WebDAV / Internet Shortcut Files Remote Code Execution in Microsoft Windows
CVE-2025-33053 is a Microsoft Windows remote code execution vulnerability affecting Web Distributed Authoring and Versioning (WebDAV) / Internet Shortcut Files handling. Microsoft describes the issue as external control of file name or path, mapped to CWE-73. Public reporting indicates the flaw can be triggered via a specially crafted URL or .url Internet Shortcut that causes Windows to use an attacker-controlled WebDAV path as the working directory or file resolution source for legitimate Windows tools. In observed exploitation, attackers used a malicious .url file that invoked a legitimate binary such as iediagcmd.exe while manipulating execution/search-order behavior so that a malicious executable from an attacker-controlled WebDAV server was launched instead of an expected local file. Microsoft rated the issue as Important, CVSS 8.8, and confirmed exploitation in the wild.
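The mechanism described above leaves a file-level artifact a defender can triage: an Internet Shortcut whose `WorkingDirectory` points at a remote (UNC/WebDAV) location while its `URL` names a local executable. The following is an added example written for this page, not code from Microsoft or from any of the repositories listed below. It parses `.url` files with Python's `configparser` (the format is INI-style, with the standard `URL`, `WorkingDirectory` and `IconFile` keys under `[InternetShortcut]`) and tags the combinations worth a closer look. Both sample shortcuts are constructed; `webdav.example.invalid` and `placeholder-tool.exe` are placeholders, not indicators from the page.

```python
"""Triage Internet Shortcut (.url) files for a remote WorkingDirectory.

Added example for this page; not code from any listed PoC repository.
A .url file is an INI-style text file whose [InternetShortcut] section
carries the standard URL, WorkingDirectory and IconFile keys.  The samples
below are constructed; the host and tool name are placeholders.
"""
import configparser
import re
from pathlib import Path
from urllib.parse import urlparse

# \\host\... (UNC). The WebDAV mini-redirector is reached through UNC paths
# such as \\host\DavWWWRoot\... or \\host@SSL\DavWWWRoot\...
UNC_RE = re.compile(r"^\\\\[^\\]+")
DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")          # C:\... or C:/...
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".hta", ".vbs", ".js", ".ps1")

BENIGN_SAMPLE = "[InternetShortcut]\nURL=https://www.example.com/\nIconIndex=0\n"

# Constructed sample of the pattern the advisory describes: URL names a local
# executable while WorkingDirectory is a WebDAV (UNC) path on another host.
SUSPICIOUS_SAMPLE = (
    "[InternetShortcut]\n"
    "URL=file:///C:/Windows/System32/placeholder-tool.exe\n"
    "WorkingDirectory=\\\\webdav.example.invalid\\DavWWWRoot\\share\n"
    "IconIndex=0\n"
)


def is_remote_location(value: str) -> bool:
    """True when the value points at another host: a UNC path, file://host/...,
    or an http(s) URL (WebDAV is carried over HTTP)."""
    value = value.strip()
    if DRIVE_RE.match(value):
        return False
    if UNC_RE.match(value):
        return True
    parsed = urlparse(value)
    scheme = parsed.scheme.lower()
    if scheme == "file":
        return parsed.netloc.lower() not in ("", "localhost")
    return scheme in ("http", "https")


def names_local_executable(value: str) -> bool:
    """True when the value resolves to an executable on the local machine."""
    value = value.strip()
    if DRIVE_RE.match(value):
        path = value
    else:
        parsed = urlparse(value)
        if parsed.scheme.lower() != "file" or parsed.netloc.lower() not in ("", "localhost"):
            return False
        path = parsed.path
    return path.lower().endswith(EXEC_EXT)


def triage_shortcut(text: str) -> list[str]:
    """Return finding tags for one .url file's contents (empty list = nothing notable)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return ["unparseable"]
    if not parser.has_section("InternetShortcut"):
        return ["no_internetshortcut_section"]
    section = parser["InternetShortcut"]
    url = section.get("URL", "")
    workdir = section.get("WorkingDirectory", "")
    icon = section.get("IconFile", "")

    findings = []
    if workdir and is_remote_location(workdir):
        findings.append("working_directory_remote")
    if icon and is_remote_location(icon):
        findings.append("icon_file_remote")       # remote icon forces an outbound fetch
    if url and names_local_executable(url):
        findings.append("url_local_executable")
    if "working_directory_remote" in findings and "url_local_executable" in findings:
        findings.append("cve-2025-33053_pattern")
    return findings


def triage_path(path: Path) -> list[str]:
    """Read a .url file from disk (UTF-8 with optional BOM, falling back to UTF-16)."""
    raw = path.read_bytes()
    try:
        text = raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        text = raw.decode("utf-16")
    return triage_shortcut(text)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(f"{label}: {triage_shortcut(sample) or 'clean'}")
```

Run `triage_path` over the `.url` files in mail attachments, download folders or extracted ZIP archives; a remote `WorkingDirectory` is rare in legitimate shortcuts, so that tag alone is usually worth an analyst's look even when the `URL` is not an executable.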
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-33053, a vulnerability in Windows' handling of .url files pointing to a WebDAV share. The exploit demonstrates how an attacker can deliver a ZIP archive containing a crafted .url file to a victim. When the victim opens the .url file, it launches a trusted Windows utility (iediagcmd.exe) with its working directory set to an attacker-controlled WebDAV share. This allows the execution of a malicious payload (route.exe) hosted on the WebDAV server, exploiting DLL/executable hijacking. The payload can open a decoy PDF and simulate command-and-control (C2) actions, such as creating folders or running calc, to demonstrate remote code execution. The repository includes a Python setup script to automate the environment setup, a Docker Compose file to launch a WebDAV server, and a cleanup script. No actual C2 infrastructure or malicious code is included; the PoC is for educational and demonstration purposes only. The exploit targets unpatched Windows 10, 11, and Server systems with the WebClient service enabled. The main attack vectors are network (WebDAV) and local (user interaction with the .url file).
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-33053, a vulnerability in Windows' handling of .url files with a WebDAV WorkingDirectory. The exploit consists of three files: a README.md with detailed instructions, a sample .url file (doc.url) that references a local executable (iediagcmd.exe) and a remote WebDAV share, and a Bash script (webdav_setup.sh) to set up an Apache2 WebDAV server on Linux. The attack works by tricking a Windows user into opening the crafted .url file, which causes Windows to load dependencies from the attacker's WebDAV share. If a malicious executable named 'route.exe' is placed on the share, it will be executed by the victim's system. The exploit requires the attacker to set up a WebDAV server, place the payload, and modify the .url file to point to their server. The exploit targets unpatched Windows systems prior to June 2025 and demonstrates arbitrary code execution via network-based DLL/executable hijacking.
This repository is a proof-of-concept (PoC) for CVE-2025-33053, a Windows vulnerability involving the handling of .url files that point to attacker-controlled WebDAV shares. The exploit demonstrates how a malicious .url file, delivered in a ZIP archive, can trigger the execution of a payload (route.exe) hosted on a WebDAV server. The repository includes a Python setup script (setup_webdav_payload.py) that automates the creation of the required directory structure, copies the payload, generates the malicious .url file, packages it into a ZIP archive, and starts a Dockerized WebDAV server. The exploit chain abuses the fact that Windows utilities (like iediagcmd.exe) will execute binaries from the working directory, which can be set to a remote WebDAV share. The payload is a decoy executable that opens a PDF and can simulate C2-like actions. The repository also includes a cleanup script (cleanup.sh) and a Docker Compose file for the WebDAV server. No actual C2 or malicious code is included; the PoC is for educational and demonstration purposes only. The exploit targets unpatched Windows 10, 11, and Server systems with the WebClient service enabled.
This repository provides a proof-of-concept (PoC) and a checker for CVE-2025-33053, a critical vulnerability in Microsoft Windows related to WebDAV and UNC path resolution. The main exploit file, 'CVE-2025-33053_PoC.py', implements a Python-based WebDAV server that listens on port 8000. When a vulnerable Windows system accesses a malicious UNC path (e.g., via a crafted .LNK file or direct navigation), it sends a PROPFIND request to the attacker's server, which is logged by the PoC, confirming the system's vulnerability. The repository also includes a PowerShell checker script ('CVE-2025-33053_checker.ps1') that verifies whether the WebClient service is running and whether the system resolves UNC paths over WebDAV, both prerequisites for exploitation. The README provides detailed usage instructions, example UNC paths, and guidance for creating shortcut files to trigger the vulnerability. No actual code execution or harm is performed; the PoC is designed for detection and demonstration purposes only. The repository is structured with clear separation between the PoC, checker, and documentation, and is intended for educational and authorized security research.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-33053, targeting Microsoft Windows systems via malicious .url shortcut files that leverage WebDAV. The repository contains scripts to automate the setup of a WebDAV server on Ubuntu/Debian using Apache2 (setup_webdav.py and setup_webdav.sh), and a Python script (gen_url.py) to generate .url files that, when opened on a Windows system, cause the victim machine to connect to the attacker's WebDAV share. This can be used for credential theft (NTLM relay) or to deliver further payloads. The README provides detailed instructions for setup and usage, including requirements and security notes. The main attack vector is network-based, requiring the victim to open a crafted .url file that points to the attacker's WebDAV server. The repository is structured for ease of use in red teaming, phishing, or lateral movement simulation, and is not part of any exploit framework.
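The PoC summaries above share one runtime signature: a legitimate Windows binary is started with its working directory on a WebDAV share, and a second executable is then loaded straight off that share. That is visible in process-creation telemetry, and the added example below (written for this page, not from any of the listed repositories) scores such events. The records are constructed in a simple `key=value;key=value` format standing in for the `Image`, `ParentImage` and `CurrentDirectory` fields of a process-creation event such as Sysmon Event ID 1; `webdav.example.invalid`, `placeholder-tool.exe` and `placeholder-child.exe` are placeholders. The rule is deliberately generic, keyed on the WebDAV mini-redirector path form (`\\host\DavWWWRoot\...`, `\\host@SSL\...`) rather than on any one binary name, so it also covers variants that use a different launcher.

```python
"""Flag process launches that fit the WebDAV-hosted-binary pattern.

Added example; not part of the page or any listed repository.  The event
records below are constructed in a simple key=value format standing in for
a process-creation event (Image, ParentImage, CurrentDirectory).  Host names
and binary names are placeholders.
"""
import re

# The WebDAV mini-redirector exposes remote shares as UNC paths; DavWWWRoot and
# the host@SSL / host@port forms are its recognisable markers.
WEBDAV_PATH_RE = re.compile(r"^\\\\[^\\]+(@SSL|@\d+)?\\DavWWWRoot\\", re.IGNORECASE)
UNC_RE = re.compile(r"^\\\\")
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\Windows\\", re.IGNORECASE)

SAMPLE_EVENTS = [
    # constructed: ordinary interactive launch, should not score
    r"Image=C:\Windows\System32\notepad.exe;ParentImage=C:\Windows\explorer.exe;CurrentDirectory=C:\Users\alice\Documents",
    # constructed: Windows binary started with its working directory on a WebDAV share
    r"Image=C:\Windows\System32\placeholder-tool.exe;ParentImage=C:\Windows\explorer.exe;CurrentDirectory=\\webdav.example.invalid\DavWWWRoot\share",
    # constructed: child executable loaded straight off the share
    r"Image=\\webdav.example.invalid\DavWWWRoot\share\placeholder-child.exe;ParentImage=C:\Windows\System32\placeholder-tool.exe;CurrentDirectory=\\webdav.example.invalid\DavWWWRoot\share",
]


def parse_event(line: str) -> dict:
    """Split one constructed 'key=value;key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split(";"))


def score_event(event: dict) -> tuple[int, str]:
    """Return (severity, reason); severity 0 means nothing notable."""
    image = event.get("Image", "")
    cwd = event.get("CurrentDirectory", "")
    if WEBDAV_PATH_RE.match(image):
        return 3, "executable image resides on a WebDAV share"
    if UNC_RE.match(image):
        return 2, "executable image resides on a network (UNC) path"
    if SYSTEM_DIR_RE.match(image) and (WEBDAV_PATH_RE.match(cwd) or UNC_RE.match(cwd)):
        return 2, "Windows system binary started with a remote working directory"
    return 0, ""


def detect(lines: list[str]) -> list[tuple[int, int, str]]:
    """Return [(line_no, severity, reason)] for every record that scored above 0."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        severity, reason = score_event(parse_event(line))
        if severity:
            hits.append((line_no, severity, reason))
    return hits


if __name__ == "__main__":
    for line_no, severity, reason in detect(SAMPLE_EVENTS):
        print(f"event {line_no}: severity {severity}: {reason}")
```

In a real pipeline the two medium-severity hits (system binary with a remote working directory, then a child image on a UNC path) would normally appear within seconds of each other on the same host, which is the correlation to alert on; a single UNC-hosted image can also be legitimate software run from a file share, so the working-directory hit is what separates this pattern from that noise.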
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
107 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A zero-day vulnerability exploited by StealthFalcon to target high-profile organizations across multiple Middle East/Africa countries (exact affected product not specified in the provided content).
A zero-day vulnerability (referenced in connection with WebDAV in the report’s timeline) exploited by StealthFalcon to target high-profile organizations across multiple Middle East and Africa countries.
A Windows WebDAV-related vulnerability exploited in the wild and attributed by Check Point Research to the Stealth Falcon APT, impacting legacy WebDAV support in Windows.
A WebDAV remote code execution vulnerability reported as exploited and weaponized by malware.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.