POC exploit for CVE-2025-33053 (External control of file execution path in URL file)# CVE-2025-33053 POC Exploit
## Overview
The working directory in a .url file can be set to a foreign WebDAV server. When opened by a Windows client, dependencies for the executable defined in the URL field are searched for in the foreign WebDAV share. If an arbitrary executable or DLL is given the same name as one of these dependencies, it is loaded and executed by the Windows client. In the case of this POC, the URL is set to the Internet Explorer diagnostices executable "iediagcmd.exe" local to the Windows client. iediagcmd.exe subsequently calls a few different executables, one of which is "route.exe". By giving an arbitrary binary such as a shellcode loader the same name and sharing it on the WebDAV server pointed to in the "WorkingDirectory" variable of the .url file, the Windows client will load and execute it when the URL file is opened.
## Setup
1. Run `sudo bash webdav_setup.sh` to configure and run an Apache2 WebDAV server from a Linux host (or set up one yourself).
2. Place an executable such as a shellcode loader named "route.exe" in the WebDAV share.
3. Modify the URL file to point to the domain name or IP address of the WebDAV server.
4. Serve the URL file to a Windows client through some kind of pretense that gets it to be run by a user.
5. If using a payload that triggers a C2 callback, route.exe might never return. iediagcmd.exe opens a windows that waits for the command to finish, so execute the command `taskkill /f /im iediagcmd.exe` to kill the original iediagcmd process window on the client.
## Caveats
- Windows Defender will generally let the url file open without problems, but the route.exe executable will be scanned and needs to have a clean signature.
- This CVE was fixed in a June 2025 patch tuesday update.
[4.0K] /data/pocs/620c0e343c96dbdafcc100145aae29510adb80af
├── [ 265] doc.url
├── [1.7K] README.md
└── [1.5K] webdav_setup.sh
0 directories, 3 files