Related vulnerability
Description
Exploit systems using older WinRAR
Introduction
# WinRAR Path Traversal Exploit (CVE-2025-8088) - Multi-Depth Payload Deployment


This Python script exploits a path traversal vulnerability (**CVE-2025-8088**) in WinRAR to drop a payload into the Windows per-user Startup folder, trying several relative path depths at once. It builds a malicious RAR archive that, when extracted with a vulnerable WinRAR, writes the payload outside the extraction directory and into the victim's Startup folder; one entry is included for each directory depth so that the extraction location does not have to be known in advance.
---
## Key Features
- 🎭 Creates multiple decoy files with configurable content
- 📁 Embeds payload via Alternate Data Streams (ADS)
- 📈 Generates multiple traversal depths (1–20 by default)
- 🔄 Patches RAR headers to exploit path traversal vulnerability
- 🎯 Targets Windows startup folder for persistence
- ⚙️ Automatically locates WinRAR installation
- 🔒 Recalculates CRC checksums for valid archive
---
## Core Concepts
### 1. Multi-Depth Traversal Strategy
The script creates multiple decoy files (20 by default), each configured to traverse a different number of parent directories:
```python
NUM_DEPTHS = 20 # Number of different traversal depths
```
Each file uses a different path depth (`Startup\payload.bat` below abbreviates the full `RELATIVE_DROP_PATH`):
```
File1.txt  → ..\Startup\payload.bat
File2.txt  → ..\..\Startup\payload.bat
...
File20.txt → (..\ repeated 20 times)Startup\payload.bat
```
✅ Covers extraction anywhere beneath the victim's user profile (Desktop, Documents, Downloads, or a folder nested under them): exactly one depth resolves to the profile's Startup folder, while the others land in unrelated directories or are clamped at the drive root. The approach does not help if the archive is extracted outside the user profile (for example `C:\Temp`), since no number of `..\` steps leads from there to `%USERPROFILE%`.
---
### 2. Decoy Files Customization
The decoy files contain generic text by default but should be customized for realistic social engineering:
```python
# Create more convincing decoy content
decoy.write_text("Quarterly Financial Report Q3 2025.docx\n", encoding="utf-8")
```
**Why change the decoy content?**
- Makes the archive appear legitimate
- Increases likelihood of victim extraction
- Avoids suspicion with realistic file names/content
- Blends with expected document types
---
### 3. Payload Configuration
The payload is a simple batch script by default; it can be replaced with any script or executable, provided the file name in `RELATIVE_DROP_PATH` is changed to match (the Startup folder launches whatever is placed in it):
```python
PAYLOAD = "@echo off\necho Payload executed!\npause\n"
```
**Payload location** (relative to the victim's profile directory, `%USERPROFILE%`):
```
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
```
- Executes at the next logon of the user who extracted the archive
- Per-user persistence only: this is the user's own Startup folder, so it does not run for other accounts on the system (the machine-wide folder is `%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp`, which requires administrative rights to write to)
---
### 4. Output File
The final malicious RAR archive is saved as:
```python
OUT_RAR = "exploit.rar"
```
---
## Windows Build Requirement
Generating the archive requires a **Windows environment**, for several reasons:
- **Alternate Data Streams (ADS) Dependency**
NTFS-exclusive feature used to attach payloads:
```python
ads_path = f"{decoy}:{placeholder}" # Windows-specific NTFS syntax
```
- **WinRAR Executable Requirement**
Builds the base archive with WinRAR's command-line tool (`-ep` stores file names without their directory paths, `-os` saves NTFS alternate data streams):
```python
subprocess.run(f'"{rar_exe}" a -ep -os "{base_rar}" ...')
```
- **Path Structure Compatibility**
Targets Windows-specific paths:
```python
RELATIVE_DROP_PATH = "AppData\\Roaming\\Microsoft\\Windows\\Start Menu..."
```
- **Payload Execution**
Generates Windows batch files:
```bat
@echo off
start /B notepad.exe
```
---
## Usage
Customize the configuration:
```python
# Configuration
NUM_DEPTHS = 20
RELATIVE_DROP_PATH = "AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.bat"
PAYLOAD = "@echo off\nstart /B notepad.exe\n" # Your actual payload
DECOY_FILE_PREFIX = "Financial_Report_Q3_" # More convincing names
```
Run the script:
```bash
python CVE-2025-8088.py
```
Distribute the output:
- The script generates `exploit.rar`
- Distribute via email, USB drop, etc.
---
## infect_premade_rarfiles.py
This variant takes an existing RAR archive as input, for example:
`python3 infect_premade_rarfiles.py website_backup.rar`
It extracts the archive, injects the payload into the members it can handle (such as `.txt`, `.srt` and `.sql`; not every file type works), and repacks them into a ready-to-use RAR file.
---
## Defense Mitigations
- Update WinRAR: CVE-2025-8088 is fixed in WinRAR 7.13, and WinRAR does not update itself, so the new version has to be installed manually
- Do not extract archives from untrusted sources, especially attachments and downloads from unsolicited e-mail
- Monitor file creation in the Startup folders (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` and `%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp`), for example with Sysmon Event ID 11 (FileCreate), and alert when the creating process is an archiver such as `WinRAR.exe`
- Reject archive members whose names contain `..` components, absolute paths, or an alternate data stream (`:` inside a name component) before extraction; security tooling that inspects archives should flag these as path traversal attempts
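The checks below are an added example, not code from the CVE-2025-8088 PoC or from WinRAR. They serve two passages: the depth arithmetic behind the multi-depth strategy in Core Concepts (which `..\` count reaches `Startup` from a given extraction directory, and that none does from outside the user profile) and the pre-extraction validation the last mitigation calls for. The user profile `C:\Users\alice`, the extraction directories and the member listing are constructed for illustration; a real listing would come from the archive tool (for instance WinRAR's `rar lt` output) or a RAR library, and the function names are this example's own. `ntpath` is used so Windows path semantics apply wherever the script runs.

```python
"""Added example (not part of the CVE-2025-8088 PoC): pre-extraction check for
RAR member names, plus the depth arithmetic behind the multi-depth strategy.

Assumptions: member names are supplied as strings from elsewhere (e.g. WinRAR's
`rar lt` listing or a RAR library); the profile C:\\Users\\alice and the sample
listing below are constructed for illustration.
"""
import ntpath
from typing import Dict, List, Optional

# Same per-user drop path the PoC uses.
STARTUP_REL = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat"


def resolve_member(extract_dir: str, member_name: str) -> str:
    """Path a member would be written to if its '..' components were honoured."""
    return ntpath.normpath(ntpath.join(extract_dir, member_name))


def member_problems(extract_dir: str, member_name: str) -> List[str]:
    """Reasons a member must not be extracted into extract_dir (empty list if safe).

    The raw name is inspected as well as the resolved path: an ADS-carried
    traversal such as 'decoy.txt:..\\..\\AppData\\...' normalises to a location
    *inside* extract_dir, so a prefix check on the resolved path alone misses it.
    """
    problems = []
    name = member_name.replace("/", "\\")  # archives may use either separator
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):
        problems.append("absolute or drive-qualified name")
    parts = [p for p in rest.split("\\") if p]
    if any(p == ".." for p in parts):
        problems.append("parent-directory component")
    if any(":" in p for p in parts):
        problems.append("alternate data stream in name")
    root = ntpath.normpath(extract_dir)
    target = resolve_member(root, name)
    if not target.lower().startswith(root.lower() + "\\"):
        problems.append("resolves outside extraction directory")
    return problems


def scan_listing(extract_dir: str, names: List[str]) -> Dict[str, List[str]]:
    """Map every unsafe member name in a listing to its list of problems."""
    unsafe = {}
    for name in names:
        problems = member_problems(extract_dir, name)
        if problems:
            unsafe[name] = problems
    return unsafe


def winning_depth(extract_dir: str, profile_dir: str, max_depth: int = 20) -> Optional[int]:
    """First '..\\' depth at which the drop path lands in profile_dir's Startup
    folder, or None when no depth up to max_depth reaches it (extraction
    outside the user profile)."""
    wanted = ntpath.normpath(ntpath.join(profile_dir, STARTUP_REL)).lower()
    for depth in range(1, max_depth + 1):
        if resolve_member(extract_dir, "..\\" * depth + STARTUP_REL).lower() == wanted:
            return depth
    return None


# Constructed listing shaped like the PoC's output: a decoy plus traversal entries.
SAMPLE_LISTING = [
    "Financial_Report_Q3_1.txt",
    "Financial_Report_Q3_1.txt:..\\..\\" + STARTUP_REL,  # ADS-carried traversal
    "..\\..\\..\\" + STARTUP_REL,                         # plain traversal
    "C:\\Windows\\Temp\\x.bat",                           # absolute path
]

if __name__ == "__main__":
    profile = r"C:\Users\alice"
    extract_dir = r"C:\Users\alice\Downloads\report"
    for name, why in scan_listing(extract_dir, SAMPLE_LISTING).items():
        print(f"REJECT {name!r}: {', '.join(why)}")
    for d in (r"C:\Users\alice\Downloads", extract_dir, r"C:\Temp"):
        print(f"{d}: depth {winning_depth(d, profile)} reaches the Startup folder")
```

Run it before extracting an archive from an untrusted source: any member that `scan_listing` reports should stop the extraction outright. The ADS entry is the instructive case, since its resolved path stays inside the extraction directory and is caught only by the explicit `..` and `:` checks on the raw name.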
---
## Legal & Ethical Notice
⚠️ This tool is for **educational and security research purposes only**.
Never use it against systems without explicit permission. Unauthorized use is illegal and unethical.
File snapshot
[4.0K] /data/pocs/36e40d0bcdf74720f447f78d474de4754238eeca
├── [7.4K] CVE-2025-8088.py
├── [ 13K] infect_premade_rarfiles.py
└── [4.5K] README.md
0 directories, 3 files
Notes
1. Prefer accessing the POC through its original source.
2. If the source is gone or unreachable, email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 (Shenlong) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.