PoC details: 78ed4bc900248a9e4ccf237d2fece99513f746ac

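Source
Related vulnerability
Title: WinRAR security vulnerability (CVE-2025-8088)
Description: WinRAR is a file archiver from the company WinRAR. The product supports compressing and decompressing files in RAR, ZIP and other formats. WinRAR contains a security vulnerability that stems from a path traversal issue and may lead to arbitrary code execution.
Introduction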
# CVE-2025-8088 WinRAR Path Traversal Exploit (PoC)

![PoC Demo](https://github.com/0xAbolfazl/CVE-2025-8088-WinRAR-PathTraversal-PoC/blob/main/scr.png)

A Proof-of-Concept exploit demonstrating the WinRAR path traversal vulnerability **(CVE-2025-8088)** affecting versions ≤ 7.12.

---

## Vulnerability Details

**CVE ID**: CVE-2025-8088  
**CVSS Score**: 8.4 (High)  
**Affected Versions**: WinRAR ≤ 7.12  
**Patch Version**: Fixed in WinRAR 7.13  
**Vulnerability Type**: Path Traversal via Alternate Data Streams (ADS)

## Overview of CVE-2025-8088

**CVE-2025-8088** is a path traversal vulnerability in WinRAR, affecting Windows versions up to **7.12**, as well as related tools like **UnRAR.dll** and its portable source code.  
The flaw allows attackers to embed malicious payloads in **ADSes** within specially crafted RAR files, enabling extraction to sensitive system locations (e.g., the Windows Startup folder).  
This can lead to automatic execution of malicious files, such as **DLLs** or shortcut (`.lnk`) files, upon system reboot.

---

## How the Exploit Works

The exploit leverages **path traversal sequences (`..`)** in ADS paths within a RAR archive.  
This script creates a malicious RAR archive to demonstrate the CVE-2025-8088 vulnerability.  
It requires **Python** and access to `rar.exe` (WinRAR's command-line tool).

- Ensure `rar.exe` is in your system PATH or specify its path using the `--rar` argument.
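
The `..` sequences described above can be rejected with a per-entry check before any stream is written. The following is an added example, not part of the original README or `Exploit.py`: `audit_stream`, `DEST` and `SAMPLES` are hypothetical names, the sample values are constructed, and the path model is an assumption rather than WinRAR's own logic.

```python
import ntpath  # Windows path rules; lets the check run on any OS


def audit_stream(dest_dir, host_name, stream_name):
    """Return findings for one ADS entry; an empty list means it passed.

    Assumption of this example: the stream name is modelled as a relative
    path next to its host file, the worst case for `..` sequences.
    """
    name = stream_name.lstrip(":")               # accept ":name" and "name"
    if name.upper().endswith(":$DATA"):          # drop the default type suffix
        name = name[:-len(":$DATA")]
    parts = name.replace("/", "\\").split("\\")

    findings = []
    if len(parts) > 1:
        findings.append("path separator in stream name")
    if ".." in parts:
        findings.append("'..' segment in stream name")
    if ":" in name:
        findings.append("drive or nested stream syntax")

    # Containment: resolve the modelled target and compare it with the
    # extraction root. Surplus '..' segments collapse at the drive root.
    dest = ntpath.normcase(ntpath.normpath(dest_dir))
    host_dir = ntpath.dirname(ntpath.join(dest_dir, host_name))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(host_dir, name)))
    if target != dest and not target.startswith(dest.rstrip("\\") + "\\"):
        findings.append("resolves outside destination: " + target)
    return findings


# Constructed sample values (not taken from a real archive).
DEST = r"C:\Users\you\Downloads\extract"
SAMPLES = [
    ("resume.txt", "Zone.Identifier:$DATA"),
    ("resume.txt", ":" + "..\\" * 16 + r"Users\you\Documents\payload.bat"),
    (r"docs\cv.txt", r"..\notes.txt"),
]

if __name__ == "__main__":
    for host, stream in SAMPLES:
        print(host, repr(stream), audit_stream(DEST, host, stream) or "ok")
```

The third sample resolves inside the destination yet is still flagged, which is why the name rules are applied independently of the containment test.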

## Requirements

- Python 3.6+
- WinRAR installed (for rar.exe)
- Windows NTFS filesystem (for ADS support)

---

### Command-Line Arguments

| Argument         | Description                                                                                   | Required? | Default                          |
|------------------|-----------------------------------------------------------------------------------------------|-----------|----------------------------------|
| `--decoy`        | Path to decoy file (existing or will be created)                                               | Yes       | -                                |
| `--payload`      | Path to harmless payload file (existing or will be created)                                    | Yes       | -                                |
| `--drop`         | Absolute path to benign folder (e.g., `C:\Users\you\Documents`)                             | Yes       | -                                |
| `--rar`          | Path to `rar.exe` (auto-discovered if omitted)                                                 | No        | Auto-discovered                  |
| `--out`          | Output RAR filename                                                                            | No        | `winrar_exploit.rar`      |
| `--workdir`      | Working directory                                                                              | No        | Current directory (`.`)          |
| `--placeholder_len` | Length of ADS placeholder (auto: ≥ max(len(injected), 128))                                 | No        | Auto-calculated                  |
| `--max_up`       | Number of `..` segments to prefix                                                              | No        | 16                               |
| `--keep_temp`    | Keep temporary base RAR file                                                                   | No        | -                                |

---

## Example Usage

Create a malicious RAR archive with a decoy file, a payload, and a target drop folder, specifying the path to `rar.exe`:

```bash
python Exploit.py --decoy resume.txt --payload payload.bat --drop "C:\Users\you\Documents" --rar "C:\Program Files\WinRAR\rar.exe"
```

> **Disclaimer:** This tool is for educational and research purposes only. Do not use it to harm systems or networks. The author is not responsible for misuse or damage caused by this script.

File snapshot

```
[4.0K] /data/pocs/78ed4bc900248a9e4ccf237d2fece99513f746ac
├── [ 23K] Exploit.py
├── [3.8K] README.md
└── [112K] scr.png

0 directories, 3 files
```