CVE-2025-6218 PoC — WinRAR 路径遍历漏洞

Source

https://github.com/mulwareX/CVE-2025-6218-POC

Associated Vulnerability

Title:WinRAR 路径遍历漏洞 (CVE-2025-6218)
Description:WinRAR是WinRAR公司的一款文件压缩器。该产品支持RAR、ZIP等格式文件的压缩和解压等。 WinRAR存在路径遍历漏洞，该漏洞源于处理存档文件路径不当，可能导致目录遍历和远程代码执行。

Description

RARLAB WinRAR Directory Traversal Remote Code Execution

Readme

RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.

# 📦 Multi-Traversal ZIP Payload Generator

This Python script creates a specially crafted ZIP archive exploiting a **WinRAR Directory Traversal Remote Code Execution** vulnerability (ZDI-CAN-27198). The archive includes a payload designed to be extracted into the **Windows Startup** folder, allowing for execution upon the next user login.
CVE-2025-6218-POC

> **⚠️ WARNING**: This tool is provided for educational and research purposes only. Unauthorized use may be illegal and unethical. Always obtain proper authorization before testing on any system.

---

## 🔥 Vulnerability Overview

- **Affected Software**: WinRAR (all versions prior to patch)
- **CVE / ZDI Reference**: ZDI-CAN-27198
- **Attack Vector**: Malicious ZIP file
- **Impact**: Remote Code Execution (RCE) upon archive extraction

By embedding a payload with directory traversal sequences (`.. .\\.. .\\...`), the ZIP tricks WinRAR into extracting files outside the current directory—e.g., into the victim’s **Startup folder**:
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup


---
## 🎞️ Demo Preview

![Demo](cve.gif)


## 🧰 Features

- Injects payload into Startup folder using 3 to 7 levels of directory traversal
- It will work even if the zip is extracted in 7 directories deep
- Optionally includes a decoy **normal file** to appear legitimate
- Supports arbitrary payload file

---

## 🚀 Usage

### ▶️ Requirements
- Python 3.x

### ▶️ Command Line
```bash
python3 zip_payload_generator.py --payload payload.bat --normal decoy.pdf --output backdoor.zip
```

⚠️ Disclaimer

This project is for educational and authorized penetration testing only. The creator is not responsible for any misuse or damage caused by this tool. Always comply with local laws and regulations.

File Snapshot


 [4.0K]  /data/pocs/c6ccf35dcd7d7717917cc94bed7ae3c35bed3703
├── [3.5M]  cve.gif
├── [2.3K]  README.md
└── [2.3K]  zip_payload_generator.py

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!