Description
Proof of Concept for CVE-2025-6218, demonstrating the exploitation of a vulnerability in WinRAR versions 7.11 and under, involving improper handling of archive extraction paths.
Introduction
# CVE-2025-6218 Proof of Concept (POC)
## Overview
This repository contains a simple Proof of Concept (POC) for **CVE-2025-6218**, demonstrating the exploitation of a vulnerability involving WinRAR’s handling of archive extraction paths. The POC batch script creates a ZIP archive that places a batch file into the Windows Startup folder, which runs `calc.exe` upon user login.
---
## How it Works
- The batch script (`CVE-2025-6218.bat`) generates a simple batch file (`POC.bat`) that runs the Windows Calculator (`calc.exe`).
- It then uses WinRAR to create a ZIP archive (`CVE-2025-6218.zip`) that is crafted to extract the batch file into the Windows Startup folder.
- The vulnerability is triggered when the ZIP archive is **right-clicked**, then **opened with WinRAR**, and extracted using the **"Extract to {folder}\"** option.
- Upon extraction, the batch file is placed in the Startup folder and will execute automatically on the next user login, demonstrating arbitrary code execution.
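A defender-side check for the behaviour described above, added here as an example and not part of the original repository: it lists a ZIP's entry names without extracting anything and flags names that leave the extraction folder or land in the Startup folder. The function names, the extension list and the sample entry names are assumptions made for illustration.

```python
import ntpath
import zipfile

# Per-user Startup folder from the README, relative to %APPDATA%, lower-cased.
STARTUP_FRAGMENT = "microsoft/windows/start menu/programs/startup"
# Assumed list of file types that run at logon when dropped in Startup.
AUTORUN_EXTS = {".bat", ".cmd", ".exe", ".lnk", ".vbs", ".js", ".ps1"}


def classify_entry(name):
    """Return the reasons an archive entry name should block extraction."""
    norm = name.replace("\\", "/")
    # Trim each component so padded ".." components are still compared exactly.
    parts = [p.strip() for p in norm.split("/")]
    reasons = []
    if ".." in parts:
        reasons.append("parent-directory component")
    if norm.startswith("/") or ntpath.splitdrive(name)[0]:
        reasons.append("absolute path")
    if STARTUP_FRAGMENT in "/".join(parts).lower():
        ext = ntpath.splitext(parts[-1])[1].lower()
        kind = "autorun file" if ext in AUTORUN_EXTS else "file"
        reasons.append(kind + " targeting Startup folder")
    return reasons


def scan_names(names):
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    return {n: r for n in names if (r := classify_entry(n))}


def scan_zip(source):
    """Read entry names from a ZIP without extracting, then classify them."""
    with zipfile.ZipFile(source) as zf:
        return scan_names(zf.namelist())


# Constructed entry names. The second follows the README's description:
# two directories up, then into the Startup folder under AppData\Roaming.
SAMPLE_NAMES = [
    "docs/readme.txt",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/POC.bat",
    "C:\\Windows\\Temp\\x.dll",
    "notes/..hidden/file.txt",
]

if __name__ == "__main__":
    for entry, why in scan_names(SAMPLE_NAMES).items():
        print(f"BLOCK {entry!r}: {', '.join(why)}")
```

`scan_zip` accepts a file path or a file-like object, so it can sit in a mail or download gateway ahead of any extraction step.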
---
## Vulnerable Versions
- ✅ **Vulnerable**: WinRAR **7.11 and earlier**
- ❌ **Not vulnerable**: WinRAR **7.12 and later**
Users are strongly advised to update to the latest version to mitigate this vulnerability.
---
## Script Requirements
- WinRAR (any version) must be installed in the default location: `C:\Program Files\WinRAR\WinRAR.exe`
---
## Usage
1. Run the provided batch script (`CVE-2025-6218.bat`).
2. This creates `CVE-2025-6218.zip` with the crafted batch file inside.
3. To exploit the vulnerability:
   - **Right-click** the `CVE-2025-6218.zip` file.
   - Select **WinRAR**.
   - Use the **"Extract to {folder}\"** option inside WinRAR to extract the files.
4. The batch file will be extracted to the Windows Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`), assuming that navigating two directories up from the current working directory leads to the user's home directory (`%USERPROFILE%`).
5. On the next user login, `calc.exe` will launch automatically.
---
## Disclaimer
This POC is for educational and testing purposes only. Use it responsibly and only on systems you own or have explicit permission to test. The author is not responsible for any misuse or damage caused by this code.
---
## License
[MIT License](LICENSE)
File snapshot
[4.0K] /data/pocs/fffffb523b0da4b42e91da5f10c5b98597776386
├── [ 489] CVE-2025-6218.bat
├── [ 311] CVE-2025-6218.zip
├── [1.1K] LICENSE
└── [2.3K] README.md
0 directories, 4 files