CVE-2025-8088 PoC — Path traversal vulnerability in WinRAR

Associated Vulnerability
Title: Path traversal vulnerability in WinRAR (CVE-2025-8088)
Description: A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
Description
Exploit systems using older WinRAR
Readme
# WinRAR Path Traversal Exploit (CVE-2025-8088) - Multi-Depth Payload Deployment

![Payload](https://github.com/user-attachments/assets/25d21cbd-a775-4e6e-878c-b6a4e1d480eb)

![working](https://github.com/user-attachments/assets/8f33ab10-5436-4a57-8169-94af4cd5f1fb)

This Python script exploits a path traversal vulnerability (**CVE-2025-8088**) in WinRAR to deploy payloads to the Windows startup folder using multiple relative path depths. The exploit creates a malicious RAR archive that, when extracted, writes payloads to the victim's startup folder at various directory depths.

---

## Key Features
- 🎭 Creates multiple decoy files with configurable content  
- 📁 Embeds payload via Alternate Data Streams (ADS)  
- 📈 Generates multiple traversal depths (1–20 by default)  
- 🔄 Patches RAR headers to exploit path traversal vulnerability  
- 🎯 Targets Windows startup folder for persistence  
- ⚙️ Automatically locates WinRAR installation  
- 🔒 Recalculates CRC checksums for valid archive  

---

## Core Concepts

### 1. Multi-Depth Traversal Strategy
The script creates multiple decoy files (20 by default), each configured to traverse a different number of parent directories:

```python
NUM_DEPTHS = 20  # Number of different traversal depths
```

Each file uses a different path depth:

```
File1.txt  → ..\Startup\payload.bat
File2.txt  → ..\..\Startup\payload.bat
...
File20.txt → ..\..\..\ (20 times) \Startup\payload.bat
```

✅ Ensures that no matter where the victim extracts the archive (Desktop, Documents, Downloads, or nested folders), at least one payload will reach the startup folder.

---

### 2. Decoy Files Customization
The decoy files contain generic text by default but should be customized for realistic social engineering:

```python
# Create more convincing decoy content
decoy.write_text("Quarterly Financial Report Q3 2025.docx\n", encoding="utf-8")
```

**Why change the decoy content?**
- Makes the archive appear legitimate  
- Increases likelihood of victim extraction  
- Avoids suspicion with realistic file names/content  
- Blends with expected document types  

---

### 3. Payload Configuration
The payload is a simple batch script by default but can be replaced with any executable:

```python
PAYLOAD = "@echo off\necho Payload executed!\npause\n"
```

**Payload location:**
```
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
```

- Executes on user login  
- Works for all users on the system  

---

### 4. Output File
The final malicious RAR archive is saved as:

```python
OUT_RAR = "exploit.rar"
```

---

## Windows Build Requirement

This exploit generation requires a **Windows environment** for several reasons:

- **Alternate Data Streams (ADS) Dependency**  
  NTFS-exclusive feature used to attach payloads:  
  ```python
  ads_path = f"{decoy}:{placeholder}"  # Windows-specific NTFS syntax
  ```

- **WinRAR Executable Requirement**  
  Uses WinRAR's Windows CLI:  
  ```python
  subprocess.run(f'"{rar_exe}" a -ep -os "{base_rar}" ...')
  ```

- **Path Structure Compatibility**  
  Targets Windows-specific paths:  
  ```python
  RELATIVE_DROP_PATH = "AppData\\Roaming\\Microsoft\\Windows\\Start Menu..."
  ```

- **Payload Execution**  
  Generates Windows batch files:  
  ```bat
  @echo off
  start /B notepad.exe
  ```

---

## Usage

Customize the configuration:

```python
# Configuration
NUM_DEPTHS = 20
RELATIVE_DROP_PATH = "AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.bat"
PAYLOAD = "@echo off\nstart /B notepad.exe\n"  # Your actual payload
DECOY_FILE_PREFIX = "Financial_Report_Q3_"     # More convincing names
```

Run the script:

```bash
python CVE-2025-8088.py
```

Distribute the output:

- The script generates `exploit.rar`  
- Distribute via email, USB drop, etc.  

---


## infect_premade_rarfiles.py

This version of the code simply allows you to run something like
`python3 infect_premade_rarfiles.py website_backup.rar`

It will extract all the files, inject the payload into those it can (such as .txt, .srt and .sql; not all file types work), then build the ready-to-run RAR file.

---

## Defense Mitigations
- Update WinRAR to the latest version  
- Disable extraction of archives from untrusted sources  
- Monitor writes to startup folders  
- Use security software that detects path traversal attempts  
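What the last mitigation calls detecting path traversal attempts is, at the extraction layer, one containment check: refuse any archive entry whose resolved path lands outside the directory the user chose. The block below is an added example written for this page, not code from the PoC or from WinRAR; `entry_escape_reason`, `audit_entries`, `DEST_DIR` and `SAMPLE_ENTRIES` are all constructed for illustration. It uses `ntpath` so Windows path rules apply on any host, and it treats a colon in a relative entry as NTFS stream syntax because a colon is never legal in a plain Windows file name. In practice the names would come from an archive listing (for example `namelist()` of the third-party `rarfile` module); here a hard-coded list stands in so the script runs offline.

```python
import ntpath
from typing import List, Tuple

# Constructed destination directory (the folder the victim would extract into).
DEST_DIR = "C:\\Users\\victim\\Desktop\\extract"

# Constructed entry names mirroring the shapes described in this README:
# plain files, harmless "..", multi-depth traversal, an ADS name, absolute,
# UNC and forward-slash variants.
SAMPLE_ENTRIES = [
    "File1.txt",
    "docs\\..\\File2.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.bat",
    "File3.txt:..\\..\\Startup\\payload.bat",
    "C:\\Windows\\Temp\\x.txt",
    "\\\\server\\share\\x.txt",
    "sub/../../../escape.txt",
]


def entry_escape_reason(dest_dir: str, entry_name: str) -> str:
    """Return "" if entry_name stays inside dest_dir, else a short reason.

    Hypothetical helper for this example; dest_dir must be an absolute
    Windows path (drive-qualified or UNC).
    """
    if not entry_name or entry_name in (".", ".."):
        return "empty or bare dot entry"
    # Any drive letter, UNC prefix or leading separator means the entry is
    # not relative to the extraction directory at all.
    drive, _ = ntpath.splitdrive(entry_name)
    if drive or entry_name[0] in "\\/":
        return "absolute, rooted or UNC path"
    # With the drive case excluded, a colon can only be stream syntax
    # (decoy.txt:stream), which is how the PoC attaches its payload.
    if ":" in entry_name:
        return "NTFS alternate data stream syntax"
    base = ntpath.normpath(dest_dir)
    if not ntpath.splitdrive(base)[0]:
        raise ValueError("dest_dir must be an absolute Windows path")
    # normpath collapses "." and ".." and turns "/" into "\"; if the
    # resolved target no longer shares the full destination prefix, the
    # entry climbed out of the extraction directory.
    target = ntpath.normpath(ntpath.join(base, entry_name))
    common = ntpath.commonpath([base, target])
    if ntpath.normcase(common) != ntpath.normcase(base):
        return "escapes destination directory"
    return ""


def audit_entries(dest_dir: str, entry_names: List[str]) -> List[Tuple[str, str]]:
    """Return (entry, reason) for every entry that must not be extracted."""
    flagged = []
    for name in entry_names:
        reason = entry_escape_reason(dest_dir, name)
        if reason:
            flagged.append((name, reason))
    return flagged


if __name__ == "__main__":
    for name, reason in audit_entries(DEST_DIR, SAMPLE_ENTRIES):
        print(f"BLOCK  {name!r}: {reason}")
```

Note that `docs\..\File2.txt` is accepted: a `..` that never leaves the destination is legitimate, so the check is on the resolved path, not on the mere presence of `..`. The same containment test also covers the multi-depth strategy the README describes, since every depth resolves to a path that shares less than the full destination prefix.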

---

## Legal & Ethical Notice
⚠️ This tool is for **educational and security research purposes only**.  
Never use it against systems without explicit permission. Unauthorized use is illegal and unethical. 
File Snapshot

```
[4.0K] /data/pocs/36e40d0bcdf74720f447f78d474de4754238eeca
├── [7.4K] CVE-2025-8088.py
├── [ 13K] infect_premade_rarfiles.py
└── [4.5K] README.md

0 directories, 3 files
```