CVE-2025-8088 PoC — Path traversal vulnerability in WinRAR

Associated Vulnerability
Title: Path traversal vulnerability in WinRAR (CVE-2025-8088)
Description: A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
Readme
# CVE-2025-8088 PoC (Educational Use Only)

Details about this CVE can be found at: https://nvd.nist.gov/vuln/detail/CVE-2025-8088

> ⚠️ **Warning:** This repository contains a proof-of-concept (PoC) for CVE-2025-8088.  
> It is intended **for educational purposes, research, and lab environments only**.  
> Do **not** use this code on systems you do not own or have explicit permission to test.

---

## Overview

This project demonstrates how an Alternate Data Stream (ADS) payload can be embedded into a WinRAR archive.  
It is designed to teach how certain Windows applications handle file streams and archive processing, specifically for **research and lab testing**.

**Key Points:**

- Works with **RAR5 format**.
- Supports **multiple decoy files** with **one payload**.
- Recomputes all RAR header CRCs to ensure the archive is valid.
- The payload is delivered via an **ADS attached to the first decoy file**.

---

## Disclaimer

This PoC is **not intended for malicious use**. Misuse can be illegal and unethical.  
Always run in a controlled lab environment or virtual machine.

---

## Prerequisites

- Windows Environment.
- [WinRAR](https://www.win-rar.com/download.html) installed.
- Python 3.10+

---

## Installation

Clone this repository:
```
git clone https://github.com/walidpyh/CVE-2025-8088.git
cd CVE-2025-8088
```

---

## Usage

```
python main.py <payload_file> <output_rar> [--decoy <decoy_file1> <decoy_file2> ...]
```

**Examples:**

1. Using the default decoy:

`python main.py Updaters.exe Archive.rar`

2. Using custom decoy files:

`python main.py Updaters.exe Archive.rar --decoy README.md doc.txt`

**Explanation:**

- `<payload_file>`: The file you want to deliver via ADS.
- `<output_rar>`: The name of the generated RAR archive.
- `--decoy`: Optional list of decoy files; only the first file carries the payload via ADS.

---

## How It Works

1. Creates one or more decoy files.
2. Attaches the payload to the first decoy using **Alternate Data Streams (ADS)**.
3. Builds a base RAR archive including all decoys.
4. Patches the RAR headers to replace a placeholder with the target traversal path.
5. Recomputes CRCs so the archive remains valid.
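
A triage check a defender could run on a received archive before opening it, added here as an example and not part of this repository's code: it walks the RAR5 block headers and reports service headers (the block type that carries NTFS streams) whose bytes contain a `..\` or `../` sequence. It assumes the public RAR5 block layout and unencrypted headers; `suspicious_service_headers`, `_block` and the sample bytes are names and data constructed for illustration.

```python
import re

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_SERVICE = 3                        # RAR5 header type used for service records
TRAVERSAL = re.compile(rb"\.\.[\\/]")   # "..\" or "../" anywhere in the header

def read_vint(buf, pos):
    """Decode a RAR5 variable-length integer; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def suspicious_service_headers(data):
    """Offsets of service headers whose raw bytes contain a traversal sequence."""
    start = data.find(RAR5_SIG)
    if start < 0:
        raise ValueError("not a RAR5 archive")
    pos, hits = start + len(RAR5_SIG), []
    try:
        while pos + 4 < len(data):
            size, body = read_vint(data, pos + 4)  # skip 4-byte header CRC32
            header = data[body:body + size]
            htype, p = read_vint(header, 0)
            flags, p = read_vint(header, p)
            if flags & 0x01:                       # extra-area size field present
                _, p = read_vint(header, p)
            dsize = read_vint(header, p)[0] if flags & 0x02 else 0
            if htype == HEAD_SERVICE and TRAVERSAL.search(header):
                hits.append(pos)
            pos = body + size + dsize              # next block
    except IndexError:
        pass  # truncated or malformed block: stop walking, keep findings so far
    return hits

# Constructed sample blocks (zeroed CRCs, not a valid archive); flags is 0 or 2.
def _block(htype, flags, rest=b"", data=b""):
    body = bytes([htype, flags]) + (bytes([len(data)]) if flags & 2 else b"") + rest
    return b"\0\0\0\0" + bytes([len(body)]) + body + data
_HEAD = RAR5_SIG + _block(1, 0, b"\0") + _block(2, 2, b"readme.txt", b"hello")
CLEAN = _HEAD + _block(5, 0, b"\0")
FLAGGED = _HEAD + _block(3, 2, b"STM:..\\..\\lab\\stream.bin", b"x") + _block(5, 0, b"\0")

if __name__ == "__main__":
    print(suspicious_service_headers(CLEAN), suspicious_service_headers(FLAGGED))
```

A hit is a reason to quarantine the archive for closer inspection, not proof of exploitation; an empty result does not clear an archive whose headers are encrypted.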

File Snapshot

```
[4.0K] /data/pocs/766427555a1ee5978e65f70121d39574dc543a96
├── [8.7K] main.py
└── [2.1K] README.md

0 directories, 2 files
```