## https://sploitus.com/exploit?id=8C8AAD22-6DF2-5DD0-B15C-74A0CD2A8628
# 7-ZiProwler (CVE-2025-11001)
### Overview
Result of my quick research on CVE-2025-11001 are presented in this repo. Exploit is written in python and astral uv project manager.
### References
Some:
- [NIST](https://nvd.nist.gov/vuln/detail/CVE-2025-11001)
- [ZDI](https://www.zerodayinitiative.com/advisories/ZDI-25-949/)
- [CVE News](https://www.cve.news/cve-2025-11001/)
- [WIZ](https://www.wiz.io/vulnerability-database/cve/cve-2025-11001)
## Quick analysis
I will not dig too deep into technical details of this security flaw. If you want to, read a [good root cause](https://pacbypass.github.io/2025/10/16/diffing-7zip-for-cve-2025-11001.html) by [pacbypass](https://github.com/pacbypass) and see the [fix diff on github](https://github.com/ip7z/7zip/commit/395149956d696e6e3099d8b76d797437f94a6942#diff-da6e388b3b2de6c01f24677f324d66c201fe306af7c68ac1b9891920278e2750). Below is just a breifly description.
The problem lies in the mechanism of handling symbolic links. When we pass the Linux symbols link to a Windows absolute path (e.g., `C:\`), the link is still being treated as a relative. Because of that, our relative path to the folder where we extract files, been prepended to the path from the symbolic link, allowing us to perform a destination path traversal. This opens us a way to write to any file that 7-zip is allowed to write.
Exploitation is pretty straight forward. We just need to add a symbolic link pointing to the target dir, and add a payload file. The link will be unpacked first, and then, the payload file will be written to that symbolic link, allowing us to arbitrary file write.
## Usage
> [!CAUTION]
> Be carefull using this PoC exploit! Open and unzip the output achives only in test environment.
To use this, first update the `exploit/resources/config.toml`:
```toml
[path]
# An output path (target zip file)
output = 'resource/output/result.zip'
# A dir with files that will be added to archive
source = 'path/to/some/dir'
# A target dir (dir with file to replace)
target = 'C:\Windows\System32'
# Payload (a file that will be placed instead of original one)
payload = 'C:\Windows\System32\calc.exe'
```
Then just run the:
```bash
uv run src/main.py
```
And see the result zip file.
After unzipping the archive using vulnerable 7-Zip build on Windows (`builds < 25.0`), the tagret file will be replaced with payload. Archive will be successfully extracted, but with a hidden `.zip` folder in it (containing the malicious link).
## Creds
prod by _I3r1h0n_.