Exploit for Path Traversal in Rarlab Winrar CVE-2025-6218

Name: Exploit for Path Traversal in Rarlab Winrar CVE-2025-6218
Rating: 5 (14 reviews)
2025-07-03 | CVSS 7.8
## https://sploitus.com/exploit?id=CAA3B0EB-D6E4-5C0E-A7FB-27D04DB8C6D8
RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.

# 📦 Multi-Traversal ZIP Payload Generator

This Python script creates a specially crafted ZIP archive exploiting a **WinRAR Directory Traversal Remote Code Execution** vulnerability (ZDI-CAN-27198). The archive includes a payload designed to be extracted into the **Windows Startup** folder, allowing for execution upon the next user login.
CVE-2025-6218-POC

> **⚠️ WARNING**: This tool is provided for educational and research purposes only. Unauthorized use may be illegal and unethical. Always obtain proper authorization before testing on any system.

---

## 🔥 Vulnerability Overview

- **Affected Software**: WinRAR (all versions prior to patch)
- **CVE / ZDI Reference**: ZDI-CAN-27198
- **Attack Vector**: Malicious ZIP file
- **Impact**: Remote Code Execution (RCE) upon archive extraction

By embedding a payload with directory traversal sequences (`.. .\\.. .\\...`), the ZIP tricks WinRAR into extracting files outside the current directory—e.g., into the victim’s **Startup folder**:
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup


---
## 🎞️ Demo Preview

![Demo](cve.gif)


## 🧰 Features

- Injects payload into Startup folder using 3 to 7 levels of directory traversal
- It will work even if the zip is extracted in 7 directories deep
- Optionally includes a decoy **normal file** to appear legitimate
- Supports arbitrary payload file

---

## 🚀 Usage

### ▶️ Requirements
- Python 3.x

### ▶️ Command Line
```bash
python3 zip_payload_generator.py --payload payload.bat --normal decoy.pdf --output backdoor.zip
```

⚠️ Disclaimer

This project is for educational and authorized penetration testing only. The creator is not responsible for any misuse or damage caused by this tool. Always comply with local laws and regulations.