Share
## https://sploitus.com/exploit?id=DF7B4310-F099-5EE3-8146-576D9DCC552D
# CVE-2025-8088
CVE-2025-8088 β€” Educational proof-of-concept for WinRAR path traversal vulnerability via NTFS Alternate Data Streams (ADS), CVSS 8.4 HIGH, exploited by RomCom APT (Storm-0978), with configurable traversal depth, auto-discovery of rar.exe, and interactive terminal interface


```
  _______    ________    ___   ____ ___   ______      ____  ____  ____  ____ 
  / ____/ |  / / ____/   |__ \ / __ \__ \ / ____/     ( __ )/ __ \( __ )( __ )
 / /    | | / / __/________/ // / / /_/ //___ \______/ __  / / / / __  / __  |
/ /___  | |/ / /__/_____/ __// /_/ / __/____/ /_____/ /_/ / /_/ / /_/ / /_/ / 
\____/  |___/_____/    /____/\____/____/_____/      \____/\____/\____/\____/ 
```

[![CVE](https://img.shields.io/badge/CVE-2025--8088-red?style=for-the-badge)](https://nvd.nist.gov/vuln/detail/CVE-2025-8088)
[![CVSS](https://img.shields.io/badge/CVSS_v4.0-8.4_HIGH-orange?style=for-the-badge)](https://nvd.nist.gov/vuln/detail/CVE-2025-8088)
[![Python](https://img.shields.io/badge/Python-3.6%2B-3776AB?style=for-the-badge&logo=python&logoColor=white)](https://python.org)
[![Platform](https://img.shields.io/badge/Platform-Windows_NTFS-0078D6?style=for-the-badge&logo=windows&logoColor=white)](.)


**Educational proof-of-concept for CVE-2025-8088 β€” WinRAR path traversal via NTFS Alternate Data Streams (ADS)**

[Quick Start](#quick-start) Β· [Vulnerability Overview](#vulnerability-overview) Β· [Usage](#usage) Β· [Configuration](#configuration) Β· [FAQ](#faq) Β· [Disclaimer](#disclaimer)



---

## Vulnerability Overview

**CVE-2025-8088** is a critical path traversal vulnerability in WinRAR that allows attackers to write arbitrary files to sensitive system locations when a victim extracts a crafted RAR archive. The exploit abuses NTFS **Alternate Data Streams (ADS)** β€” the colon (`:`) character in ADS syntax bypasses WinRAR's extraction directory validation, enabling payload deployment outside the intended folder.

| Detail | Value |
|--------|-------|
| **CVE ID** | [CVE-2025-8088](https://nvd.nist.gov/vuln/detail/CVE-2025-8088) |
| **CVSS v3.1** | 8.8 (HIGH) |
| **CVSS v4.0** | 8.4 (HIGH) |
| **Affected** | WinRAR ≀ 7.12, UnRAR.dll, portable source (Windows only) |
| **Patched** | WinRAR 7.13 (July 30, 2025) |
| **Discovered** | July 18, 2025 by ESET Research |
| **Attribution** | RomCom / Storm-0978 / Tropical Scorpius / UNC2596 |
| **CISA KEV** | Added to Known Exploited Vulnerabilities catalog |
| **Vector** | Crafted RAR archive β†’ extract β†’ payload in Startup folder |

### Attack Flow

1. Attacker crafts a RAR archive containing a decoy file with ADS-embedded payload
2. ADS filenames use `..\..\` path traversal segments to escape the extraction directory
3. Target path: `AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`
4. Victim extracts the archive in any folder β€” payload silently lands in Windows Startup
5. On next reboot, the payload executes automatically

### Real-World Exploitation

Between July 18-21, 2025, the Russia-aligned threat group **RomCom** (also tracked as Storm-0978, Tropical Scorpius) deployed this vulnerability in spearphishing campaigns targeting financial, manufacturing, defense, and logistics companies in Europe and Canada. At least **8 threat groups** subsequently weaponized the exploit. ESET reported the vulnerability on July 24; WinRAR 7.13 was released on July 30, 2025.

---

## Official References

| # | Resource | Link |
|:-:|----------|------|
| 1 | NVD Entry | [nvd.nist.gov/vuln/detail/CVE-2025-8088](https://nvd.nist.gov/vuln/detail/CVE-2025-8088) |
| 2 | ESET Research | [welivesecurity.com β€” WinRAR zero-day](https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/) |
| 3 | WinRAR Changelog | [rarlab.com](https://www.rarlab.com/) |
| 4 | Qualys Threat Advisory | [threatprotect.qualys.com](https://threatprotect.qualys.com/2025/08/11/winrar-path-traversal-vulnerability-exploited-in-the-wild-cve-2025-8088/) |
| 5 | AhnLab ASEC Advisory | [asec.ahnlab.com](https://asec.ahnlab.com/en/89550/) |

---

## Features


Exploit Engine
βœ…Path traversal via NTFS Alternate Data Streams (ADS)
βœ…Configurable traversal depth (--max_up, default 16 levels)
βœ…Auto-discovery of rar.exe in standard WinRAR paths
βœ…Custom decoy file creation (auto-generated if missing)
βœ…Payload injection into Windows Startup folder path
Interface
βœ…Interactive terminal interface with colorama colors
βœ…Interactive settings menu for all PoC parameters
βœ…About screen with full CVE technical details
βœ…Sample payload generator (harmless payload.bat)
Safety
βœ…Persistent JSON configuration (config.json)
βœ…Validation β€” requires drop folder and payload before execution
βœ…Direct CLI mode with argparse for scripted usage


---

## Quick Start

### Prerequisites

| Dependency | Version | Purpose |
|------------|---------|---------|
| Python | 3.6+ | Runtime |
| WinRAR | ≀ 7.12 (vulnerable) | `rar.exe` for archive creation |
| Windows NTFS | Required | ADS support (not FAT32/exFAT) |
| colorama | β‰₯ 0.4.6 | Terminal color output |

### Installation

```cmd
git clone 
cd CVE-2025-8088
python launcher.py
```

Select **[1] Install Dependencies** from the menu to install `colorama`.

---

## Configuration

All settings are stored in `config.json` and editable from the launcher menu (option `[2]`) or manually:

```json
{
  "decoy": "resume.txt",
  "payload": "payload.bat",
  "drop": "C:\\Users\\Public\\Documents",
  "rar": "",
  "out": "cve-2025-8088-sxy-poc.rar",
  "workdir": ".",
  "placeholder_len": 0,
  "max_up": 16,
  "base_out": ""
}
```

| Key | Description | Default |
|-----|-------------|---------|
| `decoy` | Decoy file shown to victim (created if missing) | `resume.txt` |
| `payload` | Payload file to embed (BAT, LNK, DLL, EXE) | `payload.bat` |
| `drop` | Benign extraction folder (absolute path) | `""` |
| `rar` | Path to `rar.exe` (empty = auto-discover) | `""` |
| `out` | Output RAR archive filename | `cve-2025-8088-sxy-poc.rar` |
| `workdir` | Working directory for temp files | `.` |
| `max_up` | Number of `..` traversal levels | `16` |

---

## Usage

### Interactive Launcher

```
  ╔══════════════════════════════════════════════════════════╗
  β•‘  CVE-2025-8088  WinRAR Path Traversal PoC  [CYBER]     β•‘
  β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•

  β”Œβ”€ ACTIONS ──────────────────────────────────────────────┐
  β”‚  [1] Install Dependencies                              β”‚
  β”‚  [2] Settings                                          β”‚
  β”‚  [3] About                                             β”‚
  β”‚  [4] Run PoC                                           β”‚
  β”‚  [5] Usage / Help                                      β”‚
  β”‚  [6] Create Sample Payload                             β”‚
  β”‚  [0] Exit                                              β”‚
  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

| Option | Action |
|:------:|--------|
| `1` | Install `colorama` and verify WinRAR presence |
| `2` | Configure decoy, payload, drop folder, rar path, traversal depth |
| `3` | Display CVE technical details and attribution info |
| `4` | Generate malicious RAR archive with embedded ADS payload |
| `5` | Show CLI usage and argument reference |
| `6` | Create a harmless sample `payload.bat` for testing |
| `0` | Exit |

### Direct CLI

```cmd
python poc.py --decoy resume.txt --payload payload.bat --drop "C:\Users\you\Documents" --rar "C:\Program Files\WinRAR\rar.exe" --out poc-output.rar --max_up 16
```

| Argument | Required | Description |
|----------|:--------:|-------------|
| `--decoy` | Yes | Path to decoy file (auto-created if missing) |
| `--payload` | Yes | Path to payload file (BAT, LNK, DLL, etc.) |
| `--drop` | Yes | Absolute path to benign extraction folder |
| `--rar` | No | Path to `rar.exe` (auto-discovered if omitted) |
| `--out` | No | Output RAR filename |
| `--workdir` | No | Working directory |
| `--max_up` | No | Number of `..` traversal segments (default: 16) |

---

## Project Structure

```
CVE-2025-8088/
β”œβ”€β”€ main.py                # Entry point β€” sets CMD title/color, launches menu
β”œβ”€β”€ launcher.py            # Terminal interface β€” settings, about, run
β”œβ”€β”€ poc.py                 # Core PoC engine β€” ADS creation, RAR generation
β”œβ”€β”€ config.json            # Persistent settings (auto-created)
β”œβ”€β”€ requirements.txt       # Python dependencies (colorama)
└── README.md              # This file
```

---

## FAQ


Does this work on Linux or macOS?

No. CVE-2025-8088 exploits NTFS Alternate Data Streams, which is a Windows-specific filesystem feature. The vulnerability does not affect Linux/Unix builds of WinRAR or RAR for Android. The PoC requires Windows NTFS and `rar.exe`.



Is WinRAR 7.13 safe?

Yes. RARLAB patched CVE-2025-8088 in WinRAR 7.13, released July 30, 2025. Update immediately if you are running version 7.12 or earlier.



Why does the PoC target the Startup folder?

The Windows Startup folder (`AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`) is a well-known persistence mechanism β€” any executable placed there runs automatically on user login. This is the same technique used by RomCom in their real-world campaigns.



Can this be detected by antivirus?

Modern EDR solutions and updated antivirus signatures may detect the crafted RAR archive or the ADS traversal pattern. However, at the time of initial exploitation (July 2025), the technique was a zero-day with no signatures. This PoC is for educational verification of detection capabilities.



What is the "sample payload"?

Option `[6]` creates a harmless `payload.bat` that simply prints a message and pauses. It is designed for safe testing β€” it does not perform any malicious actions.



Who discovered this vulnerability?

ESET Research discovered CVE-2025-8088 on July 18, 2025, while analyzing spearphishing campaigns by the RomCom group (also known as Storm-0978, Tropical Scorpius, UNC2596). The vulnerability was reported to RARLAB on July 24, with a patch released on July 30.


---

## Disclaimer

> **This proof-of-concept is provided strictly for educational and authorized security research purposes.**
>
> - Do NOT use this tool against systems you do not own or have explicit written permission to test.
> - The author assumes no liability for misuse, damage, or legal consequences arising from use of this tool.
> - This PoC is intended for vulnerability verification, detection engineering, and security awareness training.
> - Unauthorized use of exploit code may violate computer fraud laws in your jurisdiction.
> - **Update WinRAR to version 7.13 or later to mitigate this vulnerability.**

---



**If this PoC helped your research, consider leaving a star** ⭐

*Responsible disclosure saves lives. Patch your software.*