7-Zip Mark-of-the-Web Bypass Vulnerability
CVE-2025-0411 is a security bypass flaw in 7-Zip’s handling of archived files on Windows. When a user extracts files from a crafted archive that itself carries the Windows Mark-of-the-Web (MotW), affected versions of 7-Zip fail to propagate the MotW metadata to the extracted files. As a result, files originating from an untrusted internet source may be written to disk without the expected MotW marking, defeating downstream Windows security controls that rely on that metadata. The issue was assigned ZDI-CAN-25456 and was reported as fixed in 7-Zip version 24.09.
Exploits
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-0411, a vulnerability in 7-Zip for Windows that allows attackers to bypass the Mark-of-the-Web (MotW) security feature using double-nested archives. The repository consists of two files: a C++ source file (CVE-2025-0411.cpp) and a detailed README.md. The C++ file allocates memory, copies shellcode (which launches calc.exe), marks it as executable, and runs it in a new thread, demonstrating arbitrary code execution. The README provides comprehensive background, technical details, exploitation context, and mitigation advice. The exploit is operational, requiring user interaction to extract a crafted archive, and targets 7-Zip versions prior to 24.09 on Windows. The only fingerprintable endpoint is the execution of 'calc.exe' as a demonstration payload.
This repository is a Proof of Concept (POC) for CVE-2025-0411, a vulnerability in 7-Zip that allows for a Mark of the Web (MotW) bypass. The repository contains two files: a README.md with detailed information about the vulnerability and usage instructions, and loader.cpp, a C++ file that serves as the main exploit. The loader.cpp file allocates memory, copies embedded shellcode (intended to launch calc.exe), marks the memory as executable, and runs it in a new thread. This demonstrates arbitrary code execution, which is the core risk of the MotW bypass. The exploit is operational, providing a working payload for demonstration purposes, and is intended for use in a controlled environment to illustrate the impact of the vulnerability. No network endpoints are present; the attack vector is local execution on a Windows system with 7-Zip installed.
This repository provides a proof-of-concept (POC) exploit for CVE-2025-0411, a vulnerability in 7-Zip (prior to version 24.09) on Windows that allows attackers to bypass the Mark-of-the-Web (MotW) protection. The exploit involves double-compressing a payload executable (loader.exe) in a 7z archive. When a victim extracts and runs the payload using a vulnerable version of 7-Zip, the MotW is not propagated, allowing the executable to run without SmartScreen or other warnings. The loader.cpp file is a simple C++ program that, when compiled, executes shellcode to launch calc.exe as a demonstration. The README.md provides detailed exploitation steps, including delivery via a file-sharing service and the difference in behavior between patched and unpatched 7-Zip versions. The main exploit capability is local code execution by bypassing MotW, requiring user interaction to open and run the payload. No network endpoints are hardcoded in the code; the only fingerprintable endpoints are the payload file and the MotW-related Zone.Identifier stream.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-0411, a vulnerability in 7-Zip (prior to version 24.09) that allows bypassing Windows' Mark-of-the-Web (MotW) protections. The exploit consists of a Python script ('7-Zip-CVE-2025-0411-PoC.py') that automates the process of compiling a C++ payload ('executable.cpp') into a Windows executable ('compiled.exe'), then compresses it into a .7z archive, and finally double-compresses it into a nested .7z archive. The C++ payload contains shellcode that launches calc.exe, demonstrating arbitrary code execution. When a user extracts the double-compressed archive with a vulnerable version of 7-Zip, the extracted executable can run without MotW warnings, illustrating the security bypass. The repository includes a README.md with background, technical details, and mitigation advice. The exploit is operational, demonstrating the vulnerability and providing a working payload, but is not weaponized for mass exploitation.
This repository contains a proof-of-concept exploit for a vulnerability in 7-Zip for Windows (versions prior to 24.09) in which the Mark of the Web (MotW) is not propagated to extracted files. The exploit consists of a C++ loader (loader.cpp) that embeds and executes shellcode. The shellcode launches 'calc.exe', demonstrating arbitrary code execution. The README provides compilation instructions using MinGW-w64 and describes the attack scenario: the compiled executable is compressed and delivered to the victim, who must manually execute it. The exploit requires user interaction and targets local execution on Windows systems. No network endpoints are present; the only fingerprintable endpoint is the execution of 'calc.exe'. The repository structure is simple, with one code file and a README.
This repository demonstrates a proof-of-concept (POC) exploit for CVE-2025-0411, a Mark-of-the-Web (MotW) bypass vulnerability in 7-Zip for Windows. The vulnerability allows attackers to craft double-compressed archives such that, when extracted with a vulnerable version of 7-Zip (prior to 24.09), the extracted files do not retain the MotW alternate data stream (Zone.Identifier). This bypasses Windows SmartScreen and other security warnings, enabling arbitrary code execution if the victim runs the extracted executable. The repository contains two files:
- README.md: Provides a detailed explanation of the vulnerability, exploitation methodology, and references. It describes the attack flow: a double-compressed archive containing a loader executable is delivered to the victim (e.g., via phishing and a payload delivery server like MediaFire). When the victim extracts and runs the loader, code execution occurs without MotW warnings.
- loader.cpp: Implements a simple Windows loader that allocates memory, copies shellcode (intended to launch calc.exe), marks it as executable, and runs it in a new thread. This serves as the payload for the POC.
No hardcoded network endpoints are present in the code, but the attack vector is network-based (malicious file delivery). The exploit targets 7-Zip on Windows systems prior to version 24.09. The POC demonstrates the risk by executing calc.exe, but the technique could be weaponized for arbitrary code execution.
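As an added defender-side check that is not code from this page or from any of the repositories summarised above, the following Python verifies the behaviour described in the vulnerability summary at the top and in the last entry's mention of the Zone.Identifier stream: it reads the archive's own Mark-of-the-Web, then reports every extracted file whose mark is missing or weaker. SAMPLE_STREAM is a constructed stream body, and reading the stream only works on an NTFS volume under Windows; everything else runs anywhere.

```python
import os
from typing import Dict, List, Optional

ZONE_INTERNET = 3  # URLMON zone id that browsers/mail clients write for downloads
# Constructed sample of a Zone.Identifier stream body (not taken from the page).
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://downloads.example.invalid/\r\n"

def parse_zone_id(stream_text: str) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier body, or None if it carries none."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                return int(value.strip()) if value.strip().isdigit() else None
    return None

def read_stream_text(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS (NTFS/Windows only); None when absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:  # no such stream, or not an NTFS volume
        return None

def find_unmarked(archive_zone: Optional[int], extracted: Dict[str, Optional[str]]) -> List[str]:
    """Paths whose mark is missing or weaker than the archive's own zone.
    `extracted` maps path -> Zone.Identifier text (None if the stream is absent)."""
    if archive_zone is None or archive_zone < ZONE_INTERNET:
        return []  # archive was not from an untrusted zone, so nothing had to propagate
    lost = []
    for path, text in extracted.items():
        zone = parse_zone_id(text) if text is not None else None
        if zone is None or zone < archive_zone:
            lost.append(path)
    return sorted(lost)

def audit_extraction(archive_path: str, out_dir: str) -> List[str]:
    """Walk out_dir and report extracted files that lost the archive's MotW."""
    extracted = {}
    for root, _, names in os.walk(out_dir):
        for name in names:
            full = os.path.join(root, name)
            extracted[full] = read_stream_text(full)
    archive_text = read_stream_text(archive_path)
    return find_unmarked(parse_zone_id(archive_text) if archive_text else None, extracted)
```

A non-empty result after extracting an Internet-zone archive is exactly the propagation failure the page describes, and the same check run after updating to 24.09 confirms the fix on a given machine.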
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A remote code execution vulnerability in 7-Zip's handling of crafted archives, specifically tied to code used to open NTFS disk images. A malicious archive can trigger code execution merely by being opened or even listed, making it broadly impactful across GUI, CLI, scripts, CI/CD workflows, and third-party software using 7-Zip libraries.
7-Zip vulnerability exploited by UAC-0006.
A vulnerability referenced as enabling attackers to bypass Mark-of-the-Web (MotW) protections via archive-related execution paths.
A specific vulnerability referenced only as a proof-of-concept lure (“7-Zip CVE-2025-0411 PoC”) used to entice victims into downloading trojanized ZIP archives from fake GitHub repositories; the content does not describe the flaw itself.