WinRAR Windows Path Traversal via NTFS Alternate Data Streams
CVE-2025-8088 is a path traversal vulnerability in the Windows version of WinRAR that allows a specially crafted RAR archive to bypass normal extraction directory restrictions and write files to attacker-controlled locations on the local system. The flaw is reported to abuse NTFS Alternate Data Streams (ADS) during archive extraction, enabling traversal outside the intended unpacking path. Multiple reports describe archives that conceal a malicious payload behind a decoy file, such as a PDF, while ADS-backed entries and crafted traversal paths cause WinRAR to place files into sensitive locations such as the user’s Windows Startup folder. This can result in arbitrary code execution when the dropped payload is launched automatically at next logon or otherwise invoked. The issue affected WinRAR for Windows up to and including 7.12 and was fixed in WinRAR 7.13. Reporting also indicates related exposure in Windows WinRAR command-line utilities, UnRAR.dll, and the portable UnRAR source code.
Exploits
27 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (7 hidden).
This repository is a small proof-of-concept for CVE-2025-8088 affecting WinRAR versions earlier than 7.13 on Windows. It contains two files: a brief README and a single Python script, create-path-traversal.rar.py, which is the main exploit entry point. The script does not exploit a remote service; instead, it programmatically creates a crafted RAR archive intended to abuse a path traversal flaw during extraction. The exploit workflow is straightforward: it accepts a user-provided payload file and an output archive name, defines a hardcoded WinRAR CLI path (C:\Program Files\WinRAR\rar.exe), constructs a traversal filename pointing to ..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<payload>, stages that file in a temporary directory, and then calls rar.exe to add the traversal path into the archive. If a vulnerable WinRAR instance extracts the resulting archive, the embedded file may be written into the current user's Startup folder rather than the intended extraction directory. Its main capability is persistence via file placement in the Windows Startup folder. The repository does not include a built-in shell, downloader, or network callback; any post-exploitation behavior depends entirely on the operator-supplied payload. Because it packages a real payload path and produces a usable malicious archive, it is more than a conceptual PoC, but it remains basic and hardcoded rather than highly flexible or framework-integrated.
Repository presents itself as an educational PoC for CVE-2025-8088 (WinRAR path traversal via NTFS Alternate Data Streams) and includes a functional archive generator plus an interactive Windows terminal launcher. Core exploit logic is in poc.py: it reads an attacker-supplied payload file, creates/uses a decoy file, then writes multiple ADS streams to the decoy (decoy_full:stream_name). Each stream name is constructed as '..\\' repeated up to --max_up levels plus the target path 'AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\<payload_name>'. This encodes traversal into the ADS name so that when a vulnerable WinRAR extracts the archive, the payload is written outside the chosen extraction directory, intended to land in the Startup folder for persistence. The script then invokes rar.exe ('rar a -m5 -ep1 <out> <decoy_full>') to build the malicious RAR.
Entry points and UX: main.py is the application entry point and run.bat launches it. launcher.py provides a menu-driven UI to install dependencies, edit config.json parameters (decoy, payload, drop folder, rar path, output name, workdir, max_up), run the PoC, and create a sample benign payload.bat.
Notable additional behavior: the utils package (imported via the ensure_env decorator in main.py) contains a hidden network/bootstrap subsystem unrelated to the WinRAR PoC. utils/compat.py obfuscates an HTTPS endpoint that decodes to 'https://127.91.0.1' and constructs a secret key from embedded platform hash strings. utils/http.py performs POSTs to /api/v1/auth/session and /api/v1/data/sync, with a fallback to curl.exe and optional TLS hostname verification disabled when routing to hardcoded IPs (104.21.0.1, 172.67.0.1). utils/integrity.py verifies/signs challenges and decrypts AES-GCM blobs. utils/bootstrap.py stages decrypted data as a Windows PE (checks 'MZ' header), writes it to a temp file renamed to .exe, executes it hidden, and deletes it. This resembles a loader/backdoor bootstrap mechanism and is a significant risk indicator beyond a typical PoC.
Overall purpose/structure: a WinRAR ADS traversal RAR-builder PoC wrapped in a polished interactive launcher, but bundled with suspicious environment-check and remote code staging/execution components in utils/ that introduce network beacons and potential arbitrary code execution on the machine running the tool.
Repository contains a Python-based exploit builder for a claimed WinRAR path traversal vulnerability (CVE-2025-8088). It is not a scanner; it generates a crafted RAR5 archive intended to cause arbitrary file write on extraction.
Structure:
- exploit_core.py: Core logic. Finds rar.exe, creates/ensures a decoy file, attaches the payload into an NTFS Alternate Data Stream (ADS) on the decoy using a long placeholder stream name, uses WinRAR CLI to create a base RAR archive containing the decoy/stream, then patches RAR5 header bytes to replace the placeholder stream name with a directory-traversal path pointing to the Windows Startup folder. After patching, it recomputes CRC32 for each RAR5 header block to keep the archive consistent.
- gui.py: CustomTkinter GUI wrapper that lets the user select payload/decoy, choose output name, and provide a fallback username. Writes output to an ./output directory and logs crashes to crash_log.txt.
- requirements.txt: customtkinter dependency.
Exploit capabilities:
- Arbitrary payload embedding: Reads attacker-chosen payload bytes and writes them into an ADS attached to the decoy file (decoy:placeholder).
- RAR5 header manipulation: Searches RAR5 blocks for occurrences of the placeholder stream name and overwrites it with a traversal path (..\ repeated) plus the target directory and payload filename.
- Integrity maintenance: Recomputes per-block header CRC32 values after modification.
- Intended impact: When a vulnerable WinRAR extracts the archive, the traversal name is meant to cause the payload to be written into the Startup folder, enabling persistence.
Notable implementation details/quirks:
- The code prints a detected username but constructs the drop path using fallback_username (default 'Administrator') rather than the detected username, which may reduce reliability unless the victim username matches or the user supplies the correct one.
- Requires WinRAR CLI present at hardcoded default install paths; otherwise archive creation fails.
- No network IOCs/endpoints are present; all actions are local file/CLI operations.
Repository contains a small Python CLI tool that claims to generate malicious RAR archives exploiting WinRAR CVE-2025-8088.
Structure: (1) README.md (Spanish) describing a “generador de archivos RAR maliciosos” (a malicious RAR file generator) and example commands (mentions files exploit_7.12.py and exploit_cli.py, but the repo includes only exploit.py), (2) exploit.py which implements the command-line interface, and (3) .gitignore.
Exploit capabilities (as implemented in exploit.py):
- Accepts a user-supplied payload file (-p/--payload) and outputs a crafted .rar (-o/--output).
- Optional decoy file (-d/--decoy).
- Parameters suggest the underlying technique uses Alternate Data Streams (ADS) placeholders (--placeholder-len) and directory traversal depth control (--max-up), though these parameters are not actually passed into the core call in this file.
- Checks for local WinRAR installation by verifying rar.exe in standard Windows paths before attempting archive creation.
- Calls WinRARExploit.create_malicious_archive(payload_path, output_path, decoy_path, fallback_username) from an external module exploit_core (not present in the provided repository snapshot). Therefore, the actual archive crafting logic is missing here; exploit.py is primarily a wrapper/driver.
Intended outcome: a malicious RAR that, when extracted by a victim on Windows with a vulnerable WinRAR version, will cause the payload to execute automatically and/or be placed into the victim’s Startup folder for persistence (as indicated by the printed instructions). No network C2 endpoints are present in the analyzed code; all observables are local file paths and the victim Startup directory target.
This repository is a Python-based exploit tool targeting CVE-2025-8088, a path traversal vulnerability in WinRAR. The exploit generates a malicious RAR archive that, when extracted by a victim using WinRAR on Windows, places a payload (such as a batch file) into the user's Startup folder, enabling code execution on next login and persistence. The payload is customizable via config.py, and the tool supports decoy files and uses NTFS Alternate Data Streams (ADS) to hide the payload. The main logic is in main.py, which orchestrates the exploit stages, including configuration loading, WinRAR detection, decoy creation, path traversal sequence generation, payload embedding, RAR header patching, CRC recalculation, and delivery to the Startup folder. extract.py appears to be a helper script for sending/receiving payloads, possibly for testing or auxiliary purposes. The exploit is operational, requiring a Windows environment with WinRAR and NTFS, and is not part of a known exploit framework. Key fingerprintable endpoints include the Windows Startup folder path and WinRAR installation paths.
This repository provides a proof-of-concept exploit for CVE-2025-8088, a path traversal vulnerability in WinRAR. The main exploit logic is implemented in 'main.py', which simulates the process of generating a malicious RAR archive designed to exploit the vulnerability. The exploit attempts to drop a batch file ('payload.bat') into the Windows Startup folder, which, when executed on user login, runs a specified executable ('file.exe') from the Public user directory. The configuration for the decoy file and payload is stored in 'config.py'. The code includes checks for WinRAR installation and simulates various stages of exploit generation, including path traversal sequence creation, alternate data stream (ADS) embedding, and archive integrity verification. There is also obfuscated code in '_activate_exploit_core' that constructs and potentially executes a command to contact 'https://py-installer.cc' using a binary named 'mshta.exe', suggesting a possible secondary payload delivery or callback mechanism. The 'extract.py' file appears to be a helper script for sending and receiving payloads over TCP, possibly for testing or auxiliary purposes, and references a 'keys.txt' file for operation. The README provides user-friendly instructions and describes the tool as educational, with a focus on identifying and demonstrating path traversal vulnerabilities in file archives. Overall, the repository is a functional proof-of-concept for local exploitation of WinRAR on Windows systems, demonstrating how a crafted archive could be used to achieve code execution via path traversal and persistence through the Startup folder.
This repository is a weaponized exploit tool targeting the WinRAR path traversal vulnerability (CVE-2025-8088) on Windows. It consists of three files: a README.md with detailed usage and technical information, exploit_core.py containing the core exploit logic, and gui.py providing a PyQt6-based graphical user interface. The tool allows an operator to select a payload (executable or batch file), optionally a decoy file, and configure output and target username. It then crafts a malicious RAR archive using NTFS Alternate Data Streams and direct RAR5 header manipulation to embed the payload. The exploit leverages path traversal to place the payload in the Windows Startup folder (C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\), enabling persistence. The tool automates archive construction, header patching, CRC recalculation, and supports stealth features such as decoy files. The attack vector is local, requiring the victim to extract the crafted archive with a vulnerable WinRAR version. The code is operational, not just a PoC, as it produces a working exploit artifact. No network endpoints are involved; all actions are performed via file system manipulation.
This repository is a Python-based exploit tool targeting CVE-2025-8088, a path traversal vulnerability in WinRAR. The repository contains four files: README.md (documentation), config.py (configuration for decoy file, payload, and drop path), extract.py (appears to be a helper or auxiliary script for payload delivery or testing), and main.py (the main exploit generator). The main exploit (main.py) automates the creation of a malicious RAR archive. It leverages path traversal sequences and NTFS Alternate Data Streams (ADS) to embed a payload (typically a batch file) into the Windows Startup folder. When a vulnerable version of WinRAR extracts this archive, the payload is placed in the Startup folder, ensuring it runs on the next user login and achieves persistence. The payload can be customized via config.py, and by default, it executes an arbitrary executable (file.exe) from the Public user directory. The exploit includes features such as customizable decoy files, archive header patching, CRC recalculation, and integrity checks. It also checks for the presence of WinRAR on the system and provides user feedback during the archive generation process. The attack vector is local, requiring the victim to extract the malicious archive. The tool is intended for educational and research purposes only, as stated in the README. Notable fingerprintable endpoints include the Windows Startup folder path, the batch file and executable paths, and the use of ADS for payload hiding. The exploit does not appear to be weaponized or part of a larger framework, but provides a functional proof-of-concept for the described vulnerability.
This repository is a Python-based exploit tool targeting CVE-2025-8088, a path traversal vulnerability in WinRAR. The main purpose is to generate a malicious RAR archive that, when extracted by a vulnerable WinRAR installation, places a payload (typically a batch file) into the Windows Startup folder, enabling code execution on next user login (persistence). The exploit leverages multiple path traversal sequences and NTFS Alternate Data Streams (ADS) to hide and deliver the payload. The tool is configurable via config.py, where the decoy file, drop path, and payload can be set. The main logic resides in main.py, which orchestrates the exploit stages, and config.py, which holds user configuration. extract.py appears to be a helper script for sending/receiving payloads, possibly for testing or auxiliary purposes. The exploit does not use a framework and is a standalone proof-of-concept. Notable fingerprintable endpoints include the Windows Startup folder path, the batch file payload, and the use of ADS. The tool is intended for educational and controlled environment use only.
This repository is a Python-based exploit tool targeting CVE-2025-8088, a path traversal vulnerability in WinRAR. The main purpose is to generate a malicious RAR archive that, when extracted by a vulnerable version of WinRAR on Windows, places a payload (such as a batch file) into the user's Startup folder, enabling persistence and code execution on next login.
The repository consists of:
- main.py: The primary exploit script, orchestrating the generation of the malicious archive, simulating the exploit stages, and handling configuration and environment checks.
- config.py: Contains user-editable configuration for the decoy file, payload, and drop path (defaulting to the Windows Startup folder).
- extract.py: Appears to be a helper or auxiliary script, possibly for testing or extracting payloads, but not directly involved in the archive generation.
- README.md: Provides detailed usage instructions, configuration guidance, and an overview of the exploit's features and requirements.
- output/.gitignore: Ensures output files are not tracked by version control.
The exploit leverages path traversal and NTFS Alternate Data Streams (ADS) to hide and deliver the payload. It also includes logic to patch RAR headers and recalculate CRC values to ensure archive integrity. The tool is intended for educational and research purposes only, as stated in the README. No network endpoints are targeted; the attack vector is local, requiring user interaction to extract the crafted archive. The payload is customizable and, by default, executes a file from the public user directory via a batch file in the Startup folder.
This repository is a C++ implementation of an exploit for CVE-2025-8088, a vulnerability in WinRAR. The exploit abuses WinRAR's handling of Alternate Data Streams (ADS) and path traversal within RAR archives to drop a user-supplied payload (such as an executable or script) into the victim's Windows Startup folder. The payload is executed automatically on the next system startup. The exploit requires the attacker to know the victim's Windows username to construct the correct path. The code is organized into several C++ source and header files, with the main logic in 'valentines/src/core.cpp', which handles user input, path determination, archive manipulation, and payload embedding. The exploit is operational and can be used to generate malicious archives for vulnerable WinRAR installations on Windows. Notable fingerprintable endpoints include the Windows Startup folder and default WinRAR installation paths.
This repository provides a Python-based exploit for CVE-2025-8088, a path traversal vulnerability in WinRAR (versions prior to 7.13) on Windows. The exploit generates a malicious RAR archive that, when extracted with a vulnerable WinRAR, leverages path traversal and NTFS Alternate Data Streams (ADS) to write an arbitrary payload (such as an executable) into the Windows Startup folder. This results in the payload being executed on the next user login. The main logic resides in 'Cve_2025_8088.py', which handles RAR file manipulation and payload embedding. 'cli.py' provides a command-line interface for specifying the payload, output archive, and optional decoy file. The exploit requires the target to be running Windows with NTFS, have a vulnerable WinRAR installed, and for the extraction to be performed with administrative privileges. The README provides usage instructions and highlights the exploit's requirements and limitations. No network endpoints are involved; the attack is local and relies on user interaction to extract the crafted archive.
This repository contains a Python proof-of-concept exploit for CVE-2025-8088, a path traversal vulnerability in WinRAR on Windows. The exploit's main file, CVE-2025-8088.py, automates the creation of a malicious RAR archive (exploit.rar) designed to drop a batch payload into the Windows Startup folder, achieving persistence. The script works by:
1. Creating several decoy text files and a payload batch file.
2. Attaching the payload as an Alternate Data Stream (ADS) to each decoy, using a placeholder name.
3. Using WinRAR's command-line tool to create a base archive containing the decoys.
4. Generating multiple traversal paths of varying depth to maximize the chance of reaching the Startup folder from any extraction location.
5. Patching the RAR archive's headers to replace the ADS placeholder with each traversal path, recalculating CRCs to maintain archive integrity.
The exploit is a PoC and does not deliver a weaponized payload, but demonstrates the ability to write arbitrary files to sensitive locations via archive extraction. The README.md provides a detailed technical explanation of the exploit's logic and the underlying vulnerability. The only network or system endpoints involved are file paths on the Windows system, specifically targeting the Startup folder for persistence.
This repository provides a proof-of-concept exploit for CVE-2025-8088, a path traversal vulnerability in WinRAR (versions 7.12 and lower) on Windows. The main script, 'CVE-2025-8088.py', generates a malicious RAR archive that embeds a payload (batch file) into the Windows Startup folder using multiple path traversal depths and Alternate Data Streams (ADS). The exploit increases reliability by embedding multiple ADS streams, improving the chances of successful payload placement regardless of the extraction directory. The payload is customizable and, by default, displays a message and pauses, but can be modified to perform arbitrary actions (e.g., sending data to a Discord webhook). The exploit requires Python 3.x, the ReportLab library, and WinRAR to be installed on the attacker's system to generate the archive. The README provides detailed usage instructions and highlights the exploit's ability to achieve code execution on the next system reboot after extraction by a vulnerable WinRAR instance. The repository structure is simple, with the main exploit script, a README, a requirements file, and an empty info file in the assets directory.
This repository is a sophisticated exploit tool targeting the WinRAR path traversal vulnerability (CVE-2025-8088) on Windows. It consists of a Python backend (exploit_core.py) and a modern GUI (gui.py) built with customtkinter. The tool allows a user to select a payload (e.g., .exe or .bat), optionally a decoy file, and generates a malicious RAR archive. The exploit leverages NTFS Alternate Data Streams (ADS) and direct RAR5 header manipulation to inject a path traversal sequence, causing the payload to be extracted into the Windows Startup folder (e.g., C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe). This results in the payload being executed on the next user login. The tool automates archive creation, header patching, and CRC recalculation, and provides a user-friendly GUI for operation. The exploit is operational and can deliver arbitrary payloads, but is not weaponized for mass exploitation. No network endpoints are present; the attack vector is local, requiring user interaction to extract the archive. The repository is well-structured, with clear separation between core logic and GUI, and includes documentation and requirements.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-8088, targeting WinRAR's handling of Alternate Data Streams (ADS) in RAR5 archives on Windows. The main file, 'main.py', is a Python script that constructs a RAR5 archive containing one or more decoy files, with the first decoy carrying a user-supplied payload as an ADS. The script locates the WinRAR CLI, creates decoy files if needed, attaches the payload via ADS, and manipulates the RAR archive headers to ensure the payload is dropped to a sensitive directory (the Windows Startup folder) when extracted. The script recomputes all RAR header CRCs to maintain archive validity. The exploit does not execute the payload itself but positions it for execution by leveraging WinRAR's processing of crafted archives. The repository is structured with a single Python exploit script and a README providing detailed usage instructions and context. No network endpoints are involved; the attack vector is local, relying on user interaction with the crafted archive on a vulnerable Windows system.
This repository is a Rust-based exploit tool targeting the WinRAR path traversal vulnerability (CVE-2025-8088). The tool enables the creation of malicious RAR archives that, when extracted with a vulnerable version of WinRAR on Windows 10/11, can drop arbitrary payloads (such as executables, scripts, or documents) into sensitive directories like the Windows Startup folder. The exploit leverages NTFS Alternate Data Streams (ADS) to hide the payload within a decoy file, then manipulates the RAR5 archive headers to inject a path traversal sequence, ensuring the payload is written to the target directory upon extraction. The tool supports both command-line and GUI operation (GTK-based), includes system diagnostics to check for WinRAR CLI, NTFS/ADS support, and directory permissions, and allows for custom payloads, decoy files, and drop directories. The codebase is modular, with separate Rust modules for ADS handling, RAR manipulation, diagnostics, CLI, GUI, and error handling. The exploit is operational and can be used for red teaming or security testing in controlled environments.
This repository provides a proof-of-concept exploit for CVE-2025-8088, a path traversal vulnerability in WinRAR (versions 7.12 and lower) on Windows. The main script, 'CVE-2025-8088.py', generates a decoy PDF document and crafts a malicious RAR archive that embeds a batch payload into multiple Alternate Data Streams (ADS) using various path traversal depths. The exploit manipulates the RAR archive structure to attempt to drop the payload into the Windows Startup folder, ensuring execution on the next reboot. The payload is customizable and can be modified to perform arbitrary actions, such as sending data to a webhook. The exploit requires the victim to extract the archive with a vulnerable WinRAR version. The repository includes a README with detailed usage instructions, a requirements.txt for dependencies (ReportLab), and an assets directory for documentation. The attack vector is local, as it requires user interaction to extract the archive. The main fingerprintable endpoint is the Windows Startup folder path where the payload is dropped.
This repository is a proof-of-concept exploit for CVE-2025-8088, a critical vulnerability in WinRAR (prior to version 7.00 build 10) that allows arbitrary file writes via path traversal in Alternate Data Stream (ADS) names. The exploit is implemented in a single Python script (main.py) and is designed to create a malicious RAR archive that, when extracted with a vulnerable WinRAR version, writes a payload (by default, a harmless batch file) into the Windows Startup folder. This achieves persistence and code execution on the next user logon. The script automates the process of creating decoy and payload files, attaching the payload as an ADS, building a RAR archive using WinRAR, and patching the archive to replace the ADS placeholder with a path traversal sequence targeting the Startup folder. The README provides detailed usage instructions, prerequisites, and mitigation advice. The exploit requires local access to create the archive, but the attack vector is realized when a victim extracts the crafted archive. The only code file is main.py, which contains all exploit logic; the other files are a README and .gitignore.
This repository provides a comprehensive proof-of-concept (PoC) exploit for CVE-2025-8088, a path traversal vulnerability in WinRAR (≤ 7.12) that allows arbitrary file extraction during RAR archive decompression. The repository contains:
- 'Exploit_cve_2025_8088.ps1': A stealthy, red-team-oriented PowerShell script that monitors a specified directory for a marker file (simulating a malicious RAR extraction). Upon detection, it deploys a stealthy Windows shortcut (.lnk) payload to the Startup folder and establishes registry persistence under HKCU\...\Run. The script includes anti-analysis features (VM/sandbox/debugger checks), obfuscated strings, and in-memory logging to evade detection.
- 'Poc-cve-2025-8088.ps1': A minimal PowerShell PoC that demonstrates the core exploit by dropping a shortcut to calc.exe in the Startup folder when a marker file is detected.
- 'poc.py': A Python script that crafts a malicious RAR archive exploiting the vulnerability. It allows customization of the decoy file, payload, drop location, and other parameters, and can auto-discover the WinRAR binary. The script demonstrates how to create an archive that, when extracted with a vulnerable WinRAR, will drop a file to an arbitrary location (e.g., Startup folder).
- Multiple README files in various languages provide detailed background, usage instructions, and context about the vulnerability and its exploitation in the wild.
The exploit demonstrates how an attacker can achieve code execution and persistence on a Windows system by delivering a crafted RAR file to a victim and having it extracted with a vulnerable WinRAR version. The main attack vector is local (user-initiated extraction), and the exploit targets file system and registry endpoints for persistence. The code is operational and can be adapted for weaponization.
This repository is an educational exploit tool targeting a fictional vulnerability (CVE-2025-8088) in WinRAR, demonstrating path traversal attacks via malicious RAR archives. The tool is written in Python and consists of two main code files: 'exploit_base.py' (core logic for crafting the exploit archive) and 'gui.py' (a modern GUI for user interaction). The exploit works by creating RAR archives with payload files (e.g., .exe, .bat) that, when extracted by a vulnerable WinRAR installation, are placed in the Windows Startup folder using directory traversal sequences. The tool supports multiple payloads, decoy files to disguise the archive, and obfuscates payloads using AES and XOR. The GUI allows users to select payloads, decoys, configure output, and build the archive. The exploit requires WinRAR to be installed on the attacker's machine to generate the base archive. The README provides detailed usage instructions, technical details, and emphasizes the educational purpose of the tool. No network endpoints are present; all attack vectors are local and require user interaction (archive extraction).
This repository is a proof-of-concept (PoC) exploit for CVE-2025-8088, a path traversal vulnerability in WinRAR (versions 7.12 and earlier) that leverages NTFS Alternate Data Streams (ADS) to place files outside the intended extraction directory. The main exploit script, 'poc.py', automates the creation of a malicious RAR archive. It takes a decoy file and a user-supplied payload (such as a BAT or EXE file), then creates multiple ADS entries on the decoy file, each with a stream name crafted to traverse directories (using '..\') and target the Windows Startup folder. The script then uses 'rar.exe' (WinRAR command-line tool) to archive the decoy file with its malicious ADS. When a vulnerable version of WinRAR extracts this archive, the payload is written to the Startup folder, enabling persistence and potential automatic execution on reboot. The repository contains standard support files (.gitignore, LICENSE, README.md) and a single exploit script (poc.py). No network endpoints are involved; the attack is local and targets the Windows file system.
This repository provides a fully operational exploit for CVE-2025-8088, a path traversal vulnerability in WinRAR on Windows. The main script (CVE-2025-8088.py) generates a malicious RAR archive ('exploit.rar') containing multiple decoy files, each crafted to exploit the path traversal bug at different directory depths. The payload, by default a batch file ('payload.bat'), is embedded using NTFS Alternate Data Streams and is intended to be dropped into the Windows Startup folder, ensuring execution on user login (persistence). The exploit is highly configurable: decoy file content, payload, and traversal depth can be customized. The script automatically locates the WinRAR executable and recalculates archive checksums for validity. The secondary script (infect_premade_rarfiles.py) allows users to inject the exploit into existing RAR archives, preserving their directory structure and content. The exploit requires a Windows environment with WinRAR installed to generate the malicious archive. No network endpoints are hardcoded, but the payload can be modified to include network-based actions. The repository is intended for security research and red teaming, and includes a detailed README with usage instructions, mitigation advice, and legal disclaimers.
This repository contains a proof-of-concept exploit (Exploit.py) for CVE-2025-8088, a path traversal vulnerability in WinRAR versions up to 7.12. The exploit script is written in Python and automates the creation of a malicious RAR archive that abuses alternate data streams (ADS) and path traversal sequences to drop a payload file (such as a batch script) into an attacker-chosen folder outside the extraction directory, such as the Windows Startup folder. The script requires access to WinRAR's command-line tool (rar.exe), which it locates automatically or via user input. The bundled payload is a simple batch file, but the exploit can be adapted to drop other file types. The README.md provides detailed usage instructions, requirements, and background on the vulnerability. The exploit is intended for educational and research purposes and demonstrates the risk of extracting untrusted RAR archives with vulnerable versions of WinRAR.
This repository is a GUI-driven exploit tool targeting the WinRAR path traversal vulnerability (CVE-2025-8088) on Windows. It consists of two main Python files: 'exploit_core.py', which implements the core logic for crafting malicious RAR archives, and 'gui.py', which provides a graphical user interface on top of it. The tool lets the user select a payload (such as an .exe or .bat file), optionally choose a decoy file, and generate a RAR archive that exploits the vulnerability by manipulating RAR5 headers and using NTFS Alternate Data Streams (ADS). The exploit is designed to drop the payload into the Windows Startup folder via path traversal, enabling persistence once the victim extracts the archive. The tool requires Python 3.6+, the WinRAR CLI, and the 'customtkinter' library for the GUI. The README provides detailed usage instructions and describes the exploit's methodology. The attack vector is local: the victim must extract the crafted archive. Fingerprintable artifacts include the Startup folder path embedded in the archive entries and the decoy-plus-payload pairing. The exploit is operational: given a user-supplied payload it produces a ready-to-use malicious archive for red team or testing purposes.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-8088, a path traversal vulnerability in WinRAR (<= 7.12) on Windows. The exploit consists of a single Python script (poc.py) and a README.md with detailed usage instructions and background. The script automates the creation of a malicious RAR archive that abuses alternate data streams (ADS) and path traversal sequences to place a user-supplied payload file outside the intended extraction directory when the archive is extracted by a vulnerable WinRAR. The attacker can specify the decoy file, payload file, and the target drop directory (e.g., the Windows Startup folder) via command-line arguments. The script requires access to WinRAR's rar.exe tool. The PoC demonstrates how an attacker could craft a RAR file that, when extracted by a victim, results in an arbitrary file write to a sensitive location, potentially leading to code execution at the next logon. The repository is well-documented, with clear instructions and attribution, and is intended for educational and research purposes.
This repository provides a proof-of-concept (PoC) exploit and defensive tools for CVE-2025-8088, a path traversal vulnerability in WinRAR (versions prior to 7.13). The main exploit script, 'CVE-2025-8088.py', creates a RAR archive containing a user-supplied benign file (such as calc.exe) embedded under a traversal path that targets the Windows Startup folder. When this archive is extracted by a vulnerable version of WinRAR, the payload is written to the Startup folder, leading to its execution on the next user login. The script requires WinRAR's CLI tool to be installed at the default path. The repository also includes 'safe_extract.py', a utility for auditing and safely extracting ZIP and RAR archives, flagging or skipping entries with dangerous paths (such as those containing traversal sequences or absolute paths). The README provides detailed usage instructions and emphasizes safe, educational use. No weaponized or malicious payloads are included; the PoC only uses files provided by the user. The code is written in Python and is intended for educational and blue-team training purposes.
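The summaries above all describe the same archive shape: a decoy file whose entry name or NTFS alternate data stream name carries '..\' hops toward the user's Startup folder, plus (in the last repository) an audit utility that refuses such entries. The following is an added example, not code from any of those repositories or from WinRAR. It builds entry names of that shape from constructed paths, shows how a naive extractor that honors the stream text as a path would resolve them into the Startup folder, and pairs that with a hardened resolver of the kind the safe_extract.py summary describes: audit the entry name, then confirm the normalized destination is still contained in the extraction directory. The extraction directory, the victim user name, and every entry and payload name are assumptions made for the example; Windows path semantics come from ntpath so the checks run on any host.

```python
"""Audit archive entry names for '..' traversal and ADS-stream abuse.

Added example, not code from any repository summarized on this page. It
models the entry shape those summaries describe (a decoy file whose NTFS
alternate data stream name carries '..\\' hops toward the user's Startup
folder), shows how a naive extractor would resolve it, and pairs that with
a hardened resolver of the kind the safe_extract.py summary describes.
The extraction directory, entry names and payload names are constructed
for the example. Windows path semantics come from ntpath so the checks
run on any host.
"""
import ntpath
import re

# Constructed extraction directory on a hypothetical victim machine.
EXTRACT_DIR = r"C:\Users\victim\Downloads\invoice"

# Relative hop from EXTRACT_DIR to the per-user Startup folder: two '..'
# reach C:\Users\victim, then the path descends into AppData.
STARTUP_REL = r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed entry names mimicking the shapes described above.
ENTRIES = [
    r"invoice.pdf",                                         # benign decoy
    rf"invoice.pdf:{STARTUP_REL}\payload.bat",              # ADS name with traversal
    r"docs\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.hta",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y.exe",
    r"notes\readme.txt:Zone.Identifier",                    # ordinary ADS, no path
]

_SEP = re.compile(r"[\\/]+")


def split_ads(entry: str):
    """Split 'name:stream' into (name, stream); a drive-letter colon at
    index 1 is not a stream separator. Returns (entry, None) without ADS."""
    start = 2 if len(entry) >= 2 and entry[0].isalpha() and entry[1] == ":" else 0
    idx = entry.find(":", start)
    if idx == -1:
        return entry, None
    return entry[:idx], entry[idx + 1:]


def audit_entry(entry: str) -> list:
    """Return the reasons an entry is unsafe to extract as-is (empty if none)."""
    findings = []
    name, stream = split_ads(entry)
    parts = [p for p in _SEP.split(name) if p]
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        findings.append("absolute path or drive letter in entry name")
    if ".." in parts:
        findings.append("'..' component in entry name")
    if stream is not None:
        sparts = [p for p in _SEP.split(stream) if p]
        if ".." in sparts or len(sparts) > 1 or ntpath.isabs(stream):
            findings.append("ADS stream name contains a path, not a plain stream")
    return findings


def naive_target(extract_dir: str, entry: str) -> str:
    """Model of a vulnerable extractor: whatever follows the colon is joined to
    the extraction directory and normalized, so '..' in the stream name walks
    out of it. This models the effect the page describes, not WinRAR's code."""
    name, stream = split_ads(entry)
    return ntpath.normpath(ntpath.join(extract_dir, name if stream is None else stream))


def safe_target(extract_dir: str, entry: str):
    """Hardened resolver: refuse anything audit_entry flags, then confirm the
    normalized destination is still inside extract_dir (a real containment
    check, not a string-prefix test). Returns the path, or None to skip."""
    if audit_entry(entry):
        return None
    name, stream = split_ads(entry)
    root = ntpath.normpath(extract_dir)
    dest = ntpath.normpath(ntpath.join(root, name))
    if ntpath.commonpath([root, dest]) != root:
        return None
    return dest if stream is None else f"{dest}:{stream}"


def audit_archive(entries):
    """Map each flagged entry name to its findings; clean entries are omitted."""
    return {e: f for e in entries if (f := audit_entry(e))}


if __name__ == "__main__":
    for e in ENTRIES:
        print(f"{e!r}\n  naive -> {naive_target(EXTRACT_DIR, e)}"
              f"\n  safe  -> {safe_target(EXTRACT_DIR, e)}"
              f"\n  flags -> {audit_entry(e) or 'none'}")
```

The ordinary Zone.Identifier stream passes the audit, which matters in practice: an extractor that simply refused every entry containing a colon would break legitimate archives, whereas refusing only stream names that contain separators or '..' blocks the shape the repositories above rely on. The containment check uses ntpath.commonpath rather than a startswith test so that a destination such as C:\Users\victim\Downloads\invoice2 is not mistaken for a child of the invoice directory.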
Recent activity
A critical path traversal vulnerability in WinRAR that can be exploited via a malicious RAR archive to extract a hidden HTA file into the Windows Startup directory, enabling code execution and persistence.
A path traversal vulnerability in WinRAR that Gamaredon is reported to exploit to execute an HTML Application payload and continue malware deployment.
A path traversal vulnerability in WinRAR that Gamaredon is exploiting to deliver malware including GammaPhish, GammaLoad, GammaWorm, GammaSteel, and potentially GammaWipe.
A WinRAR vulnerability used to execute code from the Windows Startup folder via a malicious RAR archive, enabling initial compromise in Gamaredon campaigns.