RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability
CVE-2025-6218 is a directory traversal vulnerability in WinRAR for Windows, in the handling of file paths stored inside archive files. A crafted archive can carry entry names containing relative sequences such as "..\" so that, during extraction, files are written outside the intended destination directory into attacker-chosen locations. The flaw affects WinRAR versions up to and including 7.11 and was patched in WinRAR 7.12 in June 2025. Because extracted files can be placed in sensitive locations such as autostart-related directories or other execution paths, successful exploitation can result in arbitrary code execution in the security context of the current user. The issue was previously tracked as ZDI-CAN-27198.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository provides a proof-of-concept exploit for a directory traversal vulnerability in RARLAB WinRAR (CVE-2025-6218 / ZDI-CAN-27198). The exploit consists of a Python script ('zip_payload_generator.py') that generates a malicious ZIP archive. The script takes a user-supplied payload file (such as a batch script) and embeds it in the ZIP with multiple directory traversal sequences, targeting the Windows Startup folder ('AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'). When a victim extracts the ZIP using a vulnerable version of WinRAR, the payload is placed in the Startup folder and will execute on the next user login, resulting in remote code execution. The script also allows inclusion of a decoy file to make the archive appear legitimate. The repository is structured with a README.md explaining the vulnerability and usage, and the Python script implementing the exploit logic. No network endpoints are involved; the attack is local but requires user interaction to extract the ZIP file.
This repository provides a proof-of-concept (POC) exploit for CVE-2025-6218, a vulnerability in WinRAR (versions 7.11 and earlier) related to improper handling of archive extraction paths. The main file, 'CVE-2025-6218.bat', is a batch script that creates a simple batch payload ('POC.bat') to launch calc.exe, then uses WinRAR to craft a ZIP archive that, when extracted using WinRAR's 'Extract to {folder}\' option, places the payload in the Windows Startup folder. This results in the payload executing automatically on the next user login, demonstrating arbitrary code execution. The exploit requires WinRAR to be installed in its default location and is only effective on vulnerable versions. The repository includes a README with detailed usage instructions and a LICENSE file. No network endpoints are involved; the attack vector is local, relying on user interaction with the crafted ZIP file.
This repository provides a proof-of-concept (POC) exploit for CVE-2025-6218, a directory traversal vulnerability in RARLAB WinRAR (up to version 7.11) that can lead to remote code execution (RCE) via arbitrary file write. The main exploit script, 'cve-2025-6218.py', uses a custom RAR archive creation library (implemented in the other Python modules) to generate a malicious RAR file ('test.rar'). This archive contains a file with a specially crafted path ('/.. /.. /test.txt') that, when extracted by a vulnerable WinRAR installation, will be written outside the intended extraction directory. The repository is structured as a modular RAR file manipulation toolkit, with separate modules for block and extra area handling, file attributes, and utility functions. The exploit demonstrates the vulnerability but does not include a full RCE chain; it focuses on arbitrary file write via path traversal. No network endpoints are involved; exploitation requires user interaction to extract the archive.
This repository demonstrates a proof-of-concept exploit for CVE-2025-6218, a path traversal vulnerability in WinRAR versions 7.11 and earlier on Windows. The exploit consists of a malicious RAR archive ('archivo_exploit.rar') containing a file entry with a path that escapes the extraction directory (using '..\..\Users\victima\Desktop\importante.txt'). When extracted with a vulnerable version of WinRAR, this results in the overwriting of the specified file outside the extraction directory with attacker-controlled content ('MALWARE INYECTADO'). The repository includes a batch script ('crear_rar_malicioso.bat') to generate such a malicious archive, a sample target file ('importante.txt'), and a detailed README.md explaining the vulnerability, setup, and demonstration steps. The exploit is local in nature, requiring the victim to extract the malicious archive. No network endpoints are involved. The repository is structured for educational purposes and provides a clear demonstration of the risk posed by path traversal vulnerabilities in archive extraction utilities.
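A pre-extraction check for the traversal pattern described in the summary and in the four PoC descriptions above, written here as an added example (it is not code from any of those repositories or from WinRAR). It resolves each archive entry name the way a Windows extractor would, including the ".. " trailing-space variant, and flags any entry that would land outside the destination; the destination root C:\extract and the in-memory fixture archive are constructed placeholders.

```python
import io
import ntpath
import zipfile
from typing import List, Tuple


def _normalize_component(part: str) -> str:
    """Apply Windows naming rules to one path component before checking it.

    Windows ignores trailing spaces and dots in a component, so ".. " names the
    parent directory exactly like "..". Any dots-only component other than "."
    is treated as a traversal step, so the check errs toward rejecting.
    """
    core = part.strip(" ")
    if core and set(core) <= {"."}:
        return "." if core == "." else ".."
    return part.rstrip(" .")


def classify_entry(name: str, dest: str = r"C:\extract") -> Tuple[str, str]:
    """Return ("ok" | "escape", resolved_path) for a single archive entry name.

    Both separators are accepted, absolute, UNC and drive-letter names are
    rejected outright, and the rest is resolved with ntpath so ".." is applied
    the way a Windows extractor applies it (it also works when run on Linux).
    """
    raw = name.replace("/", "\\")
    if raw.startswith("\\") or ntpath.splitdrive(raw)[0]:
        return "escape", raw
    parts = [_normalize_component(p) for p in raw.split("\\")]
    parts = [p for p in parts if p and p != "."]
    root = ntpath.normpath(dest)
    resolved = ntpath.normpath(ntpath.join(root, *parts))
    inside = (resolved.lower() + "\\").startswith(root.lower().rstrip("\\") + "\\")
    return ("ok" if inside else "escape"), resolved


def audit_zip(src, dest: str = r"C:\extract") -> List[Tuple[str, str, str]]:
    """Classify every entry of a ZIP (path or file object) without extracting."""
    with zipfile.ZipFile(src) as zf:
        return [(n, *classify_entry(n, dest)) for n in zf.namelist()]


def build_fixture() -> io.BytesIO:
    """Constructed in-memory test archive: one benign entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs\\readme.txt", "harmless decoy")
        zf.writestr("..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
                    "\\Programs\\Startup\\note.txt", "fixture text, not a payload")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, verdict, path in audit_zip(build_fixture()):
        print(f"{verdict:7} {entry!r} -> {path}")
```

Running the module prints one line per entry; anything marked "escape" should be quarantined rather than extracted, whatever extractor is in use.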
Recent activity
WinRAR vulnerability used by Gamaredon, Sandworm, and RomCom.
A WinRAR directory traversal vulnerability that allows extraction to an arbitrary directory and can lead to arbitrary code execution.
A directory traversal style archive extraction vulnerability that can write files to arbitrary directories and potentially lead to command execution.
A vulnerability referenced only in related campaign samples from MalwareBazaar pivots. The content provides no technical details beyond its appearance alongside CVE-2025-8088 in samples associated with the same broader campaign cluster.