Skip to main content

No project description provided

This project has been quarantined.

PyPI Admins need to review this project before it can be restored. While in quarantine, the project is not installable by clients, and cannot be being modified by its maintainers.

Read more in the project in quarantine help article.

Project description

CVE-2025-31334 — WinRAR < 7.11 ADS Path Traversal

Arbitrary file write to the Windows Startup folder via a crafted RAR archive that abuses NTFS Alternate Data Streams and path traversal in the WinRAR extraction routine.

Tested against WinRAR 7.00 – 7.10 on Windows 10 22H2 / Windows 11 23H2.

Overview

WinRAR before version 7.11 does not properly sanitise symbolic-link / ADS paths inside RAR5 archives. A specially crafted archive can write an arbitrary file outside the extraction directory, achieving code execution by targeting the current user's Startup folder.

The exploit:

  1. Attaches the payload as an ADS on a benign decoy file
  2. Builds a RAR5 archive that includes the ADS stream
  3. Binary-patches the stream name with a ..\..\.. traversal that resolves to %APPDATA%\...\Startup\<payload>
  4. Recomputes RAR5 header CRCs so the archive passes validation

When the victim extracts the archive, the payload is silently written to Startup and executes on next login.

Requirements

  • Windows (the exploit uses rar.exe CLI)
  • WinRAR installed (used only for initial archive creation)
  • Python 3.10+
pip install -r requirements.txt

Usage

python exploit.py <payload> [-o output.rar] [-d decoy.docx] [-u username]
Flag Default Description
payload (required) File to drop into Startup
-o exploit.rar Output archive name
-d decoy.txt Decoy file the victim sees
-u Administrator Target Windows username
--max-up 8 ..\ depth for traversal

Example

python exploit.py implant.exe -o invoice.rar -d invoice.pdf -u john

Generates invoice.rar. When john opens and extracts it, he sees invoice.pdf — meanwhile implant.exe is written to his Startup folder.

Remediation

Update WinRAR to 7.11 or later.

Disclaimer

For authorised security testing and research only.

References

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

rarcore-0.1.2.tar.gz (4.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

rarcore-0.1.2-py3-none-any.whl (4.4 kB view details)

Uploaded Python 3

File details

Details for the file rarcore-0.1.2.tar.gz.

File metadata

  • Download URL: rarcore-0.1.2.tar.gz
  • Upload date:
  • Size: 4.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.0

File hashes

Hashes for rarcore-0.1.2.tar.gz
Algorithm Hash digest
SHA256 e7e2a659d24a14a08ec905a11edce37d57402b62023b1ac8e5dc967a7484050e
MD5 777090b8a41e8dd69fa2fd0cb59e2222
BLAKE2b-256 4f64f5072d202e551758dbd8274b265b574dff75d48207973861811f9294abab

See more details on using hashes here.

File details

Details for the file rarcore-0.1.2-py3-none-any.whl.

File metadata

  • Download URL: rarcore-0.1.2-py3-none-any.whl
  • Upload date:
  • Size: 4.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.0

File hashes

Hashes for rarcore-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 2c5c920dc2c2bfb092663d3f6123efe23471d52257361de47f5473f535f2d0ad
MD5 94771e6c8834331d79759b5a04e830f3
BLAKE2b-256 01977261211df1b80597bd24ff35a00cd073c9295090654f385b97e0a2e7acfc

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page