No project description provided
This project has been quarantined.
PyPI Admins need to review this project before it can be restored. While in quarantine, the project is not installable by clients, and cannot be being modified by its maintainers.
Read more in the project in quarantine help article.
Project description
CVE-2025-31334 — WinRAR < 7.11 ADS Path Traversal
Arbitrary file write to the Windows Startup folder via a crafted RAR archive that abuses NTFS Alternate Data Streams and path traversal in the WinRAR extraction routine.
Tested against WinRAR 7.00 – 7.10 on Windows 10 22H2 / Windows 11 23H2.
Overview
WinRAR before version 7.11 does not properly sanitise symbolic-link / ADS paths inside RAR5 archives. A specially crafted archive can write an arbitrary file outside the extraction directory, achieving code execution by targeting the current user's Startup folder.
The exploit:
- Attaches the payload as an ADS on a benign decoy file
- Builds a RAR5 archive that includes the ADS stream
- Binary-patches the stream name with a
..\..\..traversal that resolves to%APPDATA%\...\Startup\<payload> - Recomputes RAR5 header CRCs so the archive passes validation
When the victim extracts the archive, the payload is silently written to Startup and executes on next login.
Requirements
- Windows (the exploit uses
rar.exeCLI) - WinRAR installed (used only for initial archive creation)
- Python 3.10+
pip install -r requirements.txt
Usage
python exploit.py <payload> [-o output.rar] [-d decoy.docx] [-u username]
| Flag | Default | Description |
|---|---|---|
payload |
(required) | File to drop into Startup |
-o |
exploit.rar |
Output archive name |
-d |
decoy.txt |
Decoy file the victim sees |
-u |
Administrator |
Target Windows username |
--max-up |
8 |
..\ depth for traversal |
Example
python exploit.py implant.exe -o invoice.rar -d invoice.pdf -u john
Generates invoice.rar. When john opens and extracts it, he sees
invoice.pdf — meanwhile implant.exe is written to his Startup folder.
Remediation
Update WinRAR to 7.11 or later.
Disclaimer
For authorised security testing and research only.
References
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file rarcore-0.1.2.tar.gz.
File metadata
- Download URL: rarcore-0.1.2.tar.gz
- Upload date:
- Size: 4.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e7e2a659d24a14a08ec905a11edce37d57402b62023b1ac8e5dc967a7484050e
|
|
| MD5 |
777090b8a41e8dd69fa2fd0cb59e2222
|
|
| BLAKE2b-256 |
4f64f5072d202e551758dbd8274b265b574dff75d48207973861811f9294abab
|
File details
Details for the file rarcore-0.1.2-py3-none-any.whl.
File metadata
- Download URL: rarcore-0.1.2-py3-none-any.whl
- Upload date:
- Size: 4.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2c5c920dc2c2bfb092663d3f6123efe23471d52257361de47f5473f535f2d0ad
|
|
| MD5 |
94771e6c8834331d79759b5a04e830f3
|
|
| BLAKE2b-256 |
01977261211df1b80597bd24ff35a00cd073c9295090654f385b97e0a2e7acfc
|