GitHub – Octoberfest7/zip_smuggling: Python3 utility for creating zip files that smuggle additional data for later extraction
github.com/Octoberfest7/zip_smuggling
You Should Know:
How ZIP Smuggling Works
ZIP smuggling involves hiding extra data within a ZIP file that can be extracted later for offensive operations, such as exfiltrating data or delivering payloads. This technique bypasses traditional security checks by exploiting how ZIP parsers handle file structures.
Key Techniques:
- Overlapping Local File Headers – Manipulating offsets to hide data.
- Extra Field Injection – Storing hidden data in ZIP metadata.
- Compressed vs. Uncompressed Size Mismatch – Tricking parsers into extracting more data than expected.
Practical Implementation
Creating a Smuggled ZIP File (Python)
import zipfile

def create_smuggled_zip(output_file, visible_file, hidden_data):
    """Write a ZIP with one visible entry plus an extra, uncompressed entry."""
    with zipfile.ZipFile(output_file, 'w') as zipf:
        zipf.writestr(visible_file, "Legitimate content")
        # Stored (not deflated) so the extra bytes sit verbatim inside the archive
        zipf.writestr("hidden.txt", hidden_data, compress_type=zipfile.ZIP_STORED)
Extracting Hidden Data (Bash)
unzip -l malicious.zip                                   # list entries
unzip -p malicious.zip hidden.txt > extracted_data.txt   # extract the hidden entry
Detecting Anomalies (Forensics)
binwalk -E malicious.zip     # analyse entropy for hidden data
zipdetails malicious.zip     # inspect the ZIP structure
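The tools above show where to look; the script below, an added example that is not part of the original post or of the zip_smuggling project, walks the central directory and the local file headers of a ZIP by hand and flags the conditions listed under Key Techniques (overlapping or unreferenced byte ranges, unexpected or malformed extra fields, size and CRC disagreements between the two header copies, stored entries whose sizes differ) plus bytes parked after the end-of-central-directory record. Signatures, header layouts and extra-field ids come from the ZIP specification; the sample archive, the tampering helper and the short allowlist of extra-field ids are constructed for this example.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Extra-field ids common archivers emit (zip64, NTFS, extended timestamp,
# old Unix, Unix uid/gid). Assumed allowlist: anything else is reported.
KNOWN_EXTRA_IDS = {0x0001, 0x000A, 0x5455, 0x5855, 0x7875}


def _check_extra(blob, name, where, findings):
    """Walk the (id, size, data) records of an extra field and flag oddities."""
    pos = 0
    while pos + 4 <= len(blob):
        eid, size = struct.unpack_from("<HH", blob, pos)
        if eid not in KNOWN_EXTRA_IDS:
            findings.append(f"{name}: unrecognised extra-field id 0x{eid:04x} "
                            f"({size} bytes) in {where} header")
        pos += 4 + size
    if pos != len(blob):
        findings.append(f"{name}: malformed extra field in {where} header")


def inspect_zip(data):
    """Return a list of structural anomalies found in the raw archive bytes."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    _, _, _, n_entries, cd_size, cd_offset, comment_len = struct.unpack(
        "<HHHHIIH", data[eocd + 4:eocd + 22])
    archive_end = eocd + 22 + comment_len
    if archive_end < len(data):
        findings.append(f"trailing data: {len(data) - archive_end} bytes after the archive end")
    if cd_offset + cd_size != eocd:
        findings.append("central directory size/offset do not line up with the EOCD record")

    ranges = []  # (start, end, name) covered by each entry's local header + data
    pos = cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(f"expected a central directory header at offset {pos}")
            break
        cd = struct.unpack("<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46])
        method, crc, csize, usize = cd[3], cd[6], cd[7], cd[8]
        fn_len, ex_len, cm_len, lh_off = cd[9], cd[10], cd[11], cd[15]
        name = data[pos + 46:pos + 46 + fn_len].decode("utf-8", "replace")
        _check_extra(data[pos + 46 + fn_len:pos + 46 + fn_len + ex_len], name, "central", findings)
        pos += 46 + fn_len + ex_len + cm_len

        if method == 0 and csize != usize:
            findings.append(f"{name}: stored entry with compressed size {csize} != uncompressed size {usize}")
        if data[lh_off:lh_off + 4] != LOCAL_SIG:
            findings.append(f"{name}: local header offset {lh_off} does not point at a local header")
            continue
        lh = struct.unpack("<HHHHHIIIHH", data[lh_off + 4:lh_off + 30])
        l_flags, l_crc, l_csize, l_usize, l_fn_len, l_ex_len = lh[1], lh[5], lh[6], lh[7], lh[8], lh[9]
        _check_extra(data[lh_off + 30 + l_fn_len:lh_off + 30 + l_fn_len + l_ex_len], name, "local", findings)
        # With a data descriptor (flag bit 3) the local header legitimately holds zeros.
        if not (l_flags & 0x8) and (l_crc, l_csize, l_usize) != (crc, csize, usize):
            findings.append(f"{name}: local header CRC/sizes disagree with the central directory")
        data_start = lh_off + 30 + l_fn_len + l_ex_len
        ranges.append((lh_off, data_start + csize, name))

    # Entries should tile the file from offset 0 up to the central directory:
    # an overlap means two entries claim the same bytes, a gap means unreferenced bytes.
    cursor = 0
    for start, end, name in sorted(ranges):
        if start < cursor:
            findings.append(f"{name}: overlaps the previous entry's data")
        elif start > cursor:
            findings.append(f"{start - cursor} unreferenced bytes before {name}")
        cursor = max(cursor, end)
    if cursor < cd_offset:
        findings.append(f"{cd_offset - cursor} unreferenced bytes before the central directory")
    return findings


def _patch_central_usize(data, name, new_usize):
    """Constructed tampering helper: rewrite one entry's uncompressed size in the
    central directory only, leaving the local header untouched."""
    pos = data.find(CENTRAL_SIG)
    while pos >= 0:
        fn_len = struct.unpack_from("<H", data, pos + 28)[0]
        if data[pos + 46:pos + 46 + fn_len] == name.encode():
            return data[:pos + 24] + struct.pack("<I", new_usize) + data[pos + 28:]
        pos = data.find(CENTRAL_SIG, pos + 4)
    raise KeyError(name)


def build_sample(tamper):
    """Constructed sample: a clean two-entry archive, optionally tampered."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "Legitimate content")
        zf.writestr("notes.txt", "More legitimate content")
    data = buf.getvalue()
    if tamper:
        data = _patch_central_usize(data, "notes.txt", 4096)
        data += b"CONSTRUCTED-TRAILING-BLOB" * 4  # bytes parked after the EOCD record
    return data


if __name__ == "__main__":
    for label, tamper in (("clean", False), ("tampered", True)):
        print(label, inspect_zip(build_sample(tamper)) or ["no anomalies"])
```

Run stand-alone it prints the findings for a clean and a tampered archive; in a pipeline, feed it the raw bytes before anything calls unzip on them. It deliberately trusts neither header copy: the central directory drives the walk, as most extractors do, but every local header is cross-checked, and unexplained bytes between entries or after the EOCD are reported rather than silently skipped.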
Evasion Tactics
- Password Protection – Encrypt hidden files to avoid detection.
- Time Stomping – Modify timestamps to blend in.
- Fake CRC Values – Manipulate checksums to avoid integrity checks.
Defensive Measures
Monitor ZIP file extraction
auditctl -w /usr/bin/unzip -p x -k zip_execution
Use YARA for detection
rule zip_smuggling {
    strings:
        $local_header = "PK\x03\x04"     // local file header signature
        $central_dir  = { 50 4B 01 02 }  // central directory file header signature
    condition:
        // ZIP magic at offset 0 and the central directory starting within the
        // first 100 bytes: a coarse triage rule that singles out very small archives
        $local_header at 0 and $central_dir in (0..100)
}
What Undercode Say
ZIP smuggling remains a potent technique for red teams, but defenders can mitigate risks by:
– Analyzing ZIP files with tools like `zipdump` or binwalk.
– Restricting unexpected ZIP file executions in endpoints.
– Implementing strict file upload policies in web apps.
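For the last bullet, here is an added example (mine, not from the post or the project) of the checks an upload endpoint can apply with Python's standard zipfile module before an archive is stored or extracted: entry-count and total-size budgets, path traversal and absolute names, symlink entries, nested archives, suspicious compression ratios, and a capped streaming read that compares the bytes a member actually inflates to against the size its header declares. The limits and the sample uploads are assumed values constructed for the example.

```python
import io
import posixpath
import stat
import zipfile

# Policy limits for an upload endpoint (assumed values, tune per application).
MAX_ENTRIES = 200
MAX_TOTAL_BYTES = 20 * 1024 * 1024   # total uncompressed budget per upload
MAX_RATIO = 100                      # uncompressed/compressed ratio per member
NESTED_ARCHIVE_SUFFIXES = (".zip", ".jar", ".7z", ".rar")
CHUNK = 64 * 1024


def _unsafe_name(name):
    """True for absolute paths, drive letters, backslashes or '..' components."""
    return (posixpath.isabs(name) or "\\" in name
            or ".." in name.split("/") or (len(name) > 1 and name[1] == ":"))


def _stream_size(zf, info, budget):
    """Inflate a member in chunks, stopping as soon as the byte budget is exceeded.
    Returns the real uncompressed size; the declared size is never trusted."""
    produced = 0
    with zf.open(info) as fh:
        while chunk := fh.read(CHUNK):
            produced += len(chunk)
            if produced > budget:
                raise OverflowError(f"{info.filename}: exceeds remaining size budget")
    return produced


def vet_upload(data):
    """Return policy violations for an uploaded archive (empty list = acceptable)."""
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"not a valid ZIP archive: {exc}"]
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries ({len(infos)} > {MAX_ENTRIES})")
        remaining = MAX_TOTAL_BYTES
        for info in infos:
            name = info.filename
            if _unsafe_name(name):
                problems.append(f"{name}: unsafe path")
            if stat.S_ISLNK(info.external_attr >> 16):   # Unix mode lives in the high 16 bits
                problems.append(f"{name}: symlink entry")
            if name.lower().endswith(NESTED_ARCHIVE_SUFFIXES):
                problems.append(f"{name}: nested archive")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                problems.append(f"{name}: compression ratio above {MAX_RATIO}")
            try:
                real = _stream_size(zf, info, remaining)
            except (OverflowError, zipfile.BadZipFile) as exc:
                problems.append(str(exc))
                break
            if real != info.file_size:
                problems.append(f"{name}: declared size {info.file_size}, actual {real}")
            remaining -= real
    return problems


def build_upload(hostile):
    """Constructed sample uploads: a benign one, and one that trips several rules."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly numbers")
        zf.writestr("images/logo.png", b"\x89PNG constructed placeholder")
        if hostile:
            zf.writestr("../outside.txt", "escapes the extraction directory")
            zf.writestr("bundle/inner.zip", b"PK\x05\x06" + b"\x00" * 18)  # empty nested archive
            link = zipfile.ZipInfo("report_link")
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "report.txt")
            zf.writestr("padding.bin", b"\x00" * (2 * 1024 * 1024))  # inflates ~1000x
    return buf.getvalue()


if __name__ == "__main__":
    print("benign :", vet_upload(build_upload(False)) or ["accepted"])
    print("hostile:", vet_upload(build_upload(True)))
```

The size budget is enforced while reading, not from the headers, which is the only check that still holds when the declared sizes are wrong; the other rules are cheap metadata checks that run before any byte is inflated.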
Expected Output:
A stealthy ZIP file that bypasses basic security checks while containing hidden payloads for later retrieval.
Prediction
As detection improves, attackers will shift to more advanced archive formats (e.g., RAR, 7z) with stronger encryption, making forensic analysis harder.
For more offensive security techniques, check the original tool:
github.com/Octoberfest7/zip_smuggling
References:
Reported By: Alex Reid – Hackers Feeds