Module for CVE-2018-20250 (RARLAB WinRAR ACE Format Input Validation Remote Code Execution) #11730
Adds a new module for CVE-2018-20250 (RARLAB WinRAR ACE Format Input Validation Remote Code Execution) and the documentation to go along with it.
From the CVE-2018-20250 NVD Page:
In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.
This module will attempt to extract a payload to the startup folder of the current user. The vulnerability limits us such that we can only go back one folder. Therefore, for this exploit to work properly, the user must extract the evil RAR file from one folder within the user profile folder (e.g. Desktop, Downloads, etc.). User restart is required to gain a shell.
Test with autogenerated payload, no additional files in archive
Output from Metasploit:
Verify checksums using
The windows/fileformat/winrar_ace exploit module has been added to the framework. This module exploits the RARLAB WinRAR ACE format input validation vulnerability (CVE-2018-20250). By exploiting a path traversal vulnerability when extracting ACE format files, the module crafts a file that causes WinRAR to extract an executable into a Windows user's profile such that it automatically runs the next time the user logs in.
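For readers who want to see the other side of the bug, the following is an added example written for this page (it is not code from WinRAR, UNACEV2.dll, or the winrar_ace module): the destination check an extractor must apply to every stored entry name before writing to disk. The module works because the vulnerable extractor fails this check and lets a crafted name escape the extraction folder. The entry names and the `SafeExtractPath` module name are constructed for illustration; the Startup folder path under `AppData\Roaming` is the real per-user Startup location.

```ruby
# Added example for this page, not project code: a lexical "stays inside the
# extraction folder" check for archive entry names. Decisions are made on the
# name exactly as stored; a bad name is refused, never "repaired" and reused.
module SafeExtractPath
  # Resolve +entry_name+ under +dest_dir+. Returns the absolute target path,
  # or nil when the entry must be refused.
  def self.resolve(dest_dir, entry_name)
    return nil if entry_name.nil? || entry_name.empty? || entry_name.include?("\0")

    # ACE is a Windows-oriented format: treat both separators as separators.
    name = entry_name.tr('\\', '/')

    # Drive-letter, rooted, or UNC names are absolute paths: refuse them.
    return nil if name.match?(/\A[A-Za-z]:/) || name.start_with?('/')

    parts = name.split('/')
    # Any '..' component is refused outright, even "harmless" ones like a/../b.
    return nil if parts.include?('..')

    parts.reject! { |p| p.empty? || p == '.' }
    return nil if parts.empty?

    base   = File.expand_path(dest_dir)
    target = File.expand_path(File.join(base, *parts))

    # Belt and braces: the expanded target must still sit below base.
    return nil unless target.start_with?(base + File::SEPARATOR)
    target
  end

  # Return the entry names in +entry_names+ that would land outside +dest_dir+.
  def self.escaping_entries(dest_dir, entry_names)
    entry_names.reject { |n| resolve(dest_dir, n) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed entry names (not taken from any real archive).
  startup = 'AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe'
  entries = [
    'report.pdf',
    'docs/readme.txt',
    "..\\#{startup}",                  # one level up from Downloads/Desktop into Startup
    "C:\\Users\\victim\\#{startup}",   # absolute path stored in the archive
    'a/../../b.exe',
    '\\\\server\\share\\x.exe',
  ]
  SafeExtractPath.escaping_entries('C:/Users/victim/Downloads', entries).each do |e|
    puts "refused: #{e}"
  end
end
```

The check deliberately refuses rather than normalises: stripping `..` or drive prefixes and continuing is exactly the kind of "cleanup" that leaves a second pattern through, which is why the final prefix comparison on the expanded path is kept as a second line of defence even though the lexical rules already cover every case above.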