# CVE-2023-38831 WinRAR Exploit PoC
This repository contains a Python proof-of-concept (PoC) script for exploiting [CVE-2023-38831](https://nvd.nist.gov/vuln/detail/CVE-2023-38831), a vulnerability in WinRAR (versions < 6.23) that allows code execution when a user opens a specially crafted archive.
## Description
The script generates a malicious RAR archive (actually a ZIP file with a `.rar` extension) that abuses a filename parsing vulnerability in WinRAR. When a victim opens the crafted archive and double-clicks the decoy file, a payload (such as a `.bat` or `.exe` file) is executed alongside the decoy document.
## Features
- **No external dependencies:** Uses only Python's standard library.
- **Custom payload:** Supports any executable or script file as the payload.
- **Automatic archive structure:** Creates the correct folder and file structure for exploitation.
- **Cross-platform generation:** The script runs on any OS, but the exploit targets Windows.
## Usage
```sh
python exploit.py <INPUT_FILE> <PAYLOAD_FILE> <OUTPUT_FILE>
```
**Arguments:**
- `<INPUT_FILE>`: Path to the decoy file (e.g., `document.pdf`, `image.jpg`).
- `<PAYLOAD_FILE>`: Path to the payload file to execute (e.g., `script.bat`, `malware.exe`).
- `<OUTPUT_FILE>`: Name of the crafted archive to generate (e.g., `poc.rar`).
**Example:**
```sh
python exploit.py document.pdf script.bat poc.rar
```
## Live Demo
A demonstration of the exploit in action is shown below:


> ⚠️ **Warning:**
> These demos are for educational purposes only. Do not use on systems you do not own or have explicit permission to test.
## Requirements
- Python 3.x
- A vulnerable version of WinRAR (< 6.23) on the target system
## How It Works
1. The script creates a temporary directory structure mimicking the exploit layout.
2. It copies the decoy and payload files into specific locations and names.
3. It creates a ZIP archive, then patches the file/folder names to use spaces (as required by the exploit).
4. The final archive is saved with a `.rar` extension.
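
For triage on the receiving side, the layout described above can be checked before an archive is opened in WinRAR. The following is an added example, not code from this repository: it reads the archive by content (so a ZIP renamed to `.rar` is still parsed) and flags entry names ending in a space as well as a file entry whose name is also used as a folder. The function names, the sample listings, and the name-collision heuristic are assumptions made for this example.

```python
import zipfile

# Constructed sample listings (not taken from any real archive).
BENIGN = ["report/", "report/summary.pdf", "notes.txt"]
SUSPECT = ["invoice.pdf ", "invoice.pdf /", "invoice.pdf /invoice.pdf .cmd"]


def name_collisions(names):
    """Return file entries whose exact name is also used as a folder name."""
    names = [n.replace("\\", "/") for n in names]
    hits = set()
    for name in names:
        if name.endswith("/"):
            continue  # explicit directory entry, not a file
        # Folder "X/" may be explicit or only implied by a child path "X/child".
        if any(other.startswith(name + "/") for other in names):
            hits.add(name)
    return sorted(hits)


def trailing_space_names(names):
    """Return entries with a path component that ends in a space."""
    flagged = []
    for name in names:
        parts = name.replace("\\", "/").rstrip("/").split("/")
        if any(p.endswith(" ") for p in parts):
            flagged.append(name)
    return flagged


def scan_archive(source):
    """Inspect a path or binary file object by content, ignoring its extension."""
    if not zipfile.is_zipfile(source):
        return {"is_zip": False, "collisions": [], "trailing_space": []}
    with zipfile.ZipFile(source) as zf:
        names = zf.namelist()
    return {"is_zip": True, "collisions": name_collisions(names),
            "trailing_space": trailing_space_names(names)}


if __name__ == "__main__":
    for label, listing in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, name_collisions(listing), trailing_space_names(listing))
```

A hit from either check is a reason to quarantine the file for analysis; the durable fix remains upgrading WinRAR to 6.23 or later.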
## Disclaimer
This code is for **educational and authorized testing purposes only**.
Do not use it on systems you do not own or have explicit permission to test.
## References
- [Group-IB Blog: CVE-2023-38831 WinRAR Zero-Day](https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/)
- [B1tg Analysis: CVE-2023-38831](https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/)
- [Metasploit Module](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/winrar_cve_2023_38831.rb)