
CVE-2018-20250 PoC — WinRAR path traversal vulnerability

Associated Vulnerability
Title: WinRAR path traversal vulnerability (CVE-2018-20250)
Description: WinRAR is a file archiver that compresses and extracts RAR, ZIP and other formats. WinRAR contains a directory traversal vulnerability: when extracting an ACE-format archive, it does not adequately filter the "filename" field of the ACE file header. An attacker can exploit this to execute arbitrary code with elevated privileges.
Description
This program is a Python script that exploits the ACE vulnerability in WinRAR (CVE-2018-20250).
Readme
# WinRAR ACE exploit CVE-2018-20250

This program is a Python script that exploits the [ACE vulnerability in WinRAR](https://research.checkpoint.com/extracting-code-execution-from-winrar/), [CVE-2018-20250](https://nvd.nist.gov/vuln/detail/CVE-2018-20250).

It is based on a previous project developed by [WyAtu](https://github.com/WyAtu/CVE-2018-20250).

It is used for educational purposes on [Daniel Vispo's blog](https://www.vispo.org/2019/03/26/explotando-la-peligrosa-vulnerabilidad-que-winrar-ha-tenido-durante-19-anos-con-codigo-de-ejemplo-real/).

# How to generate the malicious archive?

This Python script writes a malicious `exploit.rar` into the folder `./build`; the file exploits [CVE-2018-20250](https://nvd.nist.gov/vuln/detail/CVE-2018-20250). Despite the extension, the archive is ACE-format data: WinRAR selects the ACE decoder (UNACEV2.dll) from the `**ACE**` signature in the file header, not from the file extension, so the `.rar` name does not steer it away from the vulnerable code path.

- Download this GitHub project.
- Install Python 3.7 or newer on Windows.
- Run `py ./create_exploit.py`.
- The malicious archive is written to `./build/exploit.rar`.
- To change the payload, put your executable into `./files_to_pack/evil/` and rerun `py ./create_exploit.py`.
- To change the decoy files, put them into `./files_to_pack/others/` and rerun `py ./create_exploit.py`.

# How does the exploit work?

If the archive sits in, for example, `C:\Users\<windows_user>\Downloads`, `C:\Users\<windows_user>\Desktop` or any other folder directly under `C:\Users\<windows_user>\`, and the user extracts it with a vulnerable WinRAR (5.61 and earlier; the ACE decoder was removed in 5.70 Beta 1), the crafted `filename` field makes the decoder write the malicious executable to `C:\Users\<windows_user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`, which is that user's Startup folder. The next time the user logs in to Windows, the executable runs automatically. Note that it runs with that user's own privileges, not elevated ones, and only at the next login, so the extraction itself looks uneventful to the victim.

> Happy hacking,
> Daniel Vispo
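The defensive counterpart to the mechanism the README describes, as an added example that is not part of this project (its `create_exploit.py` builds the archive; this code inspects one): a minimal ACE header walker in Python that locates the `filename` field of every file header and rejects names that would escape the extraction folder. The header offsets follow the public ACE format as implemented by the `acefile` library the project bundles; it is assumed here that the header CRC-16 need not be verified for a structural scan. The sample archive is constructed inline, and its hostile entry uses only the Downloads-to-Startup relationship stated above (a `..\AppData\...` name), not the project's actual header contents.

```python
"""Scan an ACE archive for filenames that would escape the extraction folder.

Added example, not part of the project on this page. Header layout follows the
public ACE format as implemented by the acefile library: a MAIN header, then one
FILE32 (type 1) or FILE64 (type 3) header per entry, each followed by `packsize`
bytes of packed data. Assumption: the header CRC-16 is not verified, since the
scanner only needs the structure. The sample archive is constructed inline.
"""
import os
import struct

ACE_MAGIC = b"**ACE**"          # sits at offset 7 of every ACE archive
HDR_MAIN, HDR_FILE32, HDR_FILE64 = 0, 1, 3
FLAG_ADDSIZE = 0x0001           # header is followed by packsize bytes of data


def iter_filenames(data: bytes):
    """Yield the raw `filename` field of every file header in an ACE blob."""
    if len(data) < 14 or data[7:14] != ACE_MAGIC:
        raise ValueError("not an ACE archive: no **ACE** signature at offset 7")
    pos = 0
    while pos + 4 <= len(data):
        _crc16, hdr_size = struct.unpack_from("<HH", data, pos)
        hdr = data[pos + 4:pos + 4 + hdr_size]
        if len(hdr) < hdr_size or hdr_size < 3:
            raise ValueError("truncated or malformed header")
        pos += 4 + hdr_size
        hdr_type = hdr[0]
        if hdr_type not in (HDR_FILE32, HDR_FILE64):
            continue                             # MAIN, RECOVERY, ...: nothing to check
        width = 4 if hdr_type == HDR_FILE32 else 8
        packsize = int.from_bytes(hdr[3:3 + width], "little")
        # after type(1)+flags(2): packsize, origsize, datetime(4), attribs(4),
        # crc32(4), comptype(1), compqual(1), params(2), reserved1(2), fnlen(2)
        off = 3 + 2 * width + 4 + 4 + 4 + 1 + 1 + 2 + 2
        if len(hdr) < off + 2:
            raise ValueError("file header too short for a filename field")
        (fnlen,) = struct.unpack_from("<H", hdr, off)
        yield hdr[off + 2:off + 2 + fnlen]
        pos += packsize                          # skip the packed file data


def is_safe_name(name: bytes, dest: str) -> bool:
    """True only if extracting `name` lands strictly inside `dest`."""
    if not name or b"\x00" in name:
        return False
    text = name.decode("latin-1")                # lossless; ACE names are OEM bytes
    if ":" in text:                              # drive specs never belong in an entry
        return False
    if text[0] in "\\/":                         # absolute path
        return False
    parts = text.replace("\\", "/").split("/")
    if any(p == ".." for p in parts):            # any parent reference is a traversal
        return False
    # Defence in depth: resolve the path and confirm it is still under dest.
    dest = os.path.normpath(dest)
    target = os.path.normpath(os.path.join(dest, "/".join(parts)))
    return os.path.commonpath([dest, target]) == dest and target != dest


def scan(data: bytes, dest: str):
    """Return (decoded name, safe?) for every entry of an ACE archive."""
    return [(n.decode("latin-1"), is_safe_name(n, dest)) for n in iter_filenames(data)]


def _header(body: bytes) -> bytes:
    # CRC-16 left as zero: this scanner does not check it (see module docstring).
    return struct.pack("<HH", 0, len(body)) + body


def build_ace(entries) -> bytes:
    """Build a minimal stored-only ACE archive from (name, payload) pairs."""
    main = (struct.pack("<BH", HDR_MAIN, 0) + ACE_MAGIC
            + bytes([20, 20, 2, 0])              # eversion, cversion, host=Win32, volume
            + b"\x00" * 4 + b"\x00" * 8)         # datetime, reserved1
    out = _header(main)
    for name, payload in entries:
        body = struct.pack("<BH", HDR_FILE32, FLAG_ADDSIZE)
        body += struct.pack("<IIIII", len(payload), len(payload), 0, 0x20, 0)
        body += struct.pack("<BBHH", 0, 0, 0, 0)  # comptype=stored, compqual, params, reserved1
        body += struct.pack("<H", len(name)) + name
        out += _header(body) + payload
    return out


# Constructed sample: one decoy entry, one traversal into the Startup folder,
# one entry carrying a drive letter.
BENIGN = b"download_the_movie.txt"
TRAVERSAL = (b"..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs"
             b"\\Startup\\evil_script.js")
DRIVE = b"C:\\Users\\Public\\evil_script.js"
SAMPLE_ACE = build_ace([(BENIGN, b"the movie is not here\n"),
                        (TRAVERSAL, b"WScript.Echo(1);"),
                        (DRIVE, b"x")])

if __name__ == "__main__":
    for entry, ok in scan(SAMPLE_ACE, "/home/victim/Downloads"):
        print("OK   " if ok else "BLOCK", entry)
```

Run against a real archive by reading the file's bytes and calling `scan(data, destination_folder)`; any `False` result is an entry a safe extractor must refuse rather than "sanitize", since the original WinRAR bug was precisely a sanitizer that stripped drive prefixes and still let a relative `..` through.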

File Snapshot

```
[4.0K] /data/pocs/02c63a3851731dc483ea5521e3175ca718a656d7
├── [4.0K] acefile
│   └── [155K] acefile.py
├── [4.3K] create_exploit.py
├── [4.0K] files_to_pack
│   ├── [4.0K] evil
│   │   └── [ 82] evil_script.js
│   └── [4.0K] others
│       └── [ 53] download_the_movie.txt
└── [1.8K] README.md

4 directories, 5 files
```