In March 2014, winrar file extension spoofing 0day was used wildly to hack many windows users.
In
this tutorial, i will explain this vulnerability with some POC images
and video created by my friend Gujjar-Haxor (Pak Cyber Pirates).
Vulnerability Description:
The file names showed
in
WinRAR
when
opening a
ZIP
file come from
the central directory, but the file names used to extract
and
open contents come from the
Local
File
Header. This inconsistency allows to spoof file names
when
opening
ZIP
files
with WinRAR, which can be abused to execute arbitrary code.
NOTE:
This tutorial is found working under windows 7 environment. For some reasons , it didn't work for my friends using windows 8. So, try it on win 7 if it doesn't work for you on win 8. Thanks.
POC:
1-
Get a portable executable file. In this tutorial, i am using havij
software which is an sql injection tool but you can use some trojan or
RAT to infect the victim.
2-
Right click on this exe file and click on "Add to archive". Choose ZIP
archive format to compress this file into a ZIP archive.
3- Run Hex Editor , Hex workshop
or any hex editor and open this compressed ZIP archive in it. Go to the
end of hex editor and find havij.exe and rename its extension to jpg
like this havij.jpg.
4-
Now open this zip archive. You will see havij.jpg icon in the archive.
When you will double click it, it will run that havij.exe file.
(This is just a demonstration, you can use your own metasploit payload, trojan or RATs instead of this havij.exe file)
Shahid Ayan Khan
0 comments:
Post a Comment