WINRAR is one of the most common applications for compressing and decompressing data.
The application is capable of compressing data in RAR or ZIP format.
This article is going to present a new vulnerability that I found in WINRAR version 4.20
(other versions may be vulnerable too).
Here is a quick brief of the zip file format:
So from the file format descriptor we can see that the field at offset 30 holds
the file name of the compressed file.
When we compress a file in "ZIP format" with WINRAR, the file structure looks
the same, but! WINRAR adds several properties of its own.
For example, let's look at a text file called "TEST1.txt" that contains the data "AAAAA" after
it has been compressed as ZIP with WINRAR:
In the example above it can be noticed that WINRAR adds an extra "file name" into the compressed file.
Further analysis reveals that the second name is the "file name" that WINRAR will give to
the extracted file, while the first name is the one that appears in the WINRAR GUI
window.
QUESTION: So what happens if the first name and the second name are different?
ANSWER: WINRAR will show the spoofed file name, while after extraction the user will get the real file name.
This behavior can easily be turned into a very dangerous security hole.
Think about an attacker who publishes some informative "txt" file called "ReadMe.txt", or even a
PDF like "VirusTotal_ScanResults.pdf", or a more tempting file like "My Girl Friend new bathing suit.jpg".
Think about an innocent user who opens that file and, instead of getting a readme file, a PDF book
or an interesting image, gets a nasty Trojan horse...
So let's start and build a nasty PoC:
1: First we're gonna take some nasty file (just kidding) that will pop up a "PWNED" message.
3: Finally we will open the ZIP file with a hex editor, change the second name only to the fake name we chose (MyPrivateImage.jpg) and save it as a ZIP file.
The result will be a nasty WINRAR file that shows you an image file; when you double-click it, the nasty binary file will execute:
This by itself is a very problematic behavior of WINRAR, but what about those people
who aren't double-clicking files from the WINRAR window?
Yes... the "Extract here" people :\
If they see a file called "MyPrivateImage.jpg" turning into "MyPrivateImage.exe", well.... they will start to worry :)
Don't be afraid, for this purpose we can combine it with another known vulnerability of Windows.
This vulnerability is called "Unicode RLO Spoofing".
In this technique we use the RLO Unicode character
(read about it here: http://www.fileformat.info/info/unicode/char/202e/index.htm).
This character can easily confuse Windows into presenting the file "Fede.jpg.exe" as
"Fedexe..jpg".
Combining these two vulnerabilities gets you the nearest thing to perfect file spoofing ever:
When you look at it in WINRAR, you will see FEDEX.jpg,
and when you extract it, you will see Fedexe..jpg.
No matter where you run the file from, YOU'LL GET PWNED!
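The two tricks above both live in the file name fields of a ZIP: the name is stored once in the local file header (at offset 30, as in the format description above) and once more in the central directory, and the RLO character can sit inside either copy. The checker below is an added example, not code from the post: it parses both copies of every name with those offsets and flags archives where the copies disagree or where a name carries a Unicode bidi control; the sample archives are constructed in memory with Python's zipfile module (no ZIP64 support), and the central-directory name is overwritten in place only to reproduce the mismatch.

```python
import io
import struct
import zipfile

CENTRAL_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x05\x06"
# Unicode bidi embedding/override controls; U+202E is the RLO character.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e"}

def _decode(raw, flags):
    # Unzippers read the name as UTF-8 when flag bit 11 is set, else CP437.
    return raw.decode("utf-8" if flags & 0x800 else "cp437", "replace")

def entry_names(data):
    # Yield (central_directory_name, local_header_name) per entry; no ZIP64 support.
    eocd = data.rfind(EOCD_SIG)
    _, pos = struct.unpack_from("<II", data, eocd + 12)  # central directory offset
    while pos < eocd and data[pos:pos + 4] == CENTRAL_SIG:
        flags, = struct.unpack_from("<H", data, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        lho, = struct.unpack_from("<I", data, pos + 42)  # where the local header lives
        central = _decode(data[pos + 46:pos + 46 + nlen], flags)
        lflags, = struct.unpack_from("<H", data, lho + 6)
        lnlen, = struct.unpack_from("<H", data, lho + 26)
        local = _decode(data[lho + 30:lho + 30 + lnlen], lflags)  # name at offset 30
        yield central, local
        pos += 46 + nlen + xlen + clen

def audit(data):
    # Findings: the two name copies disagree, or a name carries a bidi control.
    findings = []
    for central, local in entry_names(data):
        if central != local:
            findings.append(f"name mismatch: central dir {central!r} vs local header {local!r}")
        for n in {central, local}:
            if BIDI_CONTROLS & set(n):
                findings.append(f"bidi override in name {n!r}")
    return findings

def build_sample(name, central_override=None):
    # Constructed sample entry; optional same-length overwrite of the central-directory name.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, b"AAAAA")
    data = bytearray(buf.getvalue())
    if central_override is not None:
        raw, cd = central_override.encode("utf-8"), data.find(CENTRAL_SIG)
        nlen, = struct.unpack_from("<H", data, cd + 28)
        assert len(raw) == nlen, "override must keep the stored name length"
        data[cd + 46:cd + 46 + nlen] = raw
    return bytes(data)
```

Run `audit(open(path, "rb").read())` on a real archive; an empty list means every name agrees with itself and contains no bidi controls.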
Useless post, there is no such thing as a second file name.
Hello world
I am sorry, I was making it a RAR directly, not a ZIP.. worked like a charm, thank you for the copy and paste http://an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html