Arbitrary Code Execution in WinRAR Archive File Handling
CVE-2023-38831 affects RARLAB WinRAR before 6.23. The vulnerability arises from improper handling of objects within an archive when a crafted ZIP archive contains both a benign-looking file (for example, a .JPG, .TXT, or .PDF) and a directory with the same name as that file. When the user attempts to open or view only the benign file from within WinRAR, WinRAR also processes content from the same-named directory, which can include attacker-controlled executable content such as CMD, BAT, LNK, HTA, or other scriptable payloads. This behavior can result in unintended execution of attacker-supplied code. Public reporting and incident investigations show the flaw was exploited in the wild in 2023, including delivery chains that launched BAT files, then LNK shortcuts, then HTA content via mshta.exe, ultimately deploying malware such as Cobalt Strike Beacon, DarkMe, GuLoader, Remcos RAT, IRONJAW, and LONEPAGE.
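The layout the description above relies on, a regular file and a directory that share one name with a scriptable entry inside that directory, is something a mail gateway or sandbox can check for without opening the archive in WinRAR. The following scanner is an added example and not code from this page or from any of the repositories listed below; it uses only the Python standard library, reads the ZIP central directory, and never extracts anything. The two fixture builders construct sample archives in memory (placeholder contents, names chosen here) so the check can run offline; SCRIPT_EXTS holds the payload types named above and is meant to be extended for your environment.

```python
"""Flag ZIP archives whose layout matches the CVE-2023-38831 pattern:
a regular file and a directory carrying the same name, with a scriptable
entry inside that directory. Stdlib only; scans entry names, never extracts."""
import io
import posixpath
import zipfile
from dataclasses import dataclass, field

# Payload types named in the description; extend for your environment (assumption).
SCRIPT_EXTS = {".cmd", ".bat", ".lnk", ".hta"}


@dataclass
class Finding:
    entry: str                     # file entry whose name is also used by a directory
    directory: str                 # the colliding directory, spelled as stored in the archive
    scripts: list = field(default_factory=list)  # scriptable entries inside that directory
    trailing_space: bool = False   # basename ends in whitespace (the space-suffixed names seen in the wild)


def scan_names(names):
    """Scan archive entry names (forward-slash separated) and return a list of Finding.

    Directories are derived from every entry's path prefixes, so the check works
    whether or not the archive stores explicit directory entries. Comparison is
    case-insensitive because Windows file systems are: 'Doc.pdf' and 'doc.pdf/'
    still collide on extraction.
    """
    names = list(names)
    files = [n for n in names if not n.endswith("/")]
    dirs = {}  # lower-cased directory path -> first spelling seen
    for n in names:
        parts = n.rstrip("/").split("/")
        depth = len(parts) if n.endswith("/") else len(parts) - 1
        for i in range(1, depth + 1):
            d = "/".join(parts[:i])
            dirs.setdefault(d.lower(), d)
    findings = []
    for f in files:
        key = f.lower()
        if key not in dirs:
            continue
        inside = [g for g in files if g.lower().startswith(key + "/")]
        scripts = [g for g in inside if posixpath.splitext(g)[1].lower() in SCRIPT_EXTS]
        base = posixpath.basename(f)
        findings.append(Finding(f, dirs[key], scripts, base != base.rstrip()))
    return findings


def scan_zip_bytes(data):
    """Parse the central directory of an in-memory ZIP and scan its entry names.
    Raises zipfile.BadZipFile when the bytes are not a ZIP; for a file that claims
    to be an archive that is itself worth logging."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_names(zf.namelist())


def build_collision_fixture():
    """Constructed test input mirroring the layout described above: a bait file and a
    same-named directory (both with a trailing space) holding a .cmd entry.
    Contents are placeholders; this exists only as input for the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf ", b"placeholder bait content")
        zf.writestr("report.pdf /report.pdf .cmd", b"rem placeholder")
    return buf.getvalue()


def build_clean_fixture():
    """Constructed benign archive: no file/directory name collision."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"placeholder")
        zf.writestr("notes/readme.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_clean_fixture()), ("collision", build_collision_fixture())):
        for hit in scan_zip_bytes(data):
            print(f"{label}: {hit}")
```

A file/directory name collision cannot arise when an archive is built from a real directory tree, so the collision alone is a strong signal even when no known script extension appears inside; the trailing_space flag and the scripts list are there to rank the finding, not to gate it.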
Exploits
17 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (9 hidden).
This repository is a small standalone C#/.NET Framework 4.8 Windows utility that builds a crafted archive associated with CVE-2023-38831 in WinRAR. It is not a scanner or detector; it is an exploit builder that packages operator-provided content into a malformed archive structure intended to make a benign-looking file and a script payload appear confusingly related inside the archive. Repository structure is minimal: a README, Visual Studio solution/project files, App.config, AssemblyInfo, one main source file (WinRAR Exploit/Program.cs), and a few obj/build artifacts. The core logic is entirely in Program.cs.
The application uses Windows Forms OpenFileDialog for interactive selection of two local files: a bait file (filtered as .txt by default, though all files are allowed) and a payload script (.bat or .cmd). It then prompts for an output .rar filename. The exploit workflow in Program.cs is:
1. Create a temporary directory named tmp.
2. Create a subdirectory named after the bait file plus the suffix A.
3. Copy the bait file into that subdirectory under its original name.
4. Copy the selected script into the same subdirectory under a disguised name ending in A.cmd.
5. Copy the bait file again into the top-level temporary directory under a name ending in B.
6. Zip the directory with ZipFile.CreateFromDirectory.
7. Read the ZIP bytes and globally replace ASCII byte 'A' with a space and 'B' with a space.
8. Delete the temporary ZIP.
9. Write the modified bytes to a user-named file with a .rar extension.
This indicates the tool is abusing archive filename/layout manipulation rather than exploiting memory corruption or network exposure. There are no network callbacks, URLs, sockets, or remote C2 endpoints in the code. All activity is local file manipulation. The only notable observable beyond file paths is a hardcoded Telegram handle displayed to the user.
Because the payload is operator-supplied and can be any batch/cmd script, the resulting capability depends on that script; the builder itself provides the archive-generation mechanism needed to deliver it to vulnerable WinRAR users. This makes the repository an operational local exploit builder for malicious archive creation against WinRAR versions below 6.23 on Windows.
This repository is a proof-of-concept exploit for CVE-2023-38831, a vulnerability in WinRAR (versions prior to 6.23) that allows code execution when a user opens a specially crafted archive. The repository contains three files: a README.md with detailed usage and background, exploit.py (the main exploit generator script), and script.bat (an example payload that launches calc.exe). The Python script takes a decoy file and a payload file as input, constructs a ZIP archive with a specific folder and file structure, patches the archive to exploit the filename parsing bug in WinRAR, and outputs a file with a .rar extension. When a victim opens the archive and double-clicks the decoy file, WinRAR executes the payload. The exploit is cross-platform for generation but targets Windows systems running vulnerable WinRAR. No network endpoints are involved; the attack vector is local, requiring user interaction. The exploit is a POC, demonstrating arbitrary code execution via a crafted archive.
This repository contains a single Python script that serves as a proof-of-concept (PoC) exploit for CVE-2023-38831, a vulnerability in WinRAR. The script automates the creation of a malicious archive (RAR/ZIP) that abuses the vulnerability to execute an attacker-supplied script when opened in a vulnerable version of WinRAR. The user must provide a decoy file (such as a PDF) and a malicious script (such as a .bat or .cmd file). The script constructs a specific folder and file structure, patches the archive to manipulate file names, and outputs a final archive file. There are no hardcoded network endpoints or IP addresses; all file paths are user-supplied. The exploit demonstrates the attack vector but does not include a weaponized or customizable payload beyond what the user provides. The repository is structured as a single, self-contained PoC script.
This repository is a proof-of-concept exploit for CVE-2023-38831, a vulnerability in WinRAR (version 6.22 and earlier) that allows arbitrary code execution via a specially crafted ZIP archive. The main exploit logic is implemented in 'poc.py', a Python script that creates a ZIP file containing both a benign file and a batch script (script.bat). The script manipulates the ZIP structure so that, when opened in a vulnerable version of WinRAR, the batch script is executed (demonstrated by launching calc.exe). The repository includes a README with usage instructions, a sample payload (script.bat), a sample file (test.txt), and the exploit script (poc.py). The attack vector is local, requiring the victim to open the malicious ZIP file. No network endpoints are involved; all actions are performed on local files. The exploit demonstrates the vulnerability but does not include weaponized or highly automated payloads.
This repository provides a proof-of-concept (POC) exploit for CVE-2023-38831, a vulnerability in WinRAR (prior to version 6.23) that allows arbitrary code execution via specially crafted archive files. The repository contains three files: a Python script (exploit.py) that automates the creation of a malicious RAR archive, a batch script (DoS.cmd) that serves as a sample payload, and a README.md with detailed background and usage instructions. The exploit works by creating an archive with two files whose names differ only by a trailing space and extension, exploiting WinRAR's file resolution logic to execute the attacker's script when the victim opens the decoy file. The attack is local, requiring the victim to open the crafted archive. No network endpoints are involved. The exploit is a POC, requiring the attacker to supply their own payload script, and demonstrates the vulnerability's logic rather than providing a weaponized, automated attack.
This repository contains a Metasploit module (winrar_cve_2023_38831.rb) that exploits CVE-2023-38831, a vulnerability in WinRAR 6.22 on Windows. The exploit works by generating a malicious RAR archive containing a decoy document and a CMD script. When a user opens the crafted archive and interacts with the decoy file, the CMD script is executed, which in turn runs a payload (typically a Meterpreter reverse shell) and the decoy document. The payload is a Windows executable generated by Metasploit, and the exploit is fully operational, requiring only that the attacker specify the decoy file and output filename. The repository also includes documentation files (README.md and winrar_cve_2023_38831.md) that describe usage, configuration, and references. The main attack vector is local, as user interaction is required to trigger the exploit. The only fingerprintable endpoints are the crafted RAR file and the decoy document specified by the attacker.
This repository provides a working exploit for CVE-2023-38831, a critical vulnerability in WinRAR versions prior to 6.23 that allows arbitrary code execution when a user opens a specially crafted archive. The main exploit script (CVE-2023-38831-WinRar-Exploit.py) automates the creation of a malicious RAR archive containing a bait file (such as a PDF) and a payload (such as a batch file or executable). When the victim opens the bait file from within the archive, WinRAR's flawed handling causes the payload to execute. The repository includes:
- The main Python exploit generator (CVE-2023-38831-WinRar-Exploit.py)
- Example bait files (PDFs)
- An example batch payload (script.bat) that opens a decoy PDF and then downloads and executes a PowerShell reverse shell from an attacker-controlled HTTP server (http://192.168.10.21:8000/reverse.ps1)
- Documentation (README.md) with detailed usage instructions, including how to generate payloads with Metasploit and how to set up a listener for the reverse shell
The exploit is operational and can be used to achieve remote code execution on vulnerable Windows systems running outdated WinRAR. The attack vector is primarily local (the user opens a malicious archive), but the payload establishes a network connection (reverse shell) to the attacker's machine. The repository is well-structured, with clear separation between exploit code, payloads, and documentation.
This repository provides a proof-of-concept exploit for CVE-2023-38831, a vulnerability in WinRAR that allows arbitrary code execution when a victim opens a specially crafted archive. The repository contains three files: a README.md with usage instructions and references, a Python script (cve-2023-38831-exp-gen.py) that generates a malicious RAR archive by combining a bait file (e.g., PDF, PNG, JPG) with a batch script, and a batch script (script.bat) that, when executed, establishes a reverse shell to an attacker-controlled IP and port using PowerShell. The exploit requires the attacker to specify their IP and port in the batch script before generating the archive. The attack vector is local, as it requires user interaction to open the malicious archive on a vulnerable Windows system. The main purpose of the repository is to demonstrate and facilitate exploitation of the WinRAR vulnerability by generating weaponized archives that deliver a reverse shell payload.
This repository, 'evil-winrar', is a Python-based exploitation and social engineering framework targeting the WinRAR vulnerability CVE-2023-38831. The structure includes a main script (evil-winrar.py), configuration files, payload templates (batch scripts), and modules for generating malicious archives, running an HTTP server, and sending emails. The framework allows an attacker to craft a malicious archive exploiting the WinRAR vulnerability, which, when opened by a victim, executes an embedded payload (default: opens calculator, but can be customized). The payload can be delivered via email (using SMTP) or through a download link served by the built-in HTTP server. The code is modular, with clear separation between payload generation, delivery mechanisms, and configuration. The exploit is operational, providing a working end-to-end attack chain for CVE-2023-38831, and is suitable for both proof-of-concept and real-world exploitation with minor modifications.
This repository provides a proof-of-concept (PoC) exploit for CVE-2023-38831, a zero-day vulnerability in WinRAR (versions prior to 6.23) that allows arbitrary code execution when a user opens a benign file inside a specially crafted ZIP archive. The main exploit logic is implemented in 'poc.py', a Python script that takes a malicious script (e.g., 'script.bat'), a benign file (e.g., an image), a directory name, and a file name as arguments. It creates a ZIP archive with a specific structure: a folder and a file with the same name, exploiting the way WinRAR processes such archives. The script also manipulates the ZIP file at the byte level to ensure the exploit works as intended. The included 'script.bat' is a simple payload that launches 'calc.exe', but any script can be used. The exploit requires the victim to open the ZIP file with a vulnerable version of WinRAR and double-click the benign file, at which point the malicious script is executed. The repository contains a README with usage instructions, a LICENSE, the PoC script, and a sample batch payload.
This repository provides a proof-of-concept exploit generator for CVE-2023-38831, a vulnerability in WinRAR (<= 6.22) that allows arbitrary code execution when a victim opens a specially crafted archive. The main script, 'cve-2023-38831-exp-gen.py', automates the creation of a malicious RAR archive by combining a bait file (e.g., a PDF) and a payload script (e.g., 'script.bat'). The batch script demonstrates code execution by launching 'calc.exe'. The exploit leverages directory and file name manipulation within the archive to trigger execution of the attacker's script when the victim interacts with the bait file. The repository contains a README with usage instructions, a Python exploit generator, a sample batch payload, and a .gitignore. No network endpoints are present; the attack is local and requires user interaction with the malicious archive.
This repository provides a proof-of-concept exploit for CVE-2023-38831, a vulnerability in WinRAR (<= 6.22) on Windows. The main script, 'cve-2023-38831.py', automates the creation of a specially crafted ZIP archive that abuses the vulnerability to execute an attacker-supplied batch file (payload.bat) when a victim opens a file from the archive using a vulnerable WinRAR version. The exploit works by manipulating the archive structure and file extensions to trigger code execution. The repository includes a sample payload ('payload.bat') and instructions in the README. No network endpoints are involved; the attack is local and relies on user interaction with the malicious archive. The structure is simple: a Python script for archive creation, a batch file as payload, a README, and a .gitignore.
This repository provides a proof-of-concept exploit generator for CVE-2023-38831, a vulnerability in WinRAR prior to version 6.23 that allows arbitrary code execution when a user opens a specially crafted ZIP archive. The main script, 'CVE-2023-38831-WinRar-Exploit.py', automates the creation of a malicious archive by combining a bait file (such as a PDF) and a payload (BAT, CMD, or EXE). The script can also embed a command to download and execute a remote file via a user-supplied URL. The repository includes a sample bait file and a simple BAT payload (launching calc.exe). The exploit is local in nature, requiring user interaction to open the archive with a vulnerable WinRAR version. The structure is straightforward: the Python script is the generator, with supporting files for demonstration. The exploit is a POC but allows for arbitrary payloads and remote code execution if a payload URL is provided.
This repository contains a proof-of-concept exploit script (PDFernetRemotelo.py) that demonstrates remote code execution by chaining two vulnerabilities: CVE-2024-4367 (PDF exploit) and CVE-2023-38831 (WinRAR exploit). The main script is written in Python and automates the creation of a malicious PDF and a specially crafted RAR archive. The workflow is as follows:
1. The attacker provides their IP and port, which are used to configure a batch script that opens a reverse shell using ncat.
2. The script generates a bait PDF and a batch file, then creates a malicious RAR archive exploiting the WinRAR vulnerability.
3. It also generates a malicious PDF file that, when opened in a vulnerable version of Firefox, triggers the download of the malicious RAR file.
4. The script starts a local HTTP server to host the malicious files and prints a URL (http://<attacker_ip>/poc.pdf) for the attacker to send to the victim.
5. If the victim opens the PDF and extracts/executes the RAR contents, the batch script is run, connecting back to the attacker's machine and granting remote command execution.
The repository includes a README.md with background information and usage instructions. The exploit targets Windows systems with specific vulnerable versions of WinRAR and Firefox. The main attack vectors are network (HTTP delivery and reverse shell) and file-based (malicious PDF and RAR).
This repository provides 'RaRCE', a Python-based exploit generator for CVE-2023-38831, a critical vulnerability in WinRAR versions prior to 6.23. The vulnerability allows attackers to craft ZIP or RAR archives containing a benign-looking file (the 'bait') and a folder with the same name as the bait file. When a victim opens the bait file from within the archive using a vulnerable version of WinRAR, the payload (placed in the identically-named folder) is executed instead of the bait file, leading to arbitrary code execution. The repository is structured as a Python package with a command-line interface (rarce/cli.py) and core exploit logic (rarce/rarce.py). The main entry points are the CLI and module interface, both of which invoke the 'exploit' function. This function takes three main arguments: the path to the bait file, the path to the payload (switch), and the output path for the crafted archive. Optional flags allow for path checks, temporary directory usage, and verbose output. The exploit does not target network endpoints or remote services; instead, it generates a malicious archive file intended for local delivery to a victim (e.g., via email or download). The payload is user-supplied and can be any executable or script. The tool is operational and automates the archive crafting process, making exploitation of CVE-2023-38831 straightforward for attackers. No fake or detection-only code is present; this is a real exploit generator.
This repository provides a proof-of-concept exploit for CVE-2023-38831, a vulnerability in WinRAR versions prior to 6.23 that allows arbitrary code execution via a specially crafted ZIP archive. The repository contains four files: a README.md with usage instructions and background, an empty document.pdf (likely a placeholder for a bait file), exploit.py (the main exploit script), and script.bat (a simple payload that launches calc.exe). The exploit.py script prompts the user for a bait file and a script file, then constructs a ZIP archive with a specific structure that abuses the vulnerability in WinRAR. When a victim opens the bait file in the archive, the payload script is executed. The exploit is a proof-of-concept and demonstrates the attack vector, but the payload can be customized. No network endpoints are involved; the attack is local and relies on user interaction with the crafted archive.
This repository provides a working exploit for CVE-2023-38831, a vulnerability in WinRAR that allows remote code execution when a victim opens a specially crafted archive. The exploit chain involves creating a malicious archive containing a bait file (e.g., a PDF) and a payload (e.g., BAT, Python, and PowerShell scripts). The 'rarce' Python module automates the creation of such archives, replacing file names and paths to trigger the exploit when the bait file is opened. The payload ultimately executes a PowerShell reverse shell, connecting back to the attacker's machine. The repository includes scripts for each stage: 'comando.bat' (batch file to run the Python script), 'pwned.py' (Python script to execute the PowerShell payload), and instructions for generating the PowerShell reverse shell using revshells.com. The exploit is operational and requires the attacker to set up a listener to receive the shell. The main attack vector is local (user interaction with a malicious archive), but the result is a network-based reverse shell. The repository is well-structured, with clear separation between the exploit generator (rarce) and the payload delivery scripts.
Recent activity
47 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A specific WinRAR vulnerability exploited by FrostyNeighbor as part of its compromise chain and lure delivery activity.
A WinRAR archive-handling vulnerability caused by improper handling of objects within an archive, used for initial access via malicious archives.
A WinRAR remote code execution vulnerability used by the threat actors for initial access and deeper network compromise.
A vulnerability involving improper handling of objects within an archive.