CVE-2002-1120
published 2002-09-24

CVE-2002-1120: Buffer overflow in Savant Web Server 3.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.

Priority: P3 51 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 67.36% (99.2th percentile)

Affected

1 range
Vendor: savant
Product: savant_web_server
Version range: <= 3.1
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

version: Savant/3.1
port: 4444
other: 0x00418674
other: 0x00417a96
other: 0x00401D09
command: GET /<nopsled>/<payload><ret>
bytes: \x83\xc4\x50\x54\xc3
bytes: \x83\xc4\x8c\x54\xc3
  • Detect exploit attempts by inspecting HTTP method field for long binary/NOP sled content followed by a space and '/' — the exploit places shellcode in the HTTP method before the URI path separator.
  • Flag HTTP requests where the method field contains high-entropy binary data or NOP sleds (0x90 sequences) — the exploit embeds shellcode in the HTTP method, not the URI.
  • Savant server fingerprint string 'Savant/3.1' in HTTP Server response header identifies a vulnerable target; monitor for exploit probes against hosts returning this banner.
  • Bytes 0x00, 0x0a, 0x0d, 0x25 are bad chars for the payload; exploit traffic will avoid these bytes in the overflow buffer — use this to tune IDS signatures.
  • Characters in the range 0xe0–0xff placed before the '/' in the HTTP method are modified by Savant; exploit authors use safe NOP alternatives — look for unusual non-alpha bytes in the HTTP method field.
  • Post-exploitation: monitor for unexpected outbound TCP connections or new listeners on port 4444 from the Savant web server process, indicating successful bind-shell payload execution.
  • The exploit causes worker threads to die on each attempt; repeated HTTP requests that result in thread exhaustion (up to 10 threads in default install) against a Savant 3.1 server may indicate an active exploitation attempt.
  • The Metasploit module's Universal target RET address (0x00417a96) is a pop/ret gadget inside Savant.exe itself and is version-specific; other RET addresses target ws2help.dll and are OS/SP-specific.
  • Payload space is severely constrained (253 bytes); the Metasploit module recommends 'ord' (ordinal) payloads and uses a -3500 stack adjustment to locate the payload.
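
The method-field checks from the detection notes above, as an added example (not code from this page or its sources). The function name, the thresholds and the sample request lines are assumptions constructed for illustration.

```python
import re

# RFC 7230 "token" characters: the only bytes a well-formed HTTP method may contain.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
NOP_RUN = re.compile(rb"\x90{8,}")  # assumed threshold: 8 consecutive 0x90 bytes
MAX_METHOD_LEN = 16                 # assumed limit; standard methods are far shorter


def inspect_request_line(raw: bytes) -> list:
    """Return the reasons a raw HTTP request line matches the notes above."""
    line = raw.split(b"\r\n", 1)[0]          # request line only, headers ignored
    method, sep, _rest = line.partition(b" ")
    findings = []
    if not sep:
        findings.append("no-space-after-method")
    if len(method) > MAX_METHOD_LEN:
        findings.append("long-method")
    if not TOKEN.match(method):
        findings.append("non-token-bytes-in-method")
    if NOP_RUN.search(line):
        findings.append("nop-run")
    return findings


# Constructed sample request lines; the filler bytes are inert, not a payload.
SAMPLES = {
    "normal GET": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "normal OPTIONS": b"OPTIONS * HTTP/1.1\r\n\r\n",
    "long token method": b"A" * 300 + b" / HTTP/1.0\r\n\r\n",
    "binary method": b"\x90" * 220 + b"\x41\x42\x43\x44" + b" / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} {inspect_request_line(raw) or 'clean'}")
```

The same checks translate to an IDS rule that anchors on the bytes before the first space of the request line; tune the two thresholds against the methods your own servers actually receive.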