es file explorer open port CVE-2019-6447 #11625

Merged
merged 3 commits into from
Mar 29, 2019

h00die
Contributor

@h00die h00die commented Mar 24, 2019

This module exploits CVE-2019-6447, where Android app ES File Explorer before version 4.1.9.7.5 ran an HTTP server while the app was open, which accepted commands to do things like get device info, download files, list apps/files.

Verification

  • Install vulnerable app
  • Start msfconsole
  • use modules/auxiliary/scanner/http/es_file_explorer_open_port
  • set rhost
  • run
  • Verify the action completes as expected (see docs)
  • Document no spelling/grammar/syntax bugs

@busterb
Member

busterb commented Mar 26, 2019

Nice work! With features like these, who needs bugs!

Contributor

@wvu wvu left a comment

Please add a DisclosureDate.

@h00die h00die requested a review from wvu March 26, 2019 20:16
@wvu
Contributor

wvu commented Mar 26, 2019

Btw, when we discussed this in work chat in January, I found this: https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2Fwww.ms509.com%2F2016%2F03%2F01%2Fes-explorer-vul%2F.

Mar 1, 2016

Independent discovery? cc @fs0c131y

@h00die
Contributor Author

h00die commented Mar 26, 2019

Interesting, 3yr timespan. I'll update references, credit should be given as it references all the same things

@fs0c131y

Hi,

Yes I found this issue 2 months ago. The PoC I made is available here: https://github.com/fs0c131y/ESFileExplorerOpenPortVuln

Regards

@wvu
Contributor

wvu commented Mar 26, 2019

Yes, credit all discoverers, please. Thanks!

@busterb busterb self-assigned this Mar 29, 2019
@busterb
Member

busterb commented Mar 29, 2019

Verified locally yesterday, LGTM.

@busterb busterb merged commit 3f9c934 into rapid7:master Mar 29, 2019
@busterb
Member

busterb commented Mar 29, 2019

Release Notes

The ES File Explorer Open Port module exploits CVE-2019-6447. The Android app "ES File Explorer," version 4.1.9.7.5 and earlier, runs an HTTP server while the app is open, which accepts commands to perform operations such as getting device info, downloading files, and listing apps and files.

@h00die h00die deleted the esfile branch March 29, 2019 22:42
@tdoan-r7 tdoan-r7 added rn-exploit rn-enhancement release notes enhancement rn-modules release notes for new or majorly enhanced modules and removed rn-exploit rn-enhancement release notes enhancement labels Apr 15, 2019