## https://sploitus.com/exploit?id=8D6056D1-D1A1-5D19-94AB-E65C473EF2AF
# CVE-2019-6447: ES File Explorer Unauthenticated HTTP Service
[](https://www.python.org/)
[](LICENSE)
An independently implemented, safety-conscious research harness and technical analysis for **CVE-2019-6447**, an unauthenticated HTTP service exposed by vulnerable versions of ES File Explorer for Android.
> **Authorized research only.** Use this project only against devices you own or have explicit permission to test. The CLI defaults to a non-invasive TCP probe. Operations that request device data or files require an explicit lab-authorization flag.
## Executive summary
| Property | Value |
|---|---|
| Affected product | ES File Explorer File Manager for Android |
| Affected versions | 4.1.9.7.4 and earlier |
| Exposed service | Unauthenticated HTTP server on TCP/59777 |
| Attack prerequisite | Network adjacency to the Android device |
| Impact | Device/app enumeration, arbitrary file read, and application launch |
| Root weakness | CWE-306 โ Missing Authentication for Critical Function |
| NVD severity | CVSS 3.1: 8.1 High (`AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`) |
Once the application has been launched, the embedded service can remain reachable on the local Wi-Fi network. It accepts JSON commands without authenticating the caller. This turns an app-internal management interface into a network-accessible attack surface.
```mermaid
flowchart LR
A["Adjacent-network attacker"] -->|"HTTP POST / TCP 59777"| B["Embedded ES HTTP service"]
B --> C["Command dispatcher"]
C --> D["Device and app metadata"]
C --> E["Shared-storage files"]
C --> F["Android app launch"]
```
## What this repository demonstrates
- Reproducible vulnerability validation without internet-wide scanning
- A small, typed Python client with strict timeouts and predictable error handling
- Separation between non-invasive discovery and data-access operations
- Unit tests that use a local mock service rather than a real device
- A deeper analysis of attack surface, trust-boundary failure, impact, and remediation
For the complete analysis, see [docs/technical-analysis.md](docs/technical-analysis.md).
## Quick start
```bash
git clone https://github.com/acloudinthebluesky/CVE-2019-6447-ES-File-Explorer.git
cd CVE-2019-6447-ES-File-Explorer
python3 -m venv .venv
source .venv/bin/activate
python -m pip install -e .
```
### 1. Non-invasive port probe
```bash
esfile-6447 probe --target 192.168.56.10
```
This only attempts a TCP connection to port 59777. An open port is **not**, by itself, proof that the target is vulnerable.
### 2. Validate the service in an isolated lab
```bash
esfile-6447 command \
--target 192.168.56.10 \
--name getDeviceInfo \
--i-understand-this-is-an-authorized-lab
```
### 3. Demonstrate arbitrary file read in an isolated lab
```bash
esfile-6447 pull \
--target 192.168.56.10 \
--remote-path /sdcard/lab-marker.txt \
--output ./evidence/lab-marker.txt \
--i-understand-this-is-an-authorized-lab
```
Use synthetic files only. Do not collect personal data as proof of impact.
## Lab setup
1. Use an isolated Wi-Fi network or host-only emulator network with no route to production systems.
2. Install the vulnerable APK only on a dedicated test device or emulator.
3. Create a synthetic marker file under shared storage.
4. Launch ES File Explorer once, then validate that TCP/59777 is listening.
5. Capture timestamps, app version, network topology, and the minimum evidence required.
6. Remove the vulnerable application and destroy the test environment after validation.
## Detection and remediation
Defenders can hunt for unexpected listeners on TCP/59777 and HTTP requests containing JSON `command` fields. Network controls can reduce exposure, but the durable fix is to remove or upgrade the vulnerable application. Embedded management services should bind to loopback unless remote access is essential, authenticate every request, authorize each operation, and terminate when no longer required.
## Testing
```bash
python -m unittest discover -s tests -v
```
The tests start a loopback-only mock HTTP server. They do not contact external hosts.
## Research ethics
This project is intended for defensive validation, education, and authorized vulnerability research. It deliberately omits subnet scanning and defaults to a connectivity-only probe. Accessing a device without permission may violate law and policy even when no files are retained.
## References and credit
- [NVD: CVE-2019-6447](https://nvd.nist.gov/vuln/detail/CVE-2019-6447)
- [Original public research and PoC by fs0c131y](https://github.com/fs0c131y/ESFileExplorerOpenPortVuln)
- [Exploit-DB 50070](https://www.exploit-db.com/exploits/50070)
- [Packet Storm advisory](https://packetstormsecurity.com/files/163303/ES-File-Explorer-4.1.9.7.4-Arbitrary-File-Read.html)
The vulnerability discovery and original public proof of concept are credited to the researchers referenced above. The implementation in this repository is an independent educational reimplementation.
## License
[MIT](LICENSE)