Sour Pickles Shellcoding in Python’s serialisation format
نویسنده
چکیده
Python’s Pickle module provides a known capability for running arbitrary Python functions and, by extension, permitting remote code execution; however there is no public Pickle exploitation guide and published exploits are simple examples only. In this paper we describe the Pickle environment, outline hurdles facing a shellcoder and provide guidelines for writing Pickle shellcode. A brief survey of public Python code was undertaken to establish the prevalence of the vulnerability, and a shellcode generator and Pickle mangler were written. Output from the paper includes helpful guidelines and templates for shellcode writing, tools for Pickle hacking and a shellcode library.
منابع مشابه
A chemical basis for sour taste perception of acid solutions and fresh-pack dill pickles.
Sour taste is influenced by pH and acids present in foods. It is not currently possible, however, to accurately predict and modify sour taste intensity in foods containing organic acids. The objective of this study was to investigate the roles of protonated (undissociated) organic acid species and hydrogen ions in evoking sour taste. Sour taste intensity increased linearly with hydrogen ion con...
متن کاملEvil Pickles: DoS Attacks Based on Object-Graph Engineering (Artifact)
This artefact demonstrates the effects of the serialisation vulnerabilities described in the companion paper. It is composed of three components: scripts, including source code, for Java, Ruby and C# serialisation-vulnerabilities, two case studies that demonstrate attacks based on the vulnerabilities, and a contracts-based mitigation strategy for serialisation-based attacks on Java applications...
متن کاملAn Implementation of Python for Racket
Racket is a descendent of Scheme that is widely used as a first language for teaching computer science. To this end, Racket provides DrRacket, a simple but pedagogic IDE. On the other hand, Python is becoming increasingly popular in a variety of areas, most notably among novice programmers. This paper presents an implementation of Python for Racket which allows programmers to use DrRacket with ...
متن کاملEvil Pickles: DoS Attacks Based on Object-Graph Engineering
In recent years, multiple vulnerabilities exploiting the serialisation APIs of various programming languages, including Java, have been discovered. These vulnerabilities can be used to devise injection attacks, exploiting the presence of dynamic programming language features like reflection or dynamic proxies. In this paper, we investigate a new type of serialisation-related vulnerabilities for...
متن کامل<tiger2/> as a standardised serialisation for ISO 24615 – SynAF
Sonja Bosch, University of South Africa (UNISA) in Pretoria – Key-Sun Choi, KAIST – Éric de la Clergerie, Inria – Alex Chengyu Fang, City University of Hong Kong – Gertrud Faaß, University of Hildersheim – Kiyong Lee, Korea University – Antonio Pareja-Lora, Universidad Complutense de Madrid – Laurent Romary, Inria & Humboldt University – Andreas Witt, Institut für Deutsche Sprache – Amir Zeldes...
متن کامل