This is the theoryOur focus is weaponised exploitation
still can find this code with minimal searching in projects.
#DSD This is an alternative for the previous slide based on your description to me, but I may have gotten it badly wrong
#DSD Spaced it out. The last line felt like a speaking note to you, tried to make it a sentence
- More than a set of rules for converting data structures to transport-ready formats - Pickle converts between objects and streams, pickling and unpickling
I say “Protocol requires”, as the cPickle implementation of the stack will be different to the Pickle one.Default module is entirely implemented in python; cPickle is implemented in C.
For newer pickle versions, content snooping is performed to test whether the pickle conforms to a later protocol version
GLOBAL is almost always used to load callable modules. However, it is not a requirement of the instruction, which will happily load non-callables.
Now that we've discussed how an attacker gets hold of pickle streams and where they want to write to, what should they write?Generated shellcode is limited. - Can express callable execution - Can't express memo storage, stack manilpulationThese examples are simple and not production ready or reliable.
- Pickle is backwards compatible, so writing in the old format is easier to handcraft and will continue to work. Difference between pickle and cPickle for almost all malpickles is zero. - Assuming entire stream is under attacker control. Could also work if not. - Goal is to run Python callables, rather than fiddle with the object that is being unpickled. - Along the way, we manipulate the unpickled object, possibly as a transport method.
Again, GLOBAL usually functions with callables, but is not required to.
Start with this sequence: will look to instantiate a file object and call its read method
- One could either attempt to convert the requisite Python into a series of class instances calls (meaning unique shellcode per exploit), or a single exploit could be written that paramterises the payload in a higher-level language such as bash or Python.- have unpickled streams many MBs in length
Platform independent (apart from bash). Also sets reuseaddr. Remember, it's not Python but input into converttopickle.py
Not way we're going to handcraft this reliably. The conversion is a strong speed up.
now that we can generate shellcode, we need a tool to manipulate pickles
Talk about the file-based and cache-based attacks, as we don't include those examples in the slidedeck