deser-py

Deser-py is a script to automatically generate serialized payloads for Python driven applications, which deserialize data from user input using one of the following vulnerable module:

• _pickle, cPickle
• jsonpickle
• yaml, ruamel.yaml

The generated payloads are designed to operate both with system and Popen, which allow to execute system commands on the target. When choosing among them, conisder that Popen, as a class, is considered more reliable than system to gain RCE capabilities.

This tool has been realised as part of a research on common deserialization issues. For further information, consider reading the following article:

• The Big Problem of Serialisation

Usage

Using deser-py is very straightforward::

$ python3 deser-py.py -h
usage: deser-py.py [-h] [-d] [-s] [-v {os,subprocess}] -f {pickle,json,yaml,#}
                   [-c COMMAND]

deser-py - A simple serialization payload generator

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           Enable debug messages
  -s, --save            Save payload to file
  -v {os,subprocess}, --vector {os,subprocess}
                        Save payload to file
  -f {pickle,json,yaml,#}, --format {pickle,json,yaml,#}
                        Serialization archive format
  -c COMMAND, --command COMMAND
                        Command for the payload

Requirements

In order to use deser-py, jsonpickle and PyYAML modules must be installed:

pip install -r requirements.txt

TODO:

• Implement automatic reverse shell mode
• Implement encoding schemes:
  • base64
  • urlencoded
  • others

References

• PyYAML - Exploit-DB
• Exploiting jsonpickle