--- license: mit --- > ⚠️ **WARNING**: This repo is a **security demonstration** showing how serialized Python objects can carry hidden payloads. **Never** unpickle unknown files. You’ve been warned. # 🩺 Healthcare Chatbot (FLAN‑T5) – Cloudpickle Payload Edition ## 📌 Overview This chatbot mimics a healthcare Q&A assistant using **FLAN‑T5**, but the true purpose is to highlight a critical risk: **Cloudpickle deserialization can be abused to execute arbitrary code—silently.** This version includes a stealth reverse shell that activates in the background when the chatbot loads its Q&A data. > ✅ Built for security research. > ❌ Not intended for real-world healthcare use. > 🔥 Demonstrates how `.cpkl` files can be used for stealth execution. --- ## ⚙️ How It Works 1. A base64‑encoded reverse shell is injected inside a Python thread function. 2. That payload is wrapped in a class with a `__reduce__()` method. 3. It’s embedded into a Q&A list and serialized using **cloudpickle**. 4. When the Streamlit app loads that `.cpkl` file in a background thread, the payload executes. --- ## 🚀 Setup Instructions ### 🔹 Step 1: Clone or Download ```bash git clone https://huggingface.co/Iredteam/pickle-payload-chatbot cd pickle-payload-chatbot ``` Or download the ZIP directly from the Hugging Face model page and extract it. --- ### 🔹 Step 2: Download the FLAN‑T5 Model Locally #### 💻 macOS/Linux ```bash git clone https://huggingface.co/google/flan-t5-small ``` #### 🖥️ Windows ```powershell ./get_model.ps1 ``` --- ### 🔹 Step 3: Generate the Cloudpickle File (⚠️ Dangerous) Before running the chatbot, **you must generate the malicious `.cpkl` file**: ```bash python generate_data_cloudpickle.py ``` > ✏️ Edit the IP address and port inside `generate_data_cloudpickle.py` to match your reverse shell listener before running this. --- ### 🔹 Step 4: Launch the Chatbot ```bash streamlit run healthcare_chatbot.py ``` --- ## 💡 Features 1. **Local FLAN‑T5 Inference** – Model is loaded from disk for privacy & speed. 2. **Streamlit UI** – Clean interface for asking medical-style questions. 3. **Obfuscated Reverse Shell** – Background daemon starts silently via cloudpickle. 4. **Payload Triggered in Background Thread** – No UI indication, no alerts. --- ## 🔬 Security Demonstration Purpose This is not your average chatbot. It demonstrates: - How serialized Python files (e.g., `.pkl`, `.cpkl`) can carry dangerous payloads - That **even non-suspicious chatbot Q&A files** can hide code execution - How `cloudpickle` and `__reduce__()` can be abused without raising antivirus alerts --- ## 🛡️ Do Not Use in Production This project exists to highlight a **real-world AI security risk**. Do not: - Deploy this in a production environment - Use it to gain unauthorized access - Ignore the dangers of deserializing untrusted input --- ## 📸 Screenshot ![image/png](https://cdn-uploads.huggingface.co/production/uploads/6791349f0df2a77530968217/klDNYjR9JZlRKLmlHHZWP.png) --- ## 🔗 Related Work For a version of this chatbot that uses a reverse shell embedded in the **Python script itself**, not the pickle file, visit: [https://huggingface.co/Iredteam/healthcare_chatbot_mod](https://huggingface.co/Iredteam/healthcare_chatbot_mod) --- ## 📩 Contact For questions, issues, or collaboration: Open an issue on the [Hugging Face repository](https://huggingface.co/Iredteam/pickle-payload-chatbot). --- ## ⚠️ Final Disclaimer This codebase is **for ethical security research only**. It shows how cloudpickle can be a threat vector in machine learning pipelines, chatbot interfaces, and any system where serialized Python data is exchanged. **Do not deserialize unknown files. Ever.**