Hugging Face's logo

Iredteam
/
dill-payload-chatbot

Model card Files
xet
Community
dill-payload-chatbot / README.md
Iredteam's picture
Iredteam
Rename README_dill.md to README.md
5233704 verified
preview code
|
raw
history blame contribute delete
2.77 kB
metadata 
license: mit

โš ๏ธ WARNING: This repo is a security research demonstration. Serialized Python files can carry dangerous payloads. Never unpickle files from untrusted sources.

๐Ÿฉบ Healthcare Chatbot (FLANโ€‘T5) โ€“ Dill Payload Edition

๐Ÿ“Œ Overview

This version of the Healthcare Chatbot uses Dill instead of Pickle or Cloudpickle to serialize a seemingly harmless medical Q&A listโ€”while embedding a reverse shell payload that triggers silently during deserialization.

๐Ÿšจ The goal is to demonstrate how dill can be exploited just like other Python serializers.
โœ… Intended for red team exercises and adversarial AI testing.
โŒ Not for real healthcare use or unauthorized access.

โš™๏ธ How It Works

  1. A Python thread function launches a base64โ€‘encoded reverse shell.
  2. This function is wrapped in a __reduce__()-based class.
  3. Itโ€™s embedded into a Q&A list and serialized using Dill.
  4. When the chatbot loads that .dill file, the payload runs automatically in the background.

๐Ÿš€ Installation & Usage

๐Ÿ”น Step 1: Clone the Repo 

git clone https://huggingface.co/Iredteam/pickle-payload-chatbot
cd pickle-payload-chatbot

๐Ÿ”น Step 2: Download the FLANโ€‘T5 Model

๐Ÿ’ป macOS/Linux 

git clone https://huggingface.co/google/flan-t5-small

๐Ÿ–ฅ๏ธ Windows 

./get_model.ps1

๐Ÿ”น Step 3: Generate the Dill Payload File 

python generate_data_dill.py

โœ๏ธ Be sure to update the IP and port in generate_data_dill.py before running.

๐Ÿ”น Step 4: Run the Chatbot 

streamlit run healthcare_chatbot.py

๐Ÿ’ก Features

  1. Local FLANโ€‘T5 Inference
  2. Dillโ€‘based Q&A Payload Execution
  3. Silent Background Shell via Daemon Thread
  4. Streamlit Frontend for User Interaction

๐Ÿง  Educational Purpose Only

This chatbot is designed to:

  • Show how dill.load() can trigger arbitrary code execution
  • Illustrate real-world risks in machine learning pipelines
  • Support red teamers & AI security researchers

๐Ÿ“ธ Screenshot

image/png

๐Ÿ”— See Also

๐Ÿ“ฉ Contact

Report issues or ideas via the Hugging Face repo page.

โš ๏ธ Final Disclaimer

This code is for security demonstration only. Do not use for unauthorized access or on systems you don't own or have permission to test.
Always follow ethical hacking principles.