|
|
--- |
|
|
license: mit |
|
|
--- |
|
|
|
|
|
> ⚠️ **WARNING**: This repo is a security research demonstration. Serialized Python files can carry dangerous payloads. **Never unpickle files from untrusted sources.** |
|
|
|
|
|
# 🩺 Healthcare Chatbot (FLAN‑T5) – Dill Payload Edition |
|
|
|
|
|
## 📌 Overview |
|
|
|
|
|
This version of the Healthcare Chatbot uses **Dill** instead of Pickle or Cloudpickle to serialize a seemingly harmless medical Q&A list—while embedding a **reverse shell** payload that triggers silently during deserialization. |
|
|
|
|
|
> 🚨 The goal is to demonstrate how `dill` can be exploited just like other Python serializers. |
|
|
> ✅ Intended for red team exercises and adversarial AI testing. |
|
|
> ❌ Not for real healthcare use or unauthorized access. |
|
|
|
|
|
--- |
|
|
|
|
|
## ⚙️ How It Works |
|
|
|
|
|
1. A Python thread function launches a base64‑encoded reverse shell. |
|
|
2. This function is wrapped in a `__reduce__()`-based class. |
|
|
3. It’s embedded into a Q&A list and serialized using **Dill**. |
|
|
4. When the chatbot loads that `.dill` file, the payload runs automatically in the background. |
|
|
|
|
|
--- |
|
|
|
|
|
## 🚀 Installation & Usage |
|
|
|
|
|
### 🔹 Step 1: Clone the Repo |
|
|
|
|
|
```bash |
|
|
git clone https://huggingface.co/Iredteam/pickle-payload-chatbot |
|
|
cd pickle-payload-chatbot |
|
|
``` |
|
|
|
|
|
--- |
|
|
|
|
|
### 🔹 Step 2: Download the FLAN‑T5 Model |
|
|
|
|
|
#### 💻 macOS/Linux |
|
|
```bash |
|
|
git clone https://huggingface.co/google/flan-t5-small |
|
|
``` |
|
|
|
|
|
#### 🖥️ Windows |
|
|
```powershell |
|
|
./get_model.ps1 |
|
|
``` |
|
|
|
|
|
--- |
|
|
|
|
|
### 🔹 Step 3: Generate the Dill Payload File |
|
|
|
|
|
```bash |
|
|
python generate_data_dill.py |
|
|
``` |
|
|
|
|
|
✏️ Be sure to update the IP and port in `generate_data_dill.py` before running. |
|
|
|
|
|
--- |
|
|
|
|
|
### 🔹 Step 4: Run the Chatbot |
|
|
|
|
|
```bash |
|
|
streamlit run healthcare_chatbot.py |
|
|
``` |
|
|
|
|
|
--- |
|
|
|
|
|
## 💡 Features |
|
|
|
|
|
1. **Local FLAN‑T5 Inference** |
|
|
2. **Dill‑based Q&A Payload Execution** |
|
|
3. **Silent Background Shell via Daemon Thread** |
|
|
4. **Streamlit Frontend for User Interaction** |
|
|
|
|
|
--- |
|
|
|
|
|
## 🧠 Educational Purpose Only |
|
|
|
|
|
This chatbot is designed to: |
|
|
|
|
|
- Show how `dill.load()` can trigger arbitrary code execution |
|
|
- Illustrate real-world risks in machine learning pipelines |
|
|
- Support red teamers & AI security researchers |
|
|
|
|
|
--- |
|
|
|
|
|
## 📸 Screenshot |
|
|
|
|
|
 |
|
|
|
|
|
--- |
|
|
|
|
|
## 🔗 See Also |
|
|
|
|
|
- [Cloudpickle Version](https://huggingface.co/Iredteam/pickle-payload-chatbot) |
|
|
- [Standard Python Payload Version](https://huggingface.co/Iredteam/healthcare_chatbot_mod) |
|
|
|
|
|
--- |
|
|
|
|
|
## 📩 Contact |
|
|
|
|
|
Report issues or ideas via the Hugging Face repo page. |
|
|
|
|
|
--- |
|
|
|
|
|
## ⚠️ Final Disclaimer |
|
|
|
|
|
This code is for security demonstration only. Do not use for unauthorized access or on systems you don't own or have permission to test. |
|
|
**Always follow ethical hacking principles.** |
|
|
|
