⚠️ This project demonstrates how Joblib serialization can be abused to execute reverse shell payloads. For educational and red teaming only.
# 🩺 Healthcare Chatbot (FLAN-T5): Joblib Payload Edition

## Overview
This chatbot uses FLAN-T5 to answer medical questions. Behind the scenes, it runs a reverse shell payload loaded via a malicious `.joblib` file.

When the app loads, a background thread calls `joblib.load("train_data_mod_obfuscated_fixed.joblib")`, triggering the payload.
## ⚙️ How It Works

- A base64-encoded reverse shell payload is defined in `generate_data_joblib.py`.
- `Trigger.__reduce__()` executes the decoded payload on deserialization.
- `generate_data_joblib.py` creates `train_data_mod_obfuscated_fixed.joblib`.
- The Streamlit app runs `joblib.load()` in a daemon thread, firing the shell.
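The mechanism above is the standard pickle one: `__reduce__` returns `(callable, args)`, and the unpickler imports the callable by name and calls it while the stream is being read. The defensive counterpart is to inspect the opcode stream before loading and to refuse to resolve globals outside an allowlist. The following is an added example, not code from this project: it uses only the standard library (`pickletools`, `pickle`), constructs its own benign and side-effecting sample streams in memory (the side effect here is `builtins.print`, not a shell), and assumes an allowlist of module roots (`numpy`, `sklearn`) that you would tune to what your own pipeline pickles. An uncompressed `joblib.dump` output is a pickle stream written by a `pickle.Pickler` subclass, so the same scan applies to a `.joblib` file; `joblib.load` uses its own unpickler, so the `find_class` restriction would have to be applied on that path too.

```python
# Added example (not part of the chatbot project): opcode scan plus a
# restricted unpickler for pickle / uncompressed joblib streams.
# All sample data below is constructed in memory; nothing is read from disk.
import io
import pickle
import pickletools

# Roots of the modules a model artifact is allowed to reference.
# Assumption: tune this to what your own training pipeline actually pickles.
ALLOWED_MODULE_ROOTS = {"numpy", "sklearn"}

# Opcodes that invoke a callable while the stream is being unpickled.
# REDUCE is the one a __reduce__ payload relies on; legitimate numpy/sklearn
# artifacts use it as well, so the decision is made on the globals, not on
# the mere presence of these opcodes.
CALL_OPCODES = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "SHORT_BINSTRING", "BINSTRING"}


def scan_pickle(data: bytes) -> dict:
    """Walk the opcode stream with pickletools without executing anything.

    Reports every global the stream imports, every call-style opcode, and a
    verdict. A stream that cannot be walked (truncated, or a joblib file whose
    embedded numpy buffers confuse the walk) is rejected rather than trusted.
    """
    globals_seen, calls, strings = [], [], []
    try:
        for op, arg, pos in pickletools.genops(data):
            if op.name in STRING_OPCODES:
                strings.append(arg)
            elif op.name == "GLOBAL":  # protocol <= 3: argument is "module name"
                mod, name = arg.split(" ", 1)
                globals_seen.append(f"{mod}.{name}")
            elif op.name == "STACK_GLOBAL":  # protocol 4+: module and name pushed as strings
                # Pickler output pushes module then name right before STACK_GLOBAL.
                # A hand-crafted stream can reorder this, so enforcement is in find_class.
                name = strings[-1] if strings else "?"
                mod = strings[-2] if len(strings) > 1 else "?"
                globals_seen.append(f"{mod}.{name}")
            if op.name in CALL_OPCODES:
                calls.append((op.name, pos))
    except Exception as exc:  # ValueError / EOFError from malformed or buffer-laden streams
        return {"globals": globals_seen, "calls": calls, "suspicious_globals": globals_seen,
                "verdict": "reject", "reason": f"opcode walk failed: {exc}"}

    suspicious = [g for g in globals_seen if g.split(".")[0] not in ALLOWED_MODULE_ROOTS]
    return {"globals": globals_seen, "calls": calls, "suspicious_globals": suspicious,
            "verdict": "reject" if suspicious else "accept",
            "reason": ", ".join(suspicious) or "no disallowed globals"}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global outside the allowlist, so a __reduce__
    that names os.system, subprocess.* or builtins.* never obtains a callable."""

    def find_class(self, module, name):
        if module.split(".")[0] in ALLOWED_MODULE_ROOTS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} during load")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_load(data: bytes):
    """Return (ok, value-or-error) so callers can check without try/except."""
    try:
        return True, restricted_load(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


class SideEffectOnLoad:
    """Constructed sample of the mechanism: __reduce__ returns (callable, args)
    and the unpickler calls it. Here the callable is builtins.print, so the
    only effect of an unrestricted load is one line on stdout."""

    def __reduce__(self):
        return (print, ("callable invoked during load",))


# Constructed samples: a plain data artifact and one carrying a load-time call.
BENIGN_STREAM = pickle.dumps({"version": 1, "intents": ["headache", "fever"]}, protocol=4)
SUSPICIOUS_STREAM = pickle.dumps(SideEffectOnLoad(), protocol=4)

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_STREAM), ("suspicious", SUSPICIOUS_STREAM)):
        report = scan_pickle(stream)
        print(f"{label}: {report['verdict']} ({report['reason']}); "
              f"call opcodes={[c[0] for c in report['calls']]}")
        print("  restricted load:", try_restricted_load(stream))
```

The scan is the detection layer and the restricted unpickler is the enforcement layer; keep both, because opcode-level heuristics can be obscured by a hand-built stream, and an allowlisted module can itself contain callables worth avoiding. For artifacts you control, pinning a hash of the file before `joblib.load` closes the remaining gap.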
## Setup Instructions

### 🔹 Step 1: Clone or Download

```bash
git clone https://huggingface.co/Iredteam/joblib-payload-chatbot
cd joblib-payload-chatbot
```

### 🔹 Step 2: Download the FLAN-T5 Model

```bash
git clone https://huggingface.co/google/flan-t5-small
```

### 🔹 Step 3: Build the Joblib Payload

Run the generator to create the `.joblib` file:

```bash
python generate_data_joblib.py
```

### 🔹 Step 4: Run the Chatbot

```bash
streamlit run healthcare_chatbot.py
```
This will:

- Load your malicious `.joblib` in the background
- Trigger the reverse shell
- Present the Streamlit chatbot UI
## 🛡️ Do Not Use in Production
This project exists to highlight a real-world AI security risk. Do not:
- Deploy this in a production environment
- Use it to gain unauthorized access
- Ignore the dangers of deserializing untrusted input
## 📸 Screenshot
## 💡 Features

- 🧠 Local FLAN-T5 inference for privacy & speed.
- 🛡️ Reverse shell execution via Joblib deserialization.
- Background thread ensures UI responsiveness.
- 🕵️ No payload code in the main script.
## ⚠️ Disclaimer
This is a security demonstration. Do not use for unauthorized access. Always obtain permission before testing.
## 📩 Contact
Open issues or collaborate on the Hugging Face repo:
https://huggingface.co/Iredteam/joblib-payload-chatbot
