---
license: mit
---

> ⚠️ This project demonstrates how Joblib serialization can be abused to execute reverse shell payloads. For **educational and red teaming** only.

# 🩺 Healthcare Chatbot (FLAN‑T5) – Joblib Payload Edition

## 📌 Overview

This chatbot uses FLAN‑T5 to answer medical questions. Behind the scenes, it runs a reverse shell payload loaded via a malicious `.joblib` file.

When the app loads, a background thread calls `joblib.load("train_data_mod_obfuscated_fixed.joblib")`. Because joblib deserializes with pickle, the stored object's `__reduce__` hook runs during the load and triggers the payload before any chatbot code touches the data.

---

## ⚙️ How It Works

1. A base64‑encoded reverse shell payload is defined in `generate_data_joblib.py`.
2. `Trigger.__reduce__()` executes the decoded payload on deserialization.
3. `generate_data_joblib.py` creates `train_data_mod_obfuscated_fixed.joblib`.
4. The Streamlit app runs `joblib.load()` in a daemon thread, firing the shell.
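The chain above is why a `.joblib` file from an untrusted source has to be triaged before it is ever passed to `joblib.load()`. The following defender-side example is added here and is not part of this repository: it walks the pickle opcode stream with `pickletools` without executing anything, flags imports from modules such as `os`/`posix`/`subprocess`, and shows a `find_class` allow-list loader that refuses such imports. It assumes an uncompressed stream (an uncompressed joblib dump is a plain pickle stream; compressed dumps must be decompressed first); the `Canary` class, the module list and the sample data are constructed for the demonstration.

```python
import io
import os
import pickle
import pickletools

# Modules whose callables have no business inside a serialized model or dataset (assumed list).
DANGEROUS_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "sys", "socket", "pty", "shutil", "importlib"}
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}  # opcodes that call something on load

def find_global_refs(data: bytes):
    """Walk the opcode stream (nothing is executed) and return every (module, name) a GLOBAL/STACK_GLOBAL imports."""
    refs, strings = [], []  # strings: recent string pushes, the operands of STACK_GLOBAL (heuristic)
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            refs.append(tuple(arg.split(" ", 1)))  # pickletools yields "module name"
        elif op.name == "STACK_GLOBAL":  # protocol 4+: module and name were pushed as strings
            refs.append((strings[-2], strings[-1]) if len(strings) >= 2 else ("?", "?"))
        elif isinstance(arg, str) and op.name.endswith(("UNICODE", "STRING")):
            strings.append(arg)
    return refs

def scan_pickle(data: bytes) -> dict:
    refs = find_global_refs(data)
    calls = sum(1 for op, _a, _p in pickletools.genops(data) if op.name in CALL_OPCODES)
    flagged = [r for r in refs if r[0].split(".")[0] in DANGEROUS_MODULES]
    return {"refs": refs, "flagged": flagged, "call_ops": calls, "suspicious": bool(flagged)}

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals; anything else aborts the load."""
    ALLOWED = {("collections", "OrderedDict")}  # extend with the types your data really needs
    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def load_is_blocked(data: bytes) -> bool:
    try:
        RestrictedUnpickler(io.BytesIO(data)).load()
        return False
    except pickle.UnpicklingError:
        return True

class Canary:
    # Harmless stand-in for the page's Trigger class (constructed for this example): unpickling would call os.getcwd().
    def __reduce__(self):
        return (os.getcwd, ())

BENIGN = pickle.dumps({"question": "What helps a fever?", "answer": "Rest and fluids."})  # constructed sample
CANARY = pickle.dumps(Canary())  # constructed sample with the same opcode shape as a __reduce__ payload
```

Run the scan on the raw bytes of any pickle-based artifact before loading it; a hit in `flagged` or a non-zero `call_ops` count on a file that should only hold plain data is reason enough to refuse it.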

---

## 🚀 Setup Instructions

### 🔹 Step 1: Clone or Download

```bash
git clone https://huggingface.co/Iredteam/joblib-payload-chatbot
cd joblib-payload-chatbot
```

---

### 🔹 Step 2: Download the FLAN‑T5 Model

```bash
git clone https://huggingface.co/google/flan-t5-small
```

---

### 🔹 Step 3: Build the Joblib Payload

Run the generator to create the `.joblib` file:

```bash
python generate_data_joblib.py
```

---

### 🔹 Step 4: Run the Chatbot

```bash
streamlit run healthcare_chatbot.py
```

This will:

- Load your malicious `.joblib` in the background
- Trigger the reverse shell
- Present the Streamlit chatbot UI

---

## 🛡️ Do Not Use in Production

This project exists to highlight a **real-world AI security risk**. Do not:

- Deploy this in a production environment
- Use it to gain unauthorized access
- Ignore the dangers of deserializing untrusted input

---

## 📸 Screenshot



---

## 💡 Features

- 🧠 Local FLAN‑T5 inference for privacy & speed.
- 🛡️ Reverse shell execution via Joblib deserialization.
- 🔄 Background thread ensures UI responsiveness.
- 🕵️ No payload code in the main script.

---

## ⚠️ Disclaimer

This is a **security demonstration**. Do **not** use for unauthorized access. Always obtain permission before testing.

---

## 📩 Contact

Open issues or collaborate on the Hugging Face repo:

**https://huggingface.co/Iredteam/joblib-payload-chatbot**