# TensorRT Engine File RCE PoC

## Vulnerability

Arbitrary code execution via embedded native shared libraries (DLL/SO) in TensorRT engine files (`.engine`/`.trt`/`.plan`). The embedded library's constructor (`DllMain` / `__attribute__((constructor))`) executes automatically when the engine is deserialized with `engine_host_code_allowed=True`.

## Files

| File | Description |
|---|---|
| `malicious_model.engine` | Crafted TensorRT engine with embedded malicious DLL |
| `malicious_plugin.c` | Source code of the malicious plugin |
| `build_poc.py` | Script to build the malicious engine |
| `load_poc.py` | Script to load the engine and trigger RCE |

## Reproduction

### Prerequisites

- NVIDIA GPU with CUDA drivers
- TensorRT 8.6+ (`pip install tensorrt`)
- C compiler (MSVC on Windows, GCC on Linux)

### Steps

```bash
# 1. Build the malicious engine (or use the pre-built malicious_model.engine)
python build_poc.py

# 2. Load the engine — triggers arbitrary code execution
python load_poc.py evidence/malicious_model.engine

# 3. Verify code execution
# Windows: check C:\temp\tensorrt_rce_poc.txt
# Linux:   check /tmp/tensorrt_rce_poc
```

### Expected Output

```
[!] TensorRT RCE PoC: Arbitrary code executed via embedded plugin!
[!] Proof written to tensorrt_rce_poc.txt
[!] PID:
[!!!] CODE EXECUTION CONFIRMED: C:\temp\tensorrt_rce_poc.txt
```

## Tested Environment

- Windows 10/11, NVIDIA RTX 4080 Super
- CUDA 13.0, TensorRT 10.15.1.29
- Python 3.12
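The loader-side mitigation that follows from the Vulnerability section is to treat engine files as executable input: only deserialize engines whose digest is on an allowlist, keep `engine_host_code_allowed` off for anything else, and flag files that carry a native image. The helper below is an added example, not code from this PoC repository; its function names, the allowlist policy and the sample blob are constructed here, and the PE/ELF scan is a heuristic (a hit means "inspect before enabling host code", not proof of malice).

```python
"""Pre-load checks for TensorRT engine files (added defensive example).

Hypothetical helper, not part of the PoC repo: refuse to deserialize an engine
that is not on an allowlist of known-good SHA-256 digests, and report any PE or
ELF image embedded in the file, which is the carrier this PoC relies on.
"""
import hashlib
import re

ELF_MAGIC = b"\x7fELF"  # header of a Linux shared object


def find_embedded_native_images(data: bytes) -> list:
    """Return sorted (offset, kind) pairs for plausible PE/ELF images in data."""
    hits = [(m.start(), "ELF") for m in re.finditer(re.escape(ELF_MAGIC), data)]
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        # A real PE image stores the offset of its 'PE\0\0' signature at DOS header 0x3C.
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        if data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
            hits.append((off, "PE"))
    return sorted(hits)


def check_engine(data: bytes, allowed_sha256: set) -> dict:
    """Policy: load only allowlisted engines; never turn on engine_host_code_allowed."""
    digest = hashlib.sha256(data).hexdigest()
    images = find_embedded_native_images(data)
    return {"sha256": digest, "embedded_images": images,
            "load": digest in allowed_sha256, "engine_host_code_allowed": False}


def build_sample_engine() -> bytes:
    """Constructed stand-in for an engine carrying a DLL-like and an ELF-like blob."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> 'PE\0\0' right after
    pe = bytes(dos) + b"PE\0\0" + b"\0" * 16
    return b"constructed-engine-blob" + pe + b"tail" + ELF_MAGIC + b"\0" * 8


if __name__ == "__main__":
    blob = build_sample_engine()
    print(check_engine(blob, allowed_sha256=set()))  # untrusted: load=False, two images
```

The returned dict is meant to drive the loader: deserialize only when `load` is true, and pass `engine_host_code_allowed` through unchanged so an untrusted file never gets host code enabled.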