Python vulnerability allows calling system commands from sandboxed scripts

A method has been published for bypassing sandboxed (isolated) code execution systems for the Python language. It is based on a long-known bug that appeared in Python 2.7, was identified in 2012, and is still not fixed in Python 3. The bug allows specially crafted Python code to trigger an access to already freed memory (use-after-free) in CPython. Initially the bug was not considered a security threat: only in very rare, usually artificially constructed cases could it lead to a crash of the script.

A security researcher using the pseudonym kn32 became interested in the problem and managed to prepare a working exploit that makes it possible to run any system command without direct access to methods such as os.system. The exploit is implemented in pure Python and works without importing external libraries and without installing a code.__new__ handler; of the hooks, only builtin.__id__ is used, which is usually not forbidden. In practical terms, the proposed code can be used to bypass isolation mechanisms in various services and environments (for example, training environments, online shells, embedded handlers, etc.) that allow running Python code but restrict the available calls and do not permit access to methods such as os.system.

The proposed code is an analogue of calling os.system that works by exploiting the vulnerability in CPython. The exploit works with all versions of Python 3 on x86-64 systems and demonstrates stable operation on Ubuntu 22.04, even with the PIE, RELRO and CET protections enabled. The technique boils down to obtaining the address of one of the functions in the CPython executable. From this address, the base address of CPython in memory and the address of the system() function in the loaded libc copy are computed. Finally, a direct jump to the resolved address of system is initiated with the string "/bin/sh" substituted as the first argument.