Message234376
> we assume it was generated by Python and not an external, malicious source.
Said differently: you must not trust .py or .pyc downloaded from untrusted sources. Executing an arbitrary .py or .pyc file allows arbitrary Python code to be executed.
Instead of writing complex code to inject machine code in the Python evaluation loop (Python/ceval.c), just execute "import os; os.system('echo pwn!')" which runs an arbitrary shell command. Compile it to .pyc if you want to "exploit" the PYC path.

Date | User | Action | Args
2015-01-20 14:25:53 | vstinner | set | recipients: + vstinner, brett.cannon, eric.smith, tim.golden, zach.ware, eryksun, steve.dower, Paweł.Zduniak
2015-01-20 14:25:53 | vstinner | set | messageid: <1421763953.75.0.465616426069.issue23281@psf.upfronthosting.co.za>
2015-01-20 14:25:53 | vstinner | link | issue23281 messages
2015-01-20 14:25:53 | vstinner | create |
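
Added example, not part of the original message or of CPython: it shows that loading a source-less .pyc runs its top-level statements just as a .py would, and how to list the names the bytecode references without executing it. The module name `sample_mod`, the marker variable `PYC_DEMO_RAN`, the function names and the sample source are all constructed for illustration; the 16-byte header assumes Python 3.7 or later.

```python
import importlib.machinery
import importlib.util
import marshal
import os
import py_compile

# Constructed sample: a harmless top-level statement standing in for
# whatever code an untrusted file could carry.
SAMPLE_SOURCE = "import os\nos.environ['PYC_DEMO_RAN'] = '1'\n"


def build_sample_pyc(directory):
    """Compile SAMPLE_SOURCE to a .pyc, then delete the .py so only bytecode remains."""
    src = os.path.join(directory, "sample_mod.py")
    pyc = os.path.join(directory, "sample_mod.pyc")
    with open(src, "w") as fh:
        fh.write(SAMPLE_SOURCE)
    py_compile.compile(src, cfile=pyc, doraise=True)
    os.remove(src)
    return pyc


def referenced_names(pyc_path):
    """Return the names the bytecode refers to, without executing it.

    marshal is not hardened against malformed input, so inspect an
    untrusted file only inside a sandbox.
    """
    with open(pyc_path, "rb") as fh:
        data = fh.read()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("not a .pyc for this interpreter")
    code = marshal.loads(data[16:])  # skip the 16-byte header (PEP 552)
    names, stack = set(), [code]
    while stack:  # walk nested code objects (functions, classes)
        co = stack.pop()
        names.update(co.co_names)
        stack.extend(c for c in co.co_consts if hasattr(c, "co_names"))
    return sorted(names)


def import_runs_code(pyc_path):
    """Load the .pyc as a module; report whether its top-level code ran."""
    os.environ.pop("PYC_DEMO_RAN", None)
    loader = importlib.machinery.SourcelessFileLoader("sample_mod", pyc_path)
    spec = importlib.util.spec_from_loader("sample_mod", loader)
    module = importlib.util.module_from_spec(spec)
    loader.exec_module(module)  # executes the bytecode, as an import would
    return os.environ.get("PYC_DEMO_RAN") == "1"
```

Static inspection only shows what the bytecode names; it is a triage aid, not a substitute for refusing to load files from untrusted sources.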