1 of 7

Week 8

2 of 7

Python

  • Python allows for dynamic execution, i.e. “eval” functionality
    • (This is common across scripting languages -- bash, js, lua, etc. all have it)
  • Such functionality can be a double-edged sword: if the string passed to eval/exec contains user data, it can be quite easy to get a shell . . .

3 of 7

exec vs eval

  • exec is a statement, while eval is a function (this is Python 2 behavior; in Python 3, exec is also a built-in function):
    • exec my_string # a statement, so no parentheses are needed
    • eval(my_string) # a function call, so it must have parentheses
  • exec can execute entire statements while eval can evaluate only expressions
  • For example:
    • exec "a = 5" # works just fine: variable "a" is set to 5
    • eval("a = 5") # SyntaxError: a = 5 is a statement, not an expression
  • The use-case for eval is that it will return the value of whatever expression you give it:
    • eval(" 'ab' * 5 ") == "ababababab"

4 of 7

exec vs eval

  • Unfortunately, this means that eval can be more difficult to exploit: you have to do everything in one shot
  • Attempts to use e.g. the “import” or “print” statements will fail in an eval because they are statements and cannot be used in an expression

5 of 7

__import__

  • Fortunately, there is a function that you can use to import modules:
    • exec way: import os; os.system("/bin/sh")
    • eval way: __import__("os").system("/bin/sh")

6 of 7

sys.modules

  • Additionally, if the “sys” module is imported, you can access every module that has already been loaded, and many (including “os”!) are imported by default
  • sys.modules is a dictionary of string -> module object
    • sys.modules["os"].system("/bin/sh")

7 of 7

Today’s activity

  • How well can you protect your exec/eval call?
  • In groups, download the code we’ve been looking at (link)
  • Add restrictions to the input, but be sure to keep a working exploit for your current version
  • At the end of each prep round (~5 minutes), post your script in slack
  • Other teams will have a chance to attack your script and try to develop an exploit!
  • Your team receives a point for exploiting another team, but loses one for each exploit of your jail
  • Be sure to google! Python has more language features than I could possibly cover in one day.
  • Rules:
    • No crypto! This is meant to be a jail escape, not a general reversing challenge :)
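
One defensive answer to "How well can you protect your exec/eval call?", added here as an example and not part of the original slides: instead of filtering the input string, parse it with `ast` and evaluate only allowlisted node types, so the `__import__` and `sys.modules` expressions above are rejected without ever running. It is written for Python 3; the names `safe_eval`, `RejectedInput` and the two size limits are assumptions made for this example.

```python
import ast
import operator

# Allowlist: the only operators this evaluator will ever apply.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_INPUT = 200      # assumed limits for this example
MAX_RESULT = 10_000


class RejectedInput(ValueError):
    """The input is not a plain arithmetic/string expression."""


def _evaluate(node):
    # Literals: numbers and strings only (no bool, bytes, None, ...).
    if isinstance(node, ast.Constant) and type(node.value) in (int, float, str):
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_evaluate(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _evaluate(node.left), _evaluate(node.right)
        if isinstance(node.op, ast.Mult):
            # Cap string repetition so "'ab' * 999999999" cannot exhaust memory.
            for s, n in ((left, right), (right, left)):
                if isinstance(s, str) and isinstance(n, int) and len(s) * n > MAX_RESULT:
                    raise RejectedInput("result too large")
        return BIN_OPS[type(node.op)](left, right)
    # Name, Call, Attribute, Subscript, Lambda, ... are never evaluated.
    raise RejectedInput("disallowed syntax: " + type(node).__name__)


def safe_eval(text):
    """Evaluate text as a restricted expression without calling eval()."""
    if len(text) > MAX_INPUT:
        raise RejectedInput("input too long")
    try:
        tree = ast.parse(text.strip(), mode="eval")   # parse only, nothing runs
        return _evaluate(tree.body)
    except (SyntaxError, TypeError, ArithmeticError) as exc:
        raise RejectedInput("invalid expression: %s" % exc) from exc
```

Because names, calls and attribute access are never evaluated, there is no builtin or module object for the input to reach; the trade-off is that only the operations listed in the allowlist are available.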