Hi! Today I am going to publish my old research about CPython bytecode injection.

This talk was accepted by the BSides LV 2019 CFP Committee as a backup talk, but because of my complicated US visa status, I was unable to present my research that way.

What is it about?

In short: if you have compromised some Linux servers and see several CPython processes running, there is a way to inject your payloads into those processes. It can be used for maintaining malware persistence or for getting the impact you need on the running Python application: with the described method you could inject your malware, make the application change the data it processes "on the fly", and so on.

Slides

Demos

Patching existing bytecode

A classic technique: replacing a conditional jump with NOPs

Injecting a simple reverse shell

Injecting an os.system-based reverse shell

Conclusion

This is only a proof of concept that may crash the application, but I believe the lack of requirements makes this technique amazing. All you need to work with an arbitrary CPython process is a single script that can read and write process memory.
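From the defender's side, every patch shown in the demos (NOP-ing a conditional jump, swapping in injected code) changes a live code object's co_code, co_consts or co_names while the source on disk stays untouched, so a process can notice it by comparing its own functions against a fingerprint taken at startup. The following is an added example written for this post; it is not part of the original research or its demo scripts. It walks the functions of a module, hashes the relevant parts of each code object, and later reports any function whose hash differs or that has vanished. The module name sample_app, its two functions and the tampering simulated in demo() are constructed for illustration.

```python
import hashlib
import types

# Constructed sample application module (stands in for the real code you want to watch).
SAMPLE_SOURCE = '''
def is_admin(user):
    if user == "root":
        return True
    return False

def greet(user):
    return "hi " + user
'''


def load_sample_module():
    """Build the constructed sample module in memory, as if it had been imported."""
    mod = types.ModuleType("sample_app")
    exec(SAMPLE_SOURCE, mod.__dict__)
    return mod


def iter_functions(module):
    """Yield (qualified_name, function) for functions and methods defined in module,
    skipping objects merely re-exported from elsewhere."""
    for name, obj in vars(module).items():
        if isinstance(obj, types.FunctionType) and obj.__module__ == module.__name__:
            yield f"{module.__name__}.{name}", obj
        elif isinstance(obj, type) and obj.__module__ == module.__name__:
            for attr, member in vars(obj).items():
                if isinstance(member, types.FunctionType):
                    yield f"{module.__name__}.{name}.{attr}", member


def code_fingerprint(func):
    """SHA-256 over the parts of a code object an in-memory patch would touch:
    the raw bytecode (where a jump becomes NOPs) plus the constant and name
    tables (where a string or a call target gets swapped)."""
    code = func.__code__
    h = hashlib.sha256()
    h.update(code.co_code)
    h.update(repr(code.co_consts).encode())
    h.update(repr(code.co_names).encode())
    return h.hexdigest()


def snapshot(modules):
    """Baseline: qualified name -> fingerprint for every function in the modules."""
    return {qual: code_fingerprint(f) for m in modules for qual, f in iter_functions(m)}


def verify(baseline, modules):
    """Return the names whose fingerprint changed or that vanished since the baseline."""
    current = snapshot(modules)
    return [name for name, fp in baseline.items() if current.get(name) != fp]


def demo():
    """Take a baseline, simulate tampering, and report what the check catches."""
    mod = load_sample_module()
    baseline = snapshot([mod])
    assert verify(baseline, [mod]) == []  # untouched process: nothing to report
    # Simulated tampering (constructed for this test, not how the injector works):
    # is_admin now runs greet's bytecode, so its fingerprint no longer matches.
    mod.is_admin.__code__ = mod.greet.__code__
    return verify(baseline, [mod])


if __name__ == "__main__":
    print("tampered functions:", demo())
```

Run the check on a schedule from a separate thread or signal handler and emit a mismatch as a log event for your monitoring pipeline, because a writer with full access to process memory can patch the checker just as easily as the application; the in-process check is an early-warning signal, not a boundary. The fingerprint also changes legitimately after a hot code reload, so take a fresh baseline on those events to avoid false alarms.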

Good Luck!

The end