jailctf/how2python
how2python

Repository to keep track of python memory corruption bugs that can be used to potentially bypass audit hooks

Bugs

All exploits were tested on 64-bit builds of Python on Windows and Linux, on versions >= 3.13.0. On other versions the exploits might not work, or might need to be implemented differently.

Every file with an implemented exploit creates a bytearray object that can write anywhere in memory, which is enough to consider the process "pwned". As a simple PoC, once the object is created the script prints its type and length, overwrites the value of 250 so that it reads 100, and prints it out to show that everything has worked.

| Link | Introduced In | Patched In | Exploit Implemented |
|---|---|---|---|
| __classdict__ bug | 3.12.0 | N/A | Yes |
| bytearray bug | | 3.13.6 | Yes |
| calliter bug | | N/A | Yes |
| cell bug | | 3.13.1 | Yes |
| decimal.Context Bug | | N/A | Yes |
| divmod bug | | N/A | Yes |
| functools.partial bug | 3.12.3 | N/A | Yes |
| GenericAlias repr bug | 3.12.0 | N/A | Yes |
| GenericAlias subscript bug | 3.11.0 | 3.13.8 | Yes |
| iter bug | | N/A | Yes |
| io.BytesIO bug | 3.12.0 | N/A | Yes |
| itertools.accumulate bug | | N/A | Yes |
| itertools.count bug | | N/A | Yes |
| itertools.groupby bug | | N/A | Yes |
| longrange bug | | N/A | Yes |
| mappingproxy bug | | N/A | Yes |
| memoryview richcompare bug | | N/A | Yes |
| memoryview subscript bug | | N/A | Yes |
| mro bug | 3.10.0 | N/A | Yes |
| namespace bug | | N/A | Yes |
| OSError bug | | N/A | Yes |
| try/except* bug | 3.11.0 | 3.13.2 | Yes |

Notes on 3.14

Most of the bugs in this repository were found while 3.13.0 and 3.13.1 were the most recent Python versions, so most exploits are built to work on those versions.

With 3.14, most unpatched bugs should still work, but a couple of the type confusion bugs will be broken because of the change to the tuple struct.

A new field was added to the tuple struct, which means the complex object is no longer the ideal type for creating fake tuples. Very tragic, but life goes on. Maybe you as the reader can find a way to implement these bugs in 3.14 as a learning exercise!

[Figure: PyTupleObject struct layout in 3.13.0 compared with 3.14.0]
