Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Fetching latest commit...
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


1. Name

anapickle - Toolset for writing shellcode in Python's Pickle language and for manipulating pickles to inject shellcode.

2. Author

Marco Slaviero < marco(at)sensepost(dot)com >

3. License, version & release date

License : GPL
Version : v0.2
Release Date : 2011/08/05

4. Description

Anapickle performs two functions; it accepts, analyses and manipulates a supplied pickle or it can produce Pickle shellcode as a standalone generator using a templated library. As an analyser, it includes a simplified Pickle version 0 simulator that extracts a list of callables used by the pickle stream as well as determines the position and type of all useful entities (strings, unicodes and ints) without subjecting the pickle stream to a potentially dangerous loads() call (since loads() is the vulnerable method, we would be remiss in simply piping any unknown pickle through a local loads() call). As a shellcode generator it takes the name of a shellcode template and inserts user-supplied parameters such as filenames or shell commands.

5. Requirements

Python 2.3

6. Additional Resources

Sour Pickles - Presentation (\_pickles)
Sour Picklel - Shellcoding in Python’s serialisation format (\_US\_11\_Slaviero\_Sour\_Pickles\_WP.pdf)

Something went wrong with that request. Please try again.