This repository contains a proof-of-concept exploit for a deserialization vulnerability in ClearML, allowing for remote command execution. This exploit demonstrates how to upload a malicious pickle artifact to ClearML to gain a reverse shell.
Before you begin, ensure you have met the following requirements:
-
A machine running ClearML.
-
Python 3.8 or higher.
-
The
clearmllibrary installed. You can install it using pip:pip install clearml clearml-init
Follow the onscreen instructions and paste your configuration settings when prompted.
Start your listener with:
nc -lvnp <your_port>It might take a minute or so for the server to process the payload, so be patient.
For more information on the vulnerability, click the following link: