Ethereum Exploit and Recon Tool

Make Dynamic Binaries Static

Bypass Python Sandboxes

Audit Hooks


Bypass Python sandboxes

Bypass character truncation

First, we need to defeat the blacklist. Google tells us that python identifiers use NFKC unicode normalization, meaning that we can use other variations to substitute for ASCII letters, such as fullwidth letters. This function will convert ASCII letters to fullwidth: (

import string
blacklist = string.ascii_letters + '"\\' '
def clean(s):
    return "".join(chr(ord(c) + 0xfee0) if c in blacklist else c for c in s)

Pickle Deserialization RCE