How are anonymous functions represented internally?

I recently came across the explanation for remote code execution in Elixir, using a base64 encoded payload, which is encoded and passed to binary_to_term/2.

I understand the steps taken and the problem with binary_to_term. What I do not understand and what interests me is how anonymous functions are represented internally for this to work. For example, this code snipped somehow works, but I have no clear understanding of why and how: _x, _y -> {:cont, []} end)

It would be highly appreciated if anybody has any good resources or an explanation. Thanks!

1 Like

I’m not exactly sure what you’re looking for with your question about how anonymous functions are represented internally, but the reason your snippet works is simply because the Enumerable protocol is implemented for Function. See elixir/enum.ex at v1.14 · elixir-lang/elixir · GitHub

1 Like

Thank you for that link! I guess that is one part of what I’m looking for.

Now I must understand how works under the hood. I’ll dive into elixir/enum.ex at a64d42f5d3cb6c32752af9d3312897e8cd5bb7ec · elixir-lang/elixir · GitHub to see if I can understand what’s happening.

Nothing is happening internally, the actual exploit relies on the fact that you can use Enum on a function(for some reason, I never knew that) and that will force the function to be evaluated, there you can inject a random amount of code that will be executed by the server.