0

I realised that exploit development with python 3 is not as straight forward as it is using python 2.

As I understand, this is mainly due to the socket library and the added byte datatype.

For example, I could not figure out how to translate the following code into Python 3 code:

--- SNIP ---
shellcode =  ""
shellcode += "\x89\xe2\xd9\xcf\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
--- SNIP ---
offset = "A" * 2606
eip = "\x43\x62\x4b\x5f"
nop = "\x90" * 16 
padding = "C"
buff = offset + eip + nop + shellcode + padding * (424 - 351 - 16)
--- SNIP ---
bytes_sent = sock.send("PASS {}\r\n".format(buff))
--- SNIP ---

I tried the following:

--- SNIP ---
shellcode =  ""
shellcode += "\x89\xe2\xd9\xcf\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
--- SNIP ---
offset = "A" * 2606
eip = "\x43\x62\x4b\x5f"
nop = "\x90" * 16 
padding = "C"
buff = offset + eip + nop + shellcode + padding * (424 - 351 - 16)
--- SNIP ---
bytes_sent = sock.send("PASS {}".format(buff).encode("UTF-8"))
--- SNIP ---

The problem is that \x90 becomes C2 90 in memory, it tooks me hours to figure out that the issue came from my code. I also suspect that this could alter the shellcode as well.

I would like to learn the proper way of doing this in Python

Improve this question
4
  • 1
    That said, note there is a 2to3 tool bundled with python3 which will automatically do most of the work to convert python 2 to python 3 code. Might help here, too. Commented Mar 5, 2017 at 16:59
  • @SteffenUllrich I was not sure where to post that question, I thought that security.stackexchange.com was the right place but you have got a point it is more a programming issue. I am going to close that question and open it in stackoverflow then. Commented Mar 5, 2017 at 17:06
  • I am transferring this question to stackoverflow. Commented Mar 5, 2017 at 17:08
  • 2
    pwntools for the win: from pwn import * Commented Mar 5, 2017 at 17:10

2 Answers 2

Reset to default
4

The Python 2 code essentially builds up a byte string. In Python 3, '...' string literals build up a Unicode string object instead.

In Python 3, you want bytes objects instead, which you can creating by using b'...' byte string literals:

# --- SNIP ---
shellcode =  b""
shellcode += b"\x89\xe2\xd9\xcf\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
# --- SNIP ---
offset = b"A" * 2606
eip = b"\x43\x62\x4b\x5f"
nop = b"\x90" * 16 
padding = b"C"
buff = offset + eip + nop + shellcode + padding * (424 - 351 - 16)
# --- SNIP ---
bytes_sent = sock.send(b"PASS %s\r\n" % buff)
# --- SNIP ---

bytes doesn't have a .format() method, but the % formatting operation is still available.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks for this reply; would you by chance know a way to directly convert a string variable to a byte variable? The .encode() method causes my \x90 nopsled to be sent as C2 90.
@AresS31: In a text string, \xhh escapes produce Latin-1 codepoints (anything in the Unicode U+0000-U+00FF range), not bytes. You'd have to encode using Latin-1, the characters map one-on-one to bytes in that codec. However, you are not producing 'text' here, but binary data. Stick to using bytes.
Was that a server-side exploit? or a local buffer overflow exploit occurring when you ran this python program? just looking for sample buffer overflow code written in python for demonstration purposes.
0

As told by Martijn Pieters♦, a good start to get the same signature in the output of python print like function as in the code injected in a program you have tu start to use b"your shellcode".

Example:

b"AAAA"

or

b"\x90\x90\x90\x90"

Now, to print to the output of another program, you shall not use print(). You shall use sys.stdout.buffer.write(value).

Example:

shellcode = b"\x41\x42\x43\x44"
sys.stdout.buffer.write(shellcode)

Sources:

  1. Live Overflow video on youtube
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.