
Converting shellcode hex bytes to text based inputs in Python for an unknown byte value '\x87'? Not a UTF-8 string?

So I am currently doing a beginner CTF challenge on pwnable.tw, the "start" challenge specifically. After reversing the challenge binary I found out there was a buffer overflow exploit, and one thing I would have to do to get an ideal starting point would be to leak the stack address by pointing it back to a specific address (0x08048087), so I crafted a payload that would then overwrite the return address with the address I was aiming for. However, I'm having trouble converting the byte data into a string format to be fed to the vulnerable program.

Below is my python code:

from pwn import *
shellcode = b'A' * 20                 # padding up to the saved return address
shellcode += pack(0x08048087, 32)     # 32-bit little-endian: b'\x87\x80\x04\x08'
print(shellcode)

I use the pwn library to simplify packing the address, and then I print it and then pipe it into the vulnerable binary as stdin. However, what will happen when I print this, is that rather than printing the string equivalent of the associated hex values of that address, it will instead print this:

b'AAAAAAAAAAAAAAAAAAAA\x87\x80\x04\x08'

Just a string literal version of the hex values themselves. However, this will of course not be interpreted by the program in the way I intend it to be. So I try to decode it into UTF-8 or an ASCII string, or even use str to convert it; no matter which way I choose, I get the following error:

UnicodeDecodeError: 'utf-8' codec can't decode byte 0x87 in position 20: invalid start byte

It would seem it can't decode the 0x87, which makes sense; in this case there does not seem to be an equivalent for it to decode to. But then my question becomes: how can I deliver my shellcode, specifically the hexadecimal address part, to the program in a way that the program will interpret that portion of the overflowed buffer as the address that I intend it to, rather than it being incorrectly mapped since my script gave me a stringified version of the hex values themselves?

So I ended up finding the answer: it was to use sys.stdout.buffer.write(), rather than print or sys.stdout.write(), since sys.stdout.buffer.write() uses a BufferedWriter which simply operates on raw bytes, rather than the other two which operate on text/strings. Thank you to everyone in the comments who helped me!
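The following is an added example, not code from the question or answer above, that reproduces the three output paths side by side using in-memory streams so it runs offline. It uses struct.pack("<I", ...) from the standard library in place of pwntools' pack(addr, 32) (both give the same 4 little-endian bytes), and the 20-byte pad and address 0x08048087 are taken from the question. It also shows the trap that remains if you dodge the UnicodeDecodeError by decoding as latin-1: a UTF-8 text stream re-encodes U+0087 as two bytes, so the address is still corrupted on the way out.

```python
import io
import struct

# Values from the question, used here as constructed test input.
PAD_LEN = 20
TARGET_ADDR = 0x08048087


def build_payload(pad_len: int, addr: int) -> bytes:
    """Standard-library equivalent of pwntools pack(addr, 32): 32-bit little-endian."""
    return b"A" * pad_len + struct.pack("<I", addr)


def write_raw(payload: bytes) -> bytes:
    """Model of sys.stdout.buffer.write(): bytes reach the binary layer untouched."""
    raw = io.BytesIO()
    raw.write(payload)
    return raw.getvalue()


def write_via_print(payload: bytes) -> bytes:
    """Model of print(payload): the text layer receives repr(payload) and encodes that,
    so the program on stdin sees the literal characters b'...\\x87...' (39 bytes here)."""
    raw = io.BytesIO()
    text = io.TextIOWrapper(raw, encoding="utf-8", newline="\n")
    print(payload, file=text, end="")
    text.flush()
    text.detach()  # keep the BytesIO open so we can read it back
    return raw.getvalue()


def write_via_latin1_text(payload: bytes) -> bytes:
    """Decoding as latin-1 avoids the UnicodeDecodeError, but a UTF-8 text stream
    encodes U+0087 as C2 87 and U+0080 as C2 80: 26 bytes out, address mangled."""
    raw = io.BytesIO()
    text = io.TextIOWrapper(raw, encoding="utf-8", newline="\n")
    text.write(payload.decode("latin-1"))
    text.flush()
    text.detach()
    return raw.getvalue()


def utf8_decode_fails(payload: bytes) -> bool:
    """True when the payload is not valid UTF-8 (the error the question hit at byte 0x87)."""
    try:
        payload.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


if __name__ == "__main__":
    p = build_payload(PAD_LEN, TARGET_ADDR)
    print("utf-8 decode fails:", utf8_decode_fails(p))
    print("raw bytes    :", write_raw(p).hex())
    print("via print    :", write_via_print(p))
    print("via latin-1  :", write_via_latin1_text(p).hex())
```

Only write_raw reproduces the 24 bytes the overflow needs; the other two paths change both the length and the contents of the address, which is why the return address was never overwritten with the intended value.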

粤ICP备18138465号  © 2020-2024 STACKOOM.COM