
Payloads in Python3 must be sent differently using pwntools

Open BRNMan opened this issue 4 years ago • 7 comments

In Python2 using pwntools, something like this was OK. (From chapter 2.4)

payload = ""
payload += "0"*40 # Padding to the return address
payload += p64(0x4005b6) # Address in little endian, will be the new saved return address

However, Python3 doesn't accept appending byte arrays to strings and will throw an error. Instead, to accomplish the same thing, you have to pack the whole payload as a byte array instead of just part of it.

Thankfully, you can accomplish basically the same things with the pwntools pack function, which basically puts whatever you want into a byte array.

payload = pack(0, 40*8, 'little', True) # Padding to the return address
payload += p64(0x4005b6) # Address in little endian, will be the new saved return address

This probably deserves to be noted somewhere since you pack a lot of different values throughout the rest of the modules. Maybe under the pwntools page (chapter 1.5)? I'll just leave this issue here in the meantime in case anyone has the same problem.

BRNMan avatar Mar 17 '20 20:03 BRNMan

An alternative that involves fewer modifications (i.e. it only requires adding the b prefix in 2 places):

payload = b""
payload += b"0"*40 # Padding to the return address
payload += p64(0x4005b6) # Address in little endian, will be the new saved return address

jaybosamiya avatar Mar 17 '20 21:03 jaybosamiya

This can be added as a quick note in Chapter 1.5 Pwntools.

SmoothHacker avatar Aug 25 '20 03:08 SmoothHacker

Thank you for this issue. I do realize that the course was done in Python2 and is not 100% compatible with Python3. I have plans to switch it over to Python3. I just pushed a comment noting this in the pwntools section of Intro to Tooling. I plan on leaving this issue open until that transition to Python3 happens. Thank you and have a nice day!

guyinatuxedo avatar Aug 26 '20 10:08 guyinatuxedo

Awesome. Python 2 died 238 days ago so it is good we will embark on this port again. Python 3.9 should be released in 40 days.

cclauss avatar Aug 26 '20 12:08 cclauss

@guyinatuxedo Will you eventually get to this or should we submit a pull request for this issue?

0xDeadcell avatar Feb 19 '21 04:02 0xDeadcell

Pull requests can be helpful.

cclauss avatar Feb 19 '21 07:02 cclauss

Why does this give Segmentation fault (core dumped):
python3 -c 'print(b"\x00"*20 + b"\x80\xa0\x04\x08")' | ./just_do_it

BTW: it works:
python3 -c 'from pwn import *;import sys;sys.stdout.buffer.write(b"\x00"*20 + p32(0x0804a080)+b"\n")' | ./just_do_it

seamaner avatar Oct 09 '23 04:10 seamaner
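The two points raised in this thread (bytes vs str when building a payload in Python3, and why `print(b"...")` does not emit raw bytes while `sys.stdout.buffer.write` does) as an added example; it is not code from the nightmare course or from any commenter, and it uses `struct` instead of importing pwntools so it runs without it (the `p32`/`p64` helpers are constructed here to match pwntools' little-endian packing).

```python
import io
import struct


def p32(value: int) -> bytes:
    """Pack a 32-bit little-endian word (same output as pwntools p32)."""
    return struct.pack("<I", value)


def p64(value: int) -> bytes:
    """Pack a 64-bit little-endian word (same output as pwntools p64)."""
    return struct.pack("<Q", value)


def py2_style_fails() -> bool:
    """Show the Python3 error: str padding + bytes address raises TypeError."""
    try:
        _ = "0" * 40 + p64(0x4005B6)  # str + bytes is not allowed in Python3
        return False
    except TypeError:
        return True


def build_payload(padding: int, ret_addr: int, word: int = 64) -> bytes:
    """Build padding + packed return address entirely as bytes (the b prefix)."""
    pad = b"0" * padding  # bytes literal, so it concatenates with p64/p32 output
    packer = p64 if word == 64 else p32
    return pad + packer(ret_addr)


def print_style_output(payload: bytes) -> bytes:
    """What print(payload) actually sends: the text repr (b'\\x00...'), ASCII-encoded."""
    return (repr(payload) + "\n").encode("ascii")


def write_raw(payload: bytes, out) -> int:
    """Emit raw bytes through a binary stream (sys.stdout.buffer in a real run)."""
    data = payload + b"\n"
    out.write(data)
    return len(data)


if __name__ == "__main__":
    sink = io.BytesIO()  # constructed stand-in for sys.stdout.buffer
    n = write_raw(build_payload(20, 0x0804A080, word=32), sink)
    print(n, sink.getvalue())
```

The last comment's segfault comes from `print()` writing the repr text, so the program under test never receives the intended 24 raw bytes; `write_raw` sends exactly padding + address + newline.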