Need help with manual py exploit (can't concat str to bytes)

Hello! So I rooted my first 14 boxes last week and now I'm going back to do them again without metasploit. I first did lame which took me forever to realize I just needed to change the shebang to python3 and run it with python3. I tried that same thing again on legacy, but I get the error:

File "ms17-010-exploit.py", line 83, in
ntfea10000 = pack('<BBH', 0, 0, 0xffdd) + 'A'*0xffde
TypeError: can't concat str to bytes

I assume I got lucky with Lame and can't simply change the shebang and expect it to work without changing the syntax that was removed/added during the transition to python 3?

When I try running the original (../bin/python) exploit (https://www.exploit-db.com/exploits/4203) I get:

ImportError: No module named impacket

I did 'apt search impacket' and the only relevant option was python3-impacket which was already installed. I was kind of expecting an option for python-impacket...I'm pretty confused about the whole eol thing with python 1 & 2.

Maybe manual exploits are just too advanced for me at this point but it seems like making minor changes to the exploit code is the real trick to exploiting unpatched boxes so I really want to get this. Any help would be greatly appreciated!!

Comments

  • @ZanderMiller said:

    I assume I got lucky with Lame and can't simply change the shebang and expect it to work without changing the syntax that was removed/added during the transition to python 3?

    You did. There is normally a lot more which needs changing. For example print needs to be print() etc.

    There is a script 2to3 which might help but like any automated process, it can miss critical things.

    In your current issue, it is possibly down to how python3 has changed the way it treats strings to bytes. You might need to add some .decode() bits or you might need to do some other things, it depends on the exact nature of the problem.

    Realistically you need to work through the script and fully understand what it is doing, then you can identify the bits that need changing.

    It is very rare to be as simple as changing the first line.

    I did 'apt search impacket' and the only relevant option was python3-impacket which was already installed.

    Your script might be looking for the python2 libraries. It starts to get messy when you combine parts of python2 and python3 in the same script and you need to be clear which you are calling. If you have python2 and python3, you might find python2 is the default so if you run python script.py it ignores the shebang line and tries to run with python 2.

    The shebang line only really matters if you run the script as a standalone executable.

    Rather than rely on apt-get for impacket, check out the git repo: https://github.com/SecureAuthCorp/impacket

    Maybe manual exploits are just too advanced for me at this point but it seems like making minor changes to the exploit code is the real trick to exploiting unpatched boxes so I really want to get this. Any help would be greatly appreciated!!

    Manual exploitation makes a significant difference between people who can click-pwn and people who can work out how to exploit a target.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • Thanks for your response! I tried 2to3 but no luck. However it looks like .encode() is working! The only issue is that my exploit is almost 600 lines long so I don't think manually adding .encode() to each string is the workable solution. (btw I didn't copy the entire link to the exploit I was using it's https://www.exploit-db.com/exploits/42031)

    Instead of changing it from python to python3, why can't I just run the original python script? When I try 'python myscript.py' it says I'm missing impacket, so I followed the quick start instructions on the link you provided and tried 'pip install impacket' but it just said it is already installed in python3 (even though I assumed pip3 is what installs things to python3).

    From what I read it looks like python2 (which is what I understand to be just python) is no longer on debian/kali, and therefore needs to be added manually. I found this link https://www.kali.org/docs/general-use/using-eol-python-versions/ but it says "When we want to swap back to Python 3, we just need to set the global to be system." and I'm too much of a noob to know how to do that.

    Is it true that I am missing python2 or am I just missing impacket in the proper python2 folder?

  • @ZanderMiller said:

    Instead of changing it from python to python3, why can't I just run the original python script?

    You can.

    When I try 'python myscript.py' it says I'm missing impacket, so I followed the quick start instructions on the link you provided and tried 'pip install impacket' but it just said it is already installed in python3 (even though I assumed pip3 is what installs things to python3).

    It is likely that your default pip is python3-pip. It is also likely that your default python is Python3.

    From what I read it looks like python2 (which is what I understand to be just python) is no longer on debian/kali, and therefore needs to be added manually.

    Ok, I refused to upgrade Kali since the 2020 build broke the root login so I don't know what is current.

    I found this link https://www.kali.org/docs/general-use/using-eol-python-versions/ but it says "When we want to swap back to Python 3, we just need to set the global to be system." and I'm too much of a noob to know how to do that.

    The link talks about using python virtual environments, which is a good idea and certainly worth learning about if you want to use python in a complex manner.

    In a nutshell, you set up a virtual environment with pyenv and then install python 2 in to the environment. Then you can run scripts (or use pip to install modules) for python2 without breaking the python3 install in your live environment.

    This might help: https://github.com/pyenv/pyenv

    Is it true that I am missing python2 or am I just missing impacket in the proper python2 folder?

    It's hard to tell. Try python2 --version and see what it says.

    TazWake


  • @ZanderMiller said:

    Is it true that I am missing python2 or am I just missing impacket in the proper python2 folder?

    With a recent upgrade on Kali, many Python2 packages have been removed (including pip2) and only a bare minimum of modules remained. In order to get pip2 back (it was removed from the repositories), download the tar archive from PyPI: https://pypi.org/project/pip/#files
    Extract it, and then run sudo python2 setup.py. Afterwards, you can install Python2 packages (e.g. impacket) with pip2, again.

    Regarding the initial issue (and when you wanted to run the script with Python3):

    File "ms17-010-exploit.py", line 83, in
    ntfea10000 = pack('<BBH', 0, 0, 0xffdd) + 'A'*0xffde
    TypeError: can't concat str to bytes

    In python3, pack returns a byte string, so you would need to change this line (and similar ones) to:

    ntfea10000 = pack('<BBH', 0, 0, 0xffdd) + b'A'*0xffde

    But then, it won't work under Python 2, anymore ;)


    Hack The Box
    GREM | OSCE | GASF | eJPT
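The str/bytes change behind that TypeError, shown in runnable form. This is an added example, not from the thread or from the exploit-db script: in Python 3 `pack()` returns `bytes` while `'A'*n` is `str`, and the two no longer concatenate. The `build_ntfea_buffer`, `to_bytes` and `legacy_concat_fails` names are mine; the format string and field values are the ones quoted in the thread. The `to_bytes` helper goes a little beyond the single line above: it is the pattern for a script that has to keep running under both Python 2 and Python 3.

```python
from struct import pack


def build_ntfea_buffer(count=0xffde):
    """Python 3 form of the line from the traceback: both operands are bytes.
    (b'...' literals are also accepted by Python 2.6 and later.)"""
    return pack('<BBH', 0, 0, 0xffdd) + b'A' * count


def to_bytes(value):
    """Normalise a str-or-bytes value to bytes for code that must run under
    both Python 2 (where str already is bytes) and Python 3.
    latin-1 maps code points 0-255 one-to-one onto byte values, so a string
    that was used as a raw byte buffer in Python 2 round-trips unchanged;
    utf-8 would expand any character above 0x7f into two bytes."""
    if isinstance(value, bytes):
        return value
    return value.encode('latin-1')


def build_ntfea_buffer_portable(count=0xffde):
    """Same buffer, built through to_bytes() so the str literal needs no edit."""
    return pack('<BBH', 0, 0, 0xffdd) + to_bytes('A' * count)


def legacy_concat_fails():
    """Reproduce the error from the thread: bytes + str raises TypeError on Python 3."""
    try:
        pack('<BBH', 0, 0, 0xffdd) + 'A' * 4
    except TypeError:
        return True
    return False


if __name__ == '__main__':
    buf = build_ntfea_buffer()
    print(len(buf), buf[:4], legacy_concat_fails())
```

The header comes out as `b'\x00\x00\xdd\xff'` because `<` selects little-endian, so 0xffdd is stored low byte first. `2to3` leaves this concatenation alone: the operand types are only known at run time, which is why a hand pass over the 600-line script is still needed, and why wrapping every `str` that reaches a buffer in one `to_bytes()` helper is less error-prone than adding `.encode()` line by line.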

  • IT WORKED! I really appreciate the help you two provided. This was my first post on the forum and I have to say it feels great to get help from the community and to get something working after having spent so much time pulling my hair out.

    TazWake, checking the version to see what's installed was a huge help, I kept looking in my usr/bin folder and all the different python folders just made me more confused. I remember coming across the whole version thing before but I totally forgot about it. I kept thinking python2 wasn't there at all but as the -V switch showed and as HomeSun pointed out, it's there, it just doesn't have many modules, like pip.

    My default python version is 2.7.18 and pip was 3 because I didn't have pip2. I tried downloading it from the pypi link HomeSun provided but I had some trouble finding all the right modules to download so I ended up finding this https://linuxize.com/post/how-to-install-pip-on-ubuntu-20.04/ and just used
    curl https://bootstrap.pypa.io/get-pip.py --output get-pip.py
    sudo python2 get-pip.py
    which downloaded pip2 no problem. Then I was able to get impacket and then I stopped getting that str to binary error. However after all that I couldn't get the exploit to work so I used a different one https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py

    Anyway, thanks again!!

  • Nice work on hacking a solution together.

    TazWake

