I primarily program in Python 3 but doing one of the remote exploitation challenges brought up an issue I had not faced before. I noticed while debugging in GDB that my exploit code was overwriting the desired value, but my value was not what I expected it to be and this turns out to be an issue with printing byte arrays in python 3.

When printing bytes in Python 2 you can get away with this code pretty easily.

python2 -c 'print "A"*10 + "\xd3\xd3\xd3\xd3"' | xxd

00000000: 4141 4141 4141 4141 4141 d3d3 d3d3 0a AAAAAAAAAA.....

in Python 3 it is not as straightforward as printing is now a function and we now have byte arrays so the same code does not work out.

python -c 'print("A"*10 + "\xd3\xd3\xd3\xd3")' | xxd*

00000000: 4141 4141 4141 4141 4141 c393 c393 c393 AAAAAAAAAA......

00000010: c393 0a

notice the hex returned is not the same because it is attempting to use UTF-8 encoding and using byte arrays makes this even worse as python 3's print function will always want to include a byte array identifier on the output " b'value' ". Normally when you are trying to get around this problem you would use the .encode and .decode methods but that would be attempting to turn your byte array back into UTF-8 and will either throw an error or you will not get the value you expect unless your byte array translates cleanly into ascii.

python -c 'print(b"A"*10 + b"\xd3\xd3\xd3\xd3")' | xxd

00000000: 6227 4141 4141 4141 4141 4141 5c78 6433 b'AAAAAAAAAA\xd3

00000010: 5c78 6433 5c78 6433 5c78 6433 270a \xd3\xd3\xd3'

so far the only way I was able to work around this in python 3 is by using sys.stdout.buffer.write as follows.

python -c 'import sys; sys.stdout.buffer.write(b"A"*10 + b"\xd3\xd3\xd3\xd3\n")' | xxd

00000000: 4141 4141 4141 4141 4141 d3d3 d3d3 0a AAAAAAAAAA....

this is a little more convoluted compared to the python 2 code and you also have to make sure to include a newline character in your byte array to get the same result.

Dropping this here in case anyone else runs into this problem but I would love to hear if anyone has another solution or input on this issue.