
I'm experimenting with control-flow hijacking attacks on programs written in C on Linux. I'm trying to perform a simple ret-2-libc attack on a program with the No-eXecutable-stack countermeasure enabled. For this purpose I'm returning to the system() function with the argument /bin/sh.

But I have a problem: although my attack works and a shell is spawned successfully, the shell exits immediately after I enter the first character! That is, the shell closes after I press any key!

This behavior is also observable in this simple C code:

#include <stdlib.h>

int main(void)
{
    system("/bin/sh");   /* spawn a shell; it exits as soon as the first key is pressed */
    return 0;
}

I compile it using: gcc code.c -o system

Why is this? And how can I fix it?

I'm experimenting on Ubuntu-9.04 with kernel 2.6.28 and glibc-2.9-1.

Update: The shell becomes interactive if and only if the first key that I press is Enter. That is, if the first character that I enter is a new-line (\n), then the shell remains open and becomes interactive.

So can anyone explain what's going on here?

thor
Seyed Mohammad
  • Given that you can reproduce the problem with standard and legitimate C code shows this isn't related to your exploit attempts, thus this question is better suited for Stack Overflow. –  Feb 17 '15 at 19:48
  • @AndréDaniel True; yet this is not much like a general programming issue and experts in the field of shellcode development can better help. Thus I asked it here. – Seyed Mohammad Feb 17 '15 at 20:19
  • I cannot reproduce it with your code. Is this really the only thing you do there? How do you execute it? – StenSoft Feb 18 '15 at 02:05
  • @StenSoft Yes, that's it. I save that code in a file, compile it with the command I mentioned, and run it with `./system`. – Seyed Mohammad Feb 18 '15 at 08:33

1 Answer

Okay I believe that system is successfully calling /bin/sh but it is calling it with the -c flag.

Try:

/bin/bash -c junk

That should behave similarly to what you are seeing. You need to play around with the registers to set up the system call so that /bin/sh is called without the -c flag.

Mo Beigi
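The answer rests on the claim that system() runs its argument through "/bin/sh -c". The added example below (not code from the question or the answer) lets you check that claim: it runs the same command string through system() and through an explicit fork()+execl("/bin/sh", "sh", "-c", ...) and compares the exit codes. The function names and the sample command strings "exit 7" and "junk" are my own choices.

```c
/* Added example: show that system(cmd) behaves like "/bin/sh -c cmd"
 * by comparing exit codes from libc's system() with a hand-rolled
 * fork()+execl("/bin/sh", "sh", "-c", cmd). Assumes a POSIX /bin/sh. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run cmd through libc's system() and return the shell's exit code,
 * or -1 if the child did not terminate normally. */
int exit_code_via_system(const char *cmd)
{
    int status = system(cmd);
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Do by hand what system() does internally: fork, then exec the shell
 * with "-c" so cmd is parsed as a command line, not as a program path. */
int exit_code_via_sh_c(const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);   /* exec failed; 127 is the code sh uses for "not found" */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* "exit 7" is shell syntax, so it only works if a shell parses it. */
    printf("system(\"exit 7\") -> %d\n", exit_code_via_system("exit 7"));
    printf("sh -c \"exit 7\"   -> %d\n", exit_code_via_sh_c("exit 7"));
    /* "junk" is not a command: the shell reports 127, the same thing
     * the "/bin/bash -c junk" test in the answer above shows. */
    printf("system(\"junk\")   -> %d\n", exit_code_via_system("junk"));
    printf("sh -c \"junk\"     -> %d\n", exit_code_via_sh_c("junk"));
    return 0;
}
```

Both paths report the same codes (7 and 127), which is what you expect if system() is itself a thin wrapper around "sh -c".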