
While learning ROP and the uses of gadgets, I've stumbled upon a case where I have a solid one-gadget that executes execl("sh", "-c", "/bin/sh") but does _exit(0x7f) right afterwards.

When testing this gadget I've found that the shell indeed opens, and closes after a split second when _exit is called.

Gadget found in libc.so.6:

LEA        EAX,[ESI + 0xfffa8b28]=>DAT_0016bb28             ; "-c"
SUB        ESP,0xc
PUSH       0x0
PUSH       dword ptr [ESP + param_2]
PUSH       EAX=>DAT_0016bb28                                ; "-c"
LEA        EAX,[ESI + 0xfffa8b30]=>DAT_0016bb30             ; "sh"
PUSH       EAX=>DAT_0016bb30                                ; "sh"
LEA        EAX,[ESI + 0xfffa8b2b]=>DAT_0016bb2b             ; "/bin/sh"
PUSH       EAX=>DAT_0016bb2b                                ; "/bin/sh"
CALL       execl                                            
ADD        ESP,0x14
PUSH       0x7f
CALL       _Exit

When used in gdb:

process 239607 is executing new program: /bin/dash
sh: 0: -c requires an argument
[Inferior 1 (process 239607) exited with code 02]
(gdb) r
Starting program: /bin/dash
$

When used in a normal execution without a debugger it just stops.

My question is, is this a doomed gadget, or is there a possible way to still use it?

  • The `_Exit` is never called, because control was transferred to `sh` which in turn immediately exited on its own due to being invoked incorrectly. If you invoke `sh` correctly, it should stay open. According to the error message it's running `/bin/sh -c` instead of `/bin/sh -c /bin/sh` – that other guy Sep 23 '21 at 18:54
  • @thatotherguy Hmm. Haven't thought of that. So I just need it to run correctly and I'm good. Thanks! – Lior Levin Sep 23 '21 at 19:06
  • Always remember: `execl` replaces the current process with another one. The only way any code following an `execl` call runs is if the call fails in some way. So if you can inject an `execl` call, it doesn't matter at all what follows the call. – fuz Sep 23 '21 at 19:45

1 Answer


As @thatotherguy mentioned in their comment, apparently the _exit was not called, and the problem was that this gadget had a simple constraint that I couldn't figure out - `param_2` (which I did not have control over) had to be a certain value.

Fixed by finding another gadget. Thanks for educating!

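The behaviour discussed in the comments and the answer (the shell exits on its own when `param_2` yields no command string, and `_Exit(0x7f)` only runs if `execl` fails) can be reproduced in user space. The following is an added example, not code from the original post: it replays the gadget's `execl("/bin/sh", "sh", "-c", param_2, NULL); _Exit(0x7f)` sequence in a forked child so the parent can read back the exit status for each value of `param_2`. The function name `run_gadget`, the shell path `/bin/sh` (assumed to be dash or bash, both of which exit non-zero on a bare `-c`), the command `exit 42` and the nonexistent path used to force an `execl` failure are all assumptions made for the demo.

```c
/* Added example (not from the original post): reproduce the gadget's
 * execl("/bin/sh", "sh", "-c", param_2, NULL); _Exit(0x7f) sequence
 * in a child process and report what the child exited with.
 * Paths and command strings below are assumptions for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run the gadget's sequence in a forked child and return the child's
 * exit status, or -1 if fork/waitpid failed or the child was killed.
 * 'shell' stands for the "/bin/sh" string the gadget loads and 'cmd'
 * for whatever sits at [ESP + param_2]; cmd may be NULL. */
int run_gadget(const char *shell, const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Same argv the gadget builds: {"sh", "-c", cmd, NULL}.
         * If cmd is NULL the list ends right after "-c", so the shell
         * starts with no command to run. */
        execl(shell, "sh", "-c", cmd, (char *)NULL);

        /* Reached only when execl fails (here: a bad path).  The process
         * image was not replaced, so the gadget's _Exit(0x7f) runs. */
        _Exit(0x7f);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* param_2 == NULL: sh starts, complains that -c has no argument and
     * exits by itself (dash: "sh: 0: -c requires an argument", status 2).
     * _Exit(0x7f) never runs because execl succeeded. */
    printf("param_2 = NULL       -> exit %d\n", run_gadget("/bin/sh", NULL));

    /* param_2 -> a command string: sh runs it.  Pointing it at "/bin/sh"
     * gives the interactive shell from the question; "exit 42" keeps the
     * demo non-interactive and makes the status easy to check. */
    printf("param_2 = \"exit 42\"  -> exit %d\n", run_gadget("/bin/sh", "exit 42"));

    /* execl failure: nonexistent shell path, so control falls through to
     * the gadget's _Exit(0x7f) and the child exits with 127. */
    printf("bad shell path       -> exit %d\n", run_gadget("/nonexistent/sh", "true"));
    return 0;
}
```

The first run is the failure mode from the question: the gadget is fine, but the word at `[ESP + param_2]` has to be a pointer to a command string (or at least non-NULL and valid) for `sh -c` to stay alive. The third run is the only way the `_Exit(0x7f)` tail is ever reached, which is the point made in the last comment.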