Shellcode for a simple stack overflow: Exploited program with shell terminates directly after execve(“/bin/sh”)

Question

I played around with buffer overflows on Linux (amd64) and tried exploiting a simple program, but it failed. I disabled the security features (address space layout randomization

Answer 1

I'm having pretty much the same problem right now with Ubuntu 9.10 in a VM. Disabled all the security measurements of the OS, and simple exploits like "exit the program and set exit-code to 42" do work, but when trying to open a shell, the program just terminates. Output of gdb is identical:

(gdb) run < exploit.0xbffff3b8 
Starting program: /home/seminar/ubung/target/client < exploit.0xbffff3b8

Enter password: Sorry. Wrong password.
Executing new program: /bin/bash

Program exited normally.
(gdb)

Thing is, I need it working in approx. 16 hours for a presentation :-D

---

Update: I found this neat study: www.shell-storm.org/papers/files/539.pdf

On page 16 it says: "If we try to execute a shell, it terminates immediately in this configuration"

In other examples that don't use gets(), they do very well spawn a shell. Unfortunately, they don't give a hint on WHY it doesn't work that way. :(

---

Next Update: It seems it has to do with stdin. The shell cannot properly use the one it gets from the original process. I tried using a minimal shell I found the sourcecode for (evilsh). It crashed at the point where it tried to read input. My guess is, that bash/dash checks for this and just silently exits when something is wrong with stdin.

---

Ok please don't kill me for having this conversation with myself here, but...

I found a solution!

For some reason it is necessary to reopen the inputs. I found a working shellcode here:

http://www.milw0rm.com/shellcode/2040

I don't see a prompt tough, but I can run programs etc. using the shell that opens.