I am experimenting with control-flow hijacking attacks on programs written in C on Linux. I am trying to do a simple ret-2-libc attack on a program with the No-eXecutable-stack countermeasure enabled. To do this, I return into the system() function with /bin/sh as the argument.
But I have a problem: although my attack works and the shell is successfully spawned, the shell exits immediately after I enter the first character! That is, the shell closes after I press any key!
This behavior is also observed with this simple C program:

    #include <stdlib.h>

    int main(void)
    {
        /* spawn /bin/sh via the C library; the child inherits this process's stdin/stdout */
        system("/bin/sh");
        return 0;
    }
I will compile it using: gcc code.c -o system
Why is this? And how can I fix this?
I am experimenting on Ubuntu-9.04 with kernel 2.6.28 and glibc-2.9-1
Update: The shell becomes interactive if and only if the first key I press is Enter. That is, if the first character I enter is a newline (\n), then the shell remains open and becomes interactive.
So can anyone explain what is going on here?