linux 下起shell失败的分析

0x00: 起因

之前在CTF中遇到过一种情况,执行了system("/bin/sh"),新进程也起来了,然而shell并没有起来的情况,很尴尬,于是决定好好分析一下为什么!拖延症的我拖了好久…

尴尬的情况

0x01: 先看源码

我觉得最直观的应该是看linux关于system()调用实现的源码,然后写一个demo,直接起shell的那种,单步调试,对比分析,这样应该最直观了。

  • 首先是源码

首先调用system()函数,其实是调用了do_system()函数

1
2
3
4
int system (const char *line)
{
return __libc_system (line);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
int __libc_system (const char *line)
{
if (line == NULL)
/* Check that we have a command processor available. It might
?not be available after a chroot(), for example. */
return do_system ("exit 0") == 0; /* 当line为NULL时,返回值为0,及执行bash –c exit 0*/
if (SINGLE_THREAD_P)
return do_system (line);

/*GCC cleanup exception range can cover the

LIBC_CANCEL_ASYNC() and LIBC_CANCEL_RESET():http://sourceware.org/ml/libc-alpha/2011-08/msg00063.html */

int oldtype = LIBC_CANCEL_ASYNC ();
int result = do_system (line);
LIBC_CANCEL_RESET (oldtype);
return result;
}
weak_alias (__libc_system, system)
/* Execute LINE as a shell command, returning its status. */

这里是do_system()函数的分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
do_system (const char *line)
{
int status, save;
pid_t pid;
struct sigaction sa;
#ifndef _LIBC_REENTRANT
struct sigaction intr, quit;
#endif
sigset_t omask;
sa.sa_handler = SIG_IGN;
sa.sa_flags = 0;
__sigemptyset (&sa.sa_mask);
DO_LOCK (); /* mutex lock*/
if (ADD_REF () == 0)
{
if (__sigaction (SIGINT, &sa, &intr) < 0) /*执行时 SIGINT被忽略*/
{
SUB_REF ();
goto out;
}
if (__sigaction (SIGQUIT, &sa, &quit) < 0) /*执行时 SIGQUIT被忽略*/
{
save = errno;
SUB_REF ();
goto out_restore_sigint;
}
}
DO_UNLOCK ();
/* We reuse the bitmap in the 'sa' structure. */
__sigaddset (&sa.sa_mask, SIGCHLD);
save = errno;
if (__sigprocmask (SIG_BLOCK, &sa.sa_mask, &omask) < 0) /*执行时设置SIG_BLOCK标志位,SIGCHLD被阻塞,执行失败,则恢复之前的信号的bitmap*/
{
#ifndef _LIBC
if (errno == ENOSYS)
__set_errno (save);
else
#endif
{
DO_LOCK ();
if (SUB_REF () == 0)
{
save = errno;
(void) __sigaction (SIGQUIT, &quit, (struct sigaction *) NULL);
out_restore_sigint:
(void) __sigaction (SIGINT, &intr, (struct sigaction *) NULL);
__set_errno (save);
}
out:
DO_UNLOCK ();
return -1;
}
}
#ifdef CLEANUP_HANDLER
CLEANUP_HANDLER;
#endif
/*执行成功,调用fork,生成子进程执行command命令*/
#ifdef FORK
pid = FORK (); /*调用SYS_CALL生成子进程*/
#else
pid = __fork ();
#endif
if (pid == (pid_t) 0) //
{
/* Child side. */
const char *new_argv[4];
//参数就是:bash -c 你的命令
new_argv[0] = SHELL_NAME;
new_argv[1] = "-c";
new_argv[2] = line;
new_argv[3] = NULL;
/* Restore the signals. */
(void) __sigaction (SIGINT, &intr, (struct sigaction *) NULL);
(void) __sigaction (SIGQUIT, &quit, (struct sigaction *) NULL);
(void) __sigprocmask (SIG_SETMASK, &omask, (sigset_t *) NULL);
INIT_LOCK ();

/* Exec the shell. */
(void) __execve (SHELL_PATH, (char *const *) new_argv, __environ);
_exit (127); /*exec执行失败则返回127*/
}
else if (pid < (pid_t) 0)
/* The fork failed. */
status = -1;
else /*父进程,waitpid*/
/* Parent side. */
{
/* Note the system() is a cancellation point. But since we call
waitpid() which itself is a cancellation point we do not
have to do anything here. */
if (TEMP_FAILURE_RETRY (__waitpid (pid, &status, 0)) != pid)
status = -1; /*waitpid 失败返回1*/
}
#ifdef CLEANUP_HANDLER
CLEANUP_RESET;
#endif
save = errno;
DO_LOCK ();
if ((SUB_REF () == 0
&& (__sigaction (SIGINT, &intr, (struct sigaction *) NULL)
| __sigaction (SIGQUIT, &quit, (struct sigaction *) NULL)) != 0)
|| __sigprocmask (SIG_SETMASK, &omask, (sigset_t *) NULL) != 0)
{
#ifndef _LIBC
/* glibc cannot be used on systems without waitpid. */
if (errno == ENOSYS)
__set_errno (save);
else
#endif
status = -1;
}
DO_UNLOCK ();
return status;
}

关于system函数的返回值:

  1. 当参数为空时,调用do_system (“exit 0”),返回值为NULL
  2. 调用result = do_system (line)

0x02 : 问题分析

1. 先调试自己的一个demo
1
2
3
4
5
6
7
8
#include <stdio.h>

int main(int argc, char const *argv[]){

4write(1,"test\n",5);
4system("/bin/sh");
4return 0;
}

执行到这里的时候
(void) __execve (SHELL_PATH, (char *const *) new_argv, __environ);
gdb里如下所示
gdb

参数是这样的,单步之后,shell就起来了。
gdb

2. 之前有问题的exp

因用的是之前百度杯的pwnme。地址在这里

  • ret到system()的时候gdb里调试
    gdb

  • si单步分析
    和之前的test执行execve()的时候,参数对比,发现第第二个参数(rsi)有问题。
    首先是这个有问题的exp
    gdb
    然后是我自己的demo
    gdb

可以看到因为之前的某个操作,把/bin/sh给清了,这就导致执行了 sh -c null,也就是起了新进程,但是没shell~

0x03 : 解决

调整payload,把/bin/sh放在ret之后,调整下offset就好了。

1
payload = "\x90\x90\x90\x90/bin/sh"

0x04 : 参考