17

I'm writing shellcode to exploit a buffer overflow vulnerability on a server. To do so I have port-binding shellcode that I send to the server, and then I run (from a Linux terminal) the command telnet serverAdress 4444, where 4444 is the port which I have opened up. The hope is that I will receive a shell back that I can use to execute commands. However, I always end up with the command

bin/sh: can't access tty; job control turned off

I can't change any of the server code, and I believe the shellcode is correct because I got it from this website (http://www.tsirogiannis.com/exploits-vulnerabilities-videos-papers-shellcode/linuxx86-port-binding-shellcode-xor-encoded-152-bytes/). From my research, it appears that this may have to do with the mode that my terminal is running in (something called interactive mode...or something like that).

All computers involved are Linux machines, and the machine that I am on is running the latest version of Ubuntu.

Any ideas what this job control error means and how I can fix it?

Nosrettap

6 Answers

8

Just remove /dev/console

cd /dev
rm -f console
ln -s ttyS0 console

Edit/change the /etc/inittab content

::askfirst:/bin/sh

to:

ttyS0::askfirst:/bin/sh
slhck
4

This means that advanced commands such as Ctrl+Z and Ctrl+C are not available, because sh is not writing to a tty, but to a socket. For this reason, sh will not support background processes (command &) and the associated bg/fg/disown/jobs commands. But note that processes forking themselves and closing their inputs will still work.

You might have noticed that if a background job tries to read data from the terminal, the shell stops it (as in, SIGSTOP) and informs you that it has paused the process. If the shell does not do so, you have a race condition and what you write may end up in the background process or in the shell. This makes for an interesting and infuriating mess in your shell session.

Either use a more elaborate shellcode that creates a virtual terminal (but that's not a shellcode anymore once that happens), or just be aware that your ugly hack has limitations.

BatchyX
2

If you can change the command of the shell, try: sh +m instead of sh. That worked perfectly for me.

Hack5
0

I had the same issue in Debian Mate. I just ran an fsck from a live USB on dev/sda1, where the / directory was installed.

Hope I helped someone

Avatar
0

See also systemd-nspawn and sh: can't access tty; job control turned off #1431

Same issue as #8577 and #8704:

opening /dev/tty returns ENXIO;
calling setsid -c -w /bin/sh works around these 3 issues.

nspawn calls setsid(),
but not ioctl(STDIN_FILENO, TIOCSCTTY, 1) as setsid -c does.

However, regarding POSIX, opening /dev/tty should not fail. The right solution is probably what @poettering suggests in #8577: allocate /dev/console as a pty instead of mounting it from the outside.

When I do less /dev/tty in a broken terminal (job control is off),
I get less: can't open '/dev/tty': No such device or address

When I do less /dev/tty in a working terminal (job control is on),
less can open and read the file.

less /dev/console throws Permission denied in both terminals,
broken and working.

Note that setsid is available only on Unix; see also Python's os.setsid.

See also QEMU: /bin/sh: can't access tty; job control turned off

Apart from the accepted answer, as a workaround BusyBox's cttyhack can be used:

setsid cttyhack sh
exec /bin/sh
milahu
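To make the mechanism behind BatchyX's explanation and milahu's /dev/tty observation concrete, here is an added example (not code from any of the answers above, and not part of the original thread). It reproduces the two tests a shell performs before enabling job control (is the descriptor a terminal, and does tcgetpgrp() succeed on it), reports what opening /dev/tty returns, and, from the defender's side, scans a Linux /proc tree for shell processes whose stdin, stdout and stderr are all sockets, which is exactly the state a port-binding shell leaves sh in and which no interactive login produces. The /proc layout and the process-name list are assumptions of this example.

```python
"""Added example: why sh reports 'job control turned off' when its stdio is a
socket, and how a defender can spot such shells on a host.
Assumes the Linux /proc layout for the process scan; the fd checks are POSIX."""
import errno
import os
import stat


def describe_fd(fd):
    """Classify one open descriptor: 'tty', 'socket', 'pipe', 'file' or 'other'.

    A bind or reverse shell's stdin is the network socket, so sh sees
    'socket' here instead of a terminal and silently disables job control."""
    if os.isatty(fd):
        return "tty"
    mode = os.fstat(fd).st_mode
    if stat.S_ISSOCK(mode):
        return "socket"
    if stat.S_ISFIFO(mode):
        return "pipe"
    if stat.S_ISREG(mode):
        return "file"
    return "other"


def job_control_possible(fd):
    """Mirror the shell's own test: fd must be a terminal and tcgetpgrp() must
    succeed, i.e. that terminal must be the controlling tty of our session."""
    if not os.isatty(fd):
        return False
    try:
        os.tcgetpgrp(fd)
    except OSError:
        return False
    return True


def controlling_tty_error():
    """Return None if /dev/tty can be opened, else the errno name.
    ENXIO is the 'No such device or address' case quoted in the answer above."""
    try:
        fd = os.open("/dev/tty", os.O_RDWR)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    os.close(fd)
    return None


def classify_link(target):
    """Classify the symlink target of /proc/<pid>/fd/<n> (Linux naming)."""
    if target.startswith("socket:"):
        return "socket"
    if target.startswith("pipe:"):
        return "pipe"
    if target.startswith("/dev/pts/") or target.startswith("/dev/tty"):
        return "tty"
    if target.startswith("/dev/"):
        return "other"  # e.g. /dev/null
    return "file"


# Assumed list of shell process names worth flagging; extend for your fleet.
SHELLS = {"sh", "bash", "dash", "ash", "zsh", "busybox"}


def socket_backed_shells(proc_root="/proc"):
    """Return [(pid, comm)] for shell processes whose stdin, stdout and stderr
    all point at sockets: the footprint of a bind/reverse shell."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/comm") as f:
                comm = f.read().strip()
            kinds = {classify_link(os.readlink(f"{proc_root}/{entry}/fd/{n}"))
                     for n in (0, 1, 2)}
        except OSError:
            continue  # process exited, or not ours to inspect
        if comm in SHELLS and kinds == {"socket"}:
            hits.append((int(entry), comm))
    return hits


if __name__ == "__main__":
    for fd in (0, 1, 2):
        print(fd, describe_fd(fd), "job control:", job_control_possible(fd))
    print("/dev/tty:", controlling_tty_error() or "ok")
    if os.path.isdir("/proc"):
        print("socket-backed shells:", socket_backed_shells())
```

Run it inside a normal terminal and all three descriptors report tty with job control possible; run it under something like nohup or a pipe and you get the same picture sh sees when it prints the warning. The /proc scan is a cheap periodic check for endpoint monitoring: an sh whose three standard streams are all sockets has no legitimate interactive explanation.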
-5

Guys, I had the same problem, but hopefully I fixed it.

Here is how to fix this problem: reinstall the Kali Linux system; when it comes to disk partitioning you must delete all other disks, leaving only one disk, then hit continue and write all files to one disk. Hope I helped.