I have a kernel module (which is actually a char device) that has this function, which tries to execute "/bin/ls" via execve.
CASE A:
I have a process (in userspace) that opens the char device and writes to it. In the write function, I call funct() and it basically executes "/bin/ls", and it outputs the files and folders from the current folder.
CASE B:
If I try to call funct by performing a buffer overflow attack in the kernel (the process will feed a payload to the device), by overwriting a return address on the stack with funct()'s address, there is no "/bin/ls" output, although funct() gets called - "Here: funct" gets printed.
Why is that happening? Is it because the kernel crashes and some post-sys_execve routines are not able to give the control back to the process or to actually print the result of "/bin/ls"? (sys_execve returns with 0 in both cases). What can I do in order to get the respective output to show before the crash/panic takes place?
P.S. The same thing as in CASE B happens if I try to inject a shellcode that puts the right arguments in rdi, rsi and calls sys_execve.
P.P.S. It's for academic purposes.
Code:
static void funct(void)
{
    struct execve_args args;

    /* All three pointers refer to userspace memory of the calling process
     * (the path string, the argv array and the envp array). */
    args.fname = (char *)0x8008090;   /* userspace address of "/bin/ls" */
    args.argv  = (char **)0x8008220;  /* userspace address of argv */
    args.envv  = (char **)0x8008210;  /* userspace address of envp */

    uprintf("Here: funct\n");

    /* Invoke the execve system call handler on behalf of the current thread. */
    int ret = sys_execve(curthread, &args);
    uprintf("Returned with %d\n", ret);
}