Sorry, I may be mistaken, but using different function calls (exec(), execv(), execl() and family) won't circumvent the drop-root priveledges problem.

The only way to stop the program from dropping root priv's is to use a portion of the shellcode to insert assembly instructions which will forcfully pick up those privledges again.

Using exec() used in conjunction with a command-shell-script is the simplest of overflow methods, but it is not used to stop the program from dropping priv's, and similarly using execv() just creates an array which represents a linux environment and attaches this to the program, wherein the shell will be stashed, this is used when the buffer to overflow is to small (Erickson: the AOE).

Personally:

I loved the Art of exploitation, it is a brilliant book for hackers, but Cryptic_prime, dude, you said Well as I said I loved that book, but it is by no means the best on shellcoding, I mean there are tons of others and the AOE is an excellent contribution to hacking. OK, to substantiate what I'm saying you should check this book out: "Buffer Overflow Attacks - Detect, Exploit and Prevent" (Publisher: Syngress; Author: James C. Foster) now that's a book and a half on overflows.

Dude, PM me if you wanna talk about aquiring a copy!!!

I've read a summary about the book on ThinkGeek, but I have yet to pick it up. I might actually order it tomorrow at work and see what it's like. (I work at Barnes and Noble).

Great choice in OS also man. I'm currently running SuSE 9.3 Pro as well. It's just so flexible!

Problem Solved - good info for all to know.

OK, I think I have solved the great mystery.

If you pull out your copy of "Hacking: The Art of Exploitation" (what? everyone doesn't have a copy?!), and turn to page 129-135, you will find the solution.

Apparently, the /bin/sh call drops privilages (according to Erickson).
So you have to use one of the execv() calls.

I was using execl(), but not in the right way...I was using excel() which later called
/bin/sh which then dropped the privelages.

The best book ever on shellcoding is "art of exploitation."
Amazing amount of info.

Anyway thanks for the help Voltage Spike.

That's odd...everything I've read said to set this bit to be able to exploit it...

hmmm....just as an experiment to test this, I exploited a test program with and without this sticky bit. I made a version with and without setuid(0) inside the program just to make sure...got some interesting results:

Results (ran as attacker):

With sticky bit: no root shell.
Without sticky bit: no root shell.
With sticky bit and with setuid(0): root shell (yeah!)
Without sticky bit and with setuid(0): no root shell.

My head asplode....

The "s" portion of your chmod command is the SUID bit, and you set the owner to root. As I said, this will not work as your system is protecting root from making a bad mistake.

I have a seperate user called 'attacker' that I run everything as.
I am even logged into X as this user and 'su' to root to set permissions, etc. (just to be SURE I am 'attacker')

Speaking of permissions...this is what I am using for the vulnerable executable:

chmod 0755 vuln
chmod ug+s vuln
chown root.users vuln

So, the exploiting program is run as 'attacker', it runs the vulnerable program from within itself using the execl().

Thx.

I'm not sure how helpful this will be, but are you running the shell code as root or merely SUID? I ask because I have run into problems in the past that stemmed from my Linux machine refusing to honor the SUID bit for shell scripts when the user was root.