Re: two things

Andi Kleen (ak@muc.de)
19 Dec 1997 06:25:59 +0100


linux kernel account <linker@nightshade.z.ml.org> writes:

> On Thu, 18 Dec 1997, C. Scott Ananian wrote:
>
> > On Thu, 18 Dec 1997 Jon Lewis <jlewis@inorganic5.fdt.net> wrote:
> > My understanding is that the current nonexec-stack patch works so well
> > because it cleverly disables itself when it detects code that will break.
> > Although this does make it compatible, it doesn't make it secure.
> > Solutions to these problems have been rumoured for Linux 2.3.X.
>
> I want to point out that I have offered cash for someone to find an
> exploit that still works with no-exec stack... Yes, it's still possible
> BUT very difficult. The hack must either look like a trampoline or be in
> an app where a tram is occurring..

Writing that exploit is pretty easy. You just have to guess the
address of a

exec("/bin/sh");

code fragment in libc (e.g. in system()) or in the program itself. Then put
this address on the stack and wait for the program to jump to it.
If you know the distribution or the libc version that's very easy to do.
The virtual memory address at which libc will be loaded is easy to guess
too.

-Andi
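The post's last claim, that the address at which libc is loaded is easy to guess, is something a defender can check on a Linux box rather than take on faith. The program below is an added example, not code from the thread: it parses the /proc/self/maps format (assumed here as "start-end perms offset dev inode pathname") and reports the lowest start address of a mapping whose file name is the C library. The sample maps text inside it is constructed, not captured from a real system.

```c
#include <stdio.h>
#include <string.h>

/* Parse one /proc/self/maps line (Linux format assumed) and return 1 if the
 * mapping's pathname is the C library (libc.so.* or libc-*.so), storing the
 * mapping's start address in *start. Other libraries (libcrypto, libcap...)
 * and anonymous mappings return 0. */
static int libc_mapping_start(const char *line, unsigned long long *start)
{
    unsigned long long lo, hi;
    char perms[8];
    char path[512];
    const char *base;
    int n;

    path[0] = '\0';
    /* offset, dev and inode are skipped with %*s; pathname may be absent */
    n = sscanf(line, "%llx-%llx %7s %*s %*s %*s %511s", &lo, &hi, perms, path);
    if (n < 3)
        return 0;
    base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (strncmp(base, "libc.so", 7) != 0 && strncmp(base, "libc-", 5) != 0)
        return 0;
    *start = lo;
    return 1;
}

/* Scan a whole maps dump and return the lowest libc mapping start, which is
 * the library's load base, or 0 if no libc mapping is present. */
unsigned long long find_libc_base(const char *maps_text)
{
    unsigned long long best = 0, s;
    const char *p = maps_text;
    char line[1024];

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (libc_mapping_start(line, &s) && (best == 0 || s < best))
            best = s;
        if (!nl)
            break;
        p = nl + 1;
    }
    return best;
}

/* Constructed sample maps dump (not from a real process). */
const char *SAMPLE_MAPS =
    "00400000-00401000 r-xp 00000000 fd:01 131 /tmp/demo\n"
    "7f1c2a000000-7f1c2a022000 r--p 00000000 fd:01 9001 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1c2a022000-7f1c2a197000 r-xp 00022000 fd:01 9001 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1c2a3f0000-7f1c2a3f2000 r-xp 00000000 fd:01 9002 /usr/lib/x86_64-linux-gnu/libcrypto.so.3\n"
    "7ffd5c100000-7ffd5c121000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    static char buf[65536];
    size_t n;
    FILE *f;

    printf("sample dump: libc base 0x%llx\n", find_libc_base(SAMPLE_MAPS));

    /* Now the real thing: this process's own mappings, if /proc is available. */
    f = fopen("/proc/self/maps", "r");
    if (!f) {
        puts("no /proc/self/maps on this system");
        return 0;
    }
    n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    printf("this process: libc base 0x%llx\n", find_libc_base(buf));
    return 0;
}
```

Run the binary several times. A libc base that is identical on every run is exactly the guessable address the post relies on; a base that changes between runs means the loader is randomizing library placement and a fixed address can no longer be assumed.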