>> I want to point out that I have offered cash for someone to
>> find an exploit that still works with no-exec stack...
Since nobody collected, the patch is quite good.
>> Yes, it's still possible BUT very difficult. The hack must either
>> look like a trampoline or be in an app where a tram is occurring..
>
> Writing that exploit is pretty easy. You just have to guess the
> address of a
>
> exec("/bin/sh");
>
> code fragment in libc (e.g. in system()) or in the program itself.
> Then put this address on the stack and wait for the program to
> jump to it.
You'd think so, but some versions of the patch have a solution.
There are actually 2 solutions:
1. Randomize the stack and/or library location.
(and of course failed exploits get logged)
2. Map the library with a '\0' in the address.
It is impossible to get such an address past strcpy().
Anyway, this is an imperfect world. The patch is good.
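An added illustration of the second solution, written for this reply and not taken from the thread or from any stack patch: it checks whether every byte of a candidate return address survives being copied by strcpy(). The function name, the little-endian 32-bit byte layout (as on x86) and the sample addresses are assumptions of the example, not values from the discussion.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: lay a 32-bit address out in memory as a
 * little-endian x86 would store it, copy it with strcpy(), and report
 * whether all four bytes arrived intact.  strcpy() stops at the first
 * '\0', so a zero byte inside the address truncates the copy. */
int address_survives_strcpy(uint32_t addr)
{
    unsigned char src[5];   /* four address bytes plus a terminator */
    unsigned char dst[5];

    src[0] = (unsigned char)(addr & 0xff);          /* lowest byte first */
    src[1] = (unsigned char)((addr >> 8) & 0xff);
    src[2] = (unsigned char)((addr >> 16) & 0xff);
    src[3] = (unsigned char)((addr >> 24) & 0xff);
    src[4] = 0;

    memset(dst, 0xAA, sizeof dst);  /* poison so truncation is visible */
    strcpy((char *)dst, (const char *)src);

    /* 1 if the copied bytes equal the original address, 0 if truncated */
    return memcmp(dst, src, 4) == 0;
}

/* Hypothetical helper: does the address contain a zero byte at all?
 * This is the property the patch relies on when choosing a mapping. */
int address_has_nul_byte(uint32_t addr)
{
    for (int shift = 0; shift < 32; shift += 8)
        if (((addr >> shift) & 0xff) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample addresses, not real mappings from any system. */
    const uint32_t samples[] = { 0x08048abc, 0x40001234, 0x40123400 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("0x%08x: nul byte=%d  survives strcpy=%d\n",
               samples[i],
               address_has_nul_byte(samples[i]),
               address_survives_strcpy(samples[i]));
    }
    return 0;
}
```

Run as is, the program shows that the address without a zero byte is copied whole, while the two that contain one are cut short, which is what makes a '\0' in the library mapping a useful property against a strcpy()-based overflow.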