On Wed, Nov 06, 2002 at 10:14:34AM +0800, John Summerfield was heard to remark:
> On Wed, 6 Nov 2002 04:39, you wrote:
> > x86 alas doesn't support page level "no execute". Other platforms do and
> > can run with nonexec stacks. People still exploit them. The libraries
> > are mostly mapped read only on Linux, people don't need to modify them.
> > You put arguments on the stack, and corrupt the return code to call the
> > right C library function.
>
> In IA32, you cannot execute stack-segment code.
>
> Because of the way Linux (and other OSes) are designed, with a single address
> space per process, the stack segment and code segment are the same storage,
> and that's how you get to put executable code on the stack and have it
> execute.
I don't know ia32. You don't need to put code into the stack. You only need to modify the return address, and have a subroutine return to a different location. To modify the return address, you only need write access to the stack; you don't need execute permissions.

--linas

--
pub 1024D/01045933 2001-02-01 Linas Vepstas (Labas!) <[EMAIL PROTECTED]>
PGP Key fingerprint = 8305 2521 6000 0B5E 8984 3F54 64A9 9A82 0104 5933