Execute non-executable binary file.
Inspect Python version.
$ python3 --version
Python 3.10.6
Inspect mounted filesystem that does not permit direct execution of any binaries.
$ mount
/dev/sdb1 on /opt/files type ext4 (rw,nosuid,nodev,noexec,relatime,errors=remount-ro)
Try to execute binary file.
$ /opt/files/bin/ls
bash: /opt/files/ls: Permission denied
Create a simple Python script that uses os.memfd_create function which is available since Python 3.8 to create an anonymous file and os.execv to execute it. See miscellaneous operating system interfaces.
#!/usr/bin/env python3
"""
Execute non-executable binary file
https://sleeplessbeastie.eu/2022/10/19/how-to-execute-non-executable-binary/
"""
import os, sys
sys.tracebacklimit =
if len(sys.argv) >= 2:
command_file = str(sys.argv[1])
command_params = sys.argv[2:]
if os.path.exists(command_file):
command_executable = os.access(command_file, os.X_OK)
print()
print(f';Command: {command_file}';)
print(f';Params: {command_params}';)
print(f';Executable: {command_executable}';)
print()
memfd_obj = os.memfd_create(';';)
file_obj = os.open(command_file, os.O_RDONLY)
with os.fdopen(memfd_obj, ';wb';) as fd:
fd.write(os.read(file_obj, os.path.getsize(file_obj)))
print(';Output:';)
a =os.execv(f"/proc/self/fd/{memfd_obj}", [command_file, *command_params],)
else:
raise RuntimeError("Error: Command file does not exist")
else:
print("Usage:")
print(f'; {__file__} command_file command_params';)
Execute non-executable binary.
$ python3 execute.py /opt/files/ls --version
Command: /opt/files/ls Params: ['--version'] Executable: False Output: ls (GNU coreutils) 8.32 Copyright (C) 2020 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
Awesome! There are some limitations, but I will leave it to you to discover.
