Execute non-executable binary file.
Inspect Python version.
$ python3 --version
Python 3.10.6
Inspect mounted filesystem that does not permit direct execution of any binaries.
$ mount
/dev/sdb1 on /opt/files type ext4 (rw,nosuid,nodev,noexec,relatime,errors=remount-ro)
Try to execute binary file.
$ /opt/files/bin/ls
bash: /opt/files/ls: Permission denied
Create a simple Python script that uses os.memfd_create
function which is available since Python 3.8 to create an anonymous file and os.execv
to execute it. See miscellaneous operating system interfaces.
#!/usr/bin/env python3 """ Execute non-executable binary file https://sleeplessbeastie.eu/2022/10/19/how-to-execute-non-executable-binary/ """ import os, sys sys.tracebacklimit = if len(sys.argv) >= 2: command_file = str(sys.argv[1]) command_params = sys.argv[2:] if os.path.exists(command_file): command_executable = os.access(command_file, os.X_OK) print() print(f';Command: {command_file}';) print(f';Params: {command_params}';) print(f';Executable: {command_executable}';) print() memfd_obj = os.memfd_create(';';) file_obj = os.open(command_file, os.O_RDONLY) with os.fdopen(memfd_obj, ';wb';) as fd: fd.write(os.read(file_obj, os.path.getsize(file_obj))) print(';Output:';) a =os.execv(f"/proc/self/fd/{memfd_obj}", [command_file, *command_params],) else: raise RuntimeError("Error: Command file does not exist") else: print("Usage:") print(f'; {__file__} command_file command_params';)
Execute non-executable binary.
$ python3 execute.py /opt/files/ls --version
Command: /opt/files/ls Params: ['--version'] Executable: False Output: ls (GNU coreutils) 8.32 Copyright (C) 2020 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
Awesome! There are some limitations, but I will leave it to you to discover.