Originally Posted by Hookups

The posted binary is not the exact same as md5sums do not match. However, the file size is spot on. Also the same characteristics. Namely, the binary looks to be broken, but still loadable by the linux kernel:

---
[badfile@host badfiles]$ readelf -a ./mount
ELF Header:
Magic: 7f 45 4c 46 00 00 00 00 00 00 00 00 00 00 00 00
Class: none
Data: none
Version: 0
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x1df26054
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 1
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0

There are no sections in this file.

There are no section groups in this file.

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x1df26000 0x1df26000 0x8453f 0x13e000 RWE 0x1000

There is no dynamic section in this file.

There are no relocations in this file.

There are no unwind sections in this file.

No version information found in this file.
[badfile@host badfiles]$ objdump -d ./mount
objdump: ./mount: File format not recognized
[badfile@host badfiles]$ file ./mount
mount: ELF invalid class invalid byte order (SYSV)
---

strace as unprivileged user show one system call to 'sysinfo()' with the argument of '0'. It returns an error:

---
[badfile@host evil_mount]$ strace ./mount
execve("./mount", ["./mount"], [/* 22 vars */]) = 0
sysinfo(0) = -1 EFAULT (Bad address)
---

Going to look further into the binary from an analysis workstation I have setup and see if I can get any more information.

Cheers,
Hookups