Now, about getting around non-executable stack in an exploit: yes, this is
possible, and the return-into-libc method is probably the best.....
As for remote exploits, it is possible to do the same way, if the attacker
knows the exact version of libc (even the version of the compiler that libc
was compiled with is important).
Considering that most users don't compile their own libc, but use one of
a few standard distributions (or recompiled libc from HJ), this
requirement is not hard. This will especially be true of random
companies who have chosen to use Linux as their Firewall, Web Server, or
whatever.
- Ted