Re: Stack pivot, W^X break

[fro]

Thanks Steve,
 
Here's what I get (I'm using the first versionof the POC compiled from the same 
link as you) and I've included output from the stack pivot bypass as well (this 
one pops a shell).
 
humpty$ sysctl kern.version
kern.version=OpenBSD 7.8-current (GENERIC.MP) #108: Wed Jan 14 05:22:24 MST 2026
    dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
humpty$ ./wx-break
[*] Mapped Content: malicious code
[!] RX memory updated thru a backing file write.
humpty$ ./stackpivot-jumpback-bypass
[*] Allocated heap stack at 0x19fa178000 - 0x19fa278000
[*] Main stack return set to 0x604ba52840
[*] Pivoting SP to 0x19fa277fe0 and jumping to intermediate_stage...
[*] Back on main stack. Calling execve...
humpty$

Cheers 
 
 
Sent: Wednesday, January 14, 2026 at 9:18 PM
From: "Steve Williams" <st...@williamsitconsulting.com>
To: f...@disciples.com
Cc: misc@openbsd.org
Subject: Re: Stack pivot, W^X break
Hi,
Compiling the code from 
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/107 running amd64
mini$ ./a.out
a.out[17607]: pinsyscalls addr fe8d9e4b01f code 59, pinoff 0xffffffff (pin 330 
fe942960000-fe94296e8d0 e8d0) (libcpin 331 fe96300f000-fe9630c7000 b8000) error 
78
Abort trap (core dumped)
mini$ su
Password:
mini# ./a.out
a.out[52715]: pinsyscalls addr 32e2ddbf01f code 59, pinoff 0xffffffff (pin 330 
32ec636b000-32ec63798d0 e8d0) (libcpin 331 32e86fe1000-32e87099000 b8000) error 
78
Abort trap
 
My system is a ProtectLI FW2B running an Intel Celeron J3060
OpenBSD 7.8 (GENERIC.MP) #1: Sat Nov 29 11:02:59 MST 2025
    
r...@syspatch-78-amd64.openbsd.org:/usr/src/sys/arch/[mailto:r...@syspatch-78-amd64.openbsd.org:/usr/src/sys/arch/]amd64/compile/GENERIC.MP
 

On 1/14/2026 6:24 PM, f...@disciples.com[mailto:f...@disciples.com] wrote:
On arm64 (in case that matters) the wx-break one isn't failing for me. I must 
be overlooking something.

The stackpivot jumpback one is also not failing anywhere that I'm seeing.

Sent: Wednesday, January 14, 2026 at 1:46 AM
From: "Janne Johansson" <icepic...@gmail.com>[mailto:icepic...@gmail.com]
To: f...@disciples.com[mailto:f...@disciples.com]
Cc: misc@openbsd.org[mailto:misc@openbsd.org]
Subject: Re: Stack pivot, W^X break

And since I'm bringing this up, there's also 
this:https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/107[https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/107]
Obviously, the link there is for HardenedBSD but the script seems to work the 
same on OpenBSD as well.
No, it fails on pinsyscalls.
And to be specific, the jump works, the program doesn't.

-- 
May the most significant bit of your life be positive.