It looks like the author of these has posted an updated POC of the W^X break script since the start of this thread.

Here: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/107#note_47812

Quoting, they say this:

"I have seen on openbsd-misc that people are rightfully claiming this break does not work on OpenBSD due to pinsyscalls. That said, this is only because I was lazy when writing the poc, this break has otherwise nothing to do with pinsyscalls. Also note this break works regardless of whether the executable memory was mapped MAP_PRIVATE or MAP_SHARED. Below is an update poc that pops a shell despite pinsyscalls on OpenBSD using a simple libc trampoline"

I can also confirm that this works as they say.

> Sent: Thursday, January 15, 2026 at 8:30 AM
> From: [email protected]
> To: "Steve Williams" <[email protected]>
> Cc: [email protected]
> Subject: Re: Stack pivot, W^X break
>
> Thanks Steve,
>
> Here's what I get (I'm using the first version of the POC compiled from the
> same link as you) and I've included output from the stack pivot bypass as
> well (this one pops a shell).
>
> humpty$ sysctl kern.version
> kern.version=OpenBSD 7.8-current (GENERIC.MP) #108: Wed Jan 14 05:22:24 MST 2026
> [email protected]:/usr/src/sys/arch/arm64/compile/GENERIC.MP
> humpty$ ./wx-break
> [*] Mapped Content: malicious code
> [!] RX memory updated thru a backing file write.
> humpty$ ./stackpivot-jumpback-bypass
> [*] Allocated heap stack at 0x19fa178000 - 0x19fa278000
> [*] Main stack return set to 0x604ba52840
> [*] Pivoting SP to 0x19fa277fe0 and jumping to intermediate_stage...
> [*] Back on main stack. Calling execve...
> humpty$
>
> Cheers
>
> > Sent: Wednesday, January 14, 2026 at 9:18 PM
> > From: "Steve Williams" <[email protected]>
> > To: [email protected]
> > Cc: [email protected]
> > Subject: Re: Stack pivot, W^X break
> >
> > Hi,
> >
> > Compiling the code from
> > https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/107 running amd64
> >
> > mini$ ./a.out
> > a.out[17607]: pinsyscalls addr fe8d9e4b01f code 59, pinoff 0xffffffff (pin 330 fe942960000-fe94296e8d0 e8d0) (libcpin 331 fe96300f000-fe9630c7000 b8000) error 78
> > Abort trap (core dumped)
> > mini$ su
> > Password:
> > mini# ./a.out
> > a.out[52715]: pinsyscalls addr 32e2ddbf01f code 59, pinoff 0xffffffff (pin 330 32ec636b000-32ec63798d0 e8d0) (libcpin 331 32e86fe1000-32e87099000 b8000) error 78
> > Abort trap
> >
> > My system is a ProtectLI FW2B running an Intel Celeron J3060
> > OpenBSD 7.8 (GENERIC.MP) #1: Sat Nov 29 11:02:59 MST 2025
> > [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > On 1/14/2026 6:24 PM, [email protected] wrote:
> > > On arm64 (in case that matters) the wx-break one isn't failing for me. I must
> > > be overlooking something.
> > >
> > > The stackpivot jumpback one is also not failing anywhere that I'm seeing.
> > >
> > > > Sent: Wednesday, January 14, 2026 at 1:46 AM
> > > > From: "Janne Johansson" <[email protected]>
> > > > To: [email protected]
> > > > Cc: [email protected]
> > > > Subject: Re: Stack pivot, W^X break
> > > >
> > > > > And since I'm bringing this up, there's also
> > > > > this: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/107
> > > > > Obviously, the link there is for HardenedBSD but the script seems to work the
> > > > > same on OpenBSD as well.
> > > >
> > > > No, it fails on pinsyscalls.
> > > > And to be specific, the jump works, the program doesn't.
> > > >
> > > > --
> > > > May the most significant bit of your life be positive.

