Repository record: x0reaxeax/exec-prot-bypass (https://github.com/x0reaxeax/exec-prot-bypass)

- Description: Bypassing Linux Executable Space Protection using 20+ years old tools (CVE-2022-25265).
- Language: C; license: MIT; default branch: main
- Topics: cve-2022-25265, dep-bypass, exploit, linux, noexec
- Created 2022-02-16; last pushed 2022-02-19; 10 stars, 2 forks, 0 open issues
- Record source: ecosyste.ms (https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x0reaxeax%2Fexec-prot-bypass), last synced 2025-04-25

# Executable Space Protection Bypass (CVE-2022-25265)

This POC demonstrates execution of bytes located in a supposedly non-executable region of a binary, thereby completely bypassing executable-space protection.

The root cause of this can be found here:
https://github.com/torvalds/linux/blob/master/arch/x86/include/asm/elf.h#L280

## Brief

As it turns out, binaries built either on systems lacking NX or on IA32 systems with NX, which do NOT contain the `PT_GNU_STACK` program header, will be marked `exec-all`. This allows complete RWX access to and from everywhere in the binary. Whether a given binary carries this header can be checked with `readelf -lW <binary>`, which lists a `GNU_STACK` entry when it is present.

To achieve this, we use "historical" build tools: in this case, gcc 3.2.2 running on x86 Slackware 9 with Linux 2.4.20. We end up with a binary file which can still be executed on modern Linux systems, in this case **Linux 5.16.1**.

The very same effect MIGHT be achievable with specific linker arguments/scripts, although I have NOT verified this.

The PoC code in this repository copies the assembled bytes of the function `dummy()` into the character array `harmless_str_buf` and executes the destination array as a function.

[Demo with reverse shell](https://youtu.be/zj5z7eB_frk)

# *** DISCLAIMER ***

This demonstration serves purely educational purposes. Under no circumstances can the author of this code be held responsible for any direct or indirect damage caused by misusing any provided code and/or information.

See [LICENSE](https://github.com/x0reaxeax/exec-prot-bypass/blob/main/LICENSE) for more details.