HackTricks-wiki
diff --git a/‎src/SUMMARY.md‎
Lines changed: 7 additions & 0 deletions b/‎src/SUMMARY.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md‎
Lines changed: 59 additions & 5 deletions b/‎src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md‎
Lines changed: 59 additions & 5 deletions
diff --git a/‎src/binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups.md‎
Lines changed: 90 additions & 0 deletions b/‎src/binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups.md‎
Lines changed: 90 additions & 0 deletions
@@ -91,6 +91,7 @@
   - [Defi/AMM Hook Precision](blockchain/blockchain-and-crypto-currencies/defi-amm-hook-precision.md)
   - [Defi Amm Virtual Balance Cache Exploitation](blockchain/blockchain-and-crypto-currencies/defi-amm-virtual-balance-cache-exploitation.md)
   - [Mutation Testing With Slither](blockchain/smart-contract-security/mutation-testing-with-slither.md)
+  - [Value Centric Web3 Red Teaming](blockchain/blockchain-and-crypto-currencies/value-centric-web3-red-teaming.md)
 - [Lua Sandbox Escape](generic-methodologies-and-resources/lua/bypass-lua-sandboxes/README.md)
 
 # 🧙‍♂️ Generic Hacking
@@ -338,6 +339,7 @@
   - [Windows Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md)
   - [Mimikatz](windows-hardening/stealing-credentials/credentials-mimikatz.md)
   - [WTS Impersonator](windows-hardening/stealing-credentials/wts-impersonator.md)
+  - [Windows Registry Hive Exploitation](windows-hardening/windows-local-privilege-escalation/windows-registry-hive-exploitation.md)
 - [Basic Win CMD for Pentesters](windows-hardening/basic-cmd-for-pentesters.md)
 - [Basic PowerShell for Pentesters](windows-hardening/basic-powershell-for-pentesters/README.md)
   - [PowerView/SharpView](windows-hardening/basic-powershell-for-pentesters/powerview.md)
@@ -440,6 +442,7 @@
   - [Buckets](network-services-pentesting/pentesting-web/buckets/README.md)
     - [Firebase Database](network-services-pentesting/pentesting-web/buckets/firebase-database.md)
   - [CGI](network-services-pentesting/pentesting-web/cgi.md)
+  - [Custom Protocols](network-services-pentesting/pentesting-web/custom-protocols.md)
   - [Django](network-services-pentesting/pentesting-web/django.md)
   - [Dotnet Soap Wsdl Client Exploitation](network-services-pentesting/pentesting-web/dotnet-soap-wsdl-client-exploitation.md)
   - [DotNetNuke (DNN)](network-services-pentesting/pentesting-web/dotnetnuke-dnn.md)
@@ -821,6 +824,7 @@
   - [Windows Seh Overflow](binary-exploitation/stack-overflow/windows-seh-overflow.md)
 - [Array Indexing](binary-exploitation/array-indexing.md)
 - [Chrome Exploiting](binary-exploitation/chrome-exploiting.md)
+- [Common Exploiting Problems Unsafe Relocation Fixups](binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups.md)
 - [Integer Overflow](binary-exploitation/integer-overflow-and-underflow.md)
 - [Format Strings](binary-exploitation/format-strings/README.md)
   - [Format Strings - Arbitrary Read Example](binary-exploitation/format-strings/format-strings-arbitrary-read-example.md)
@@ -870,13 +874,16 @@
   - [WWW2Exec - .dtors & .fini_array](binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md)
   - [WWW2Exec - GOT/PLT](binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md)
   - [WWW2Exec - \_\_malloc_hook & \_\_free_hook](binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md)
+  - [Virtualbox Slirp Nat Packet Heap Exploitation](binary-exploitation/libc-heap/virtualbox-slirp-nat-packet-heap-exploitation.md)
 - [Common Exploiting Problems](binary-exploitation/common-exploiting-problems.md)
 - [Adreno A7xx Sds Rb Priv Bypass Gpu Smmu Kernel Rw](binary-exploitation/linux-kernel-exploitation/adreno-a7xx-sds-rb-priv-bypass-gpu-smmu-kernel-rw.md)
 - [Af Unix Msg Oob Uaf Skb Primitives](binary-exploitation/linux-kernel-exploitation/af-unix-msg-oob-uaf-skb-primitives.md)
+- [Arm64 Static Linear Map Kaslr Bypass](binary-exploitation/linux-kernel-exploitation/arm64-static-linear-map-kaslr-bypass.md)
 - [Ksmbd Streams Xattr Oob Write Cve 2025 37947](binary-exploitation/linux-kernel-exploitation/ksmbd-streams_xattr-oob-write-cve-2025-37947.md)
 - [Linux kernel exploitation - toctou](binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
 - [PS5 compromission](binary-exploitation/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md)
 - [Windows Exploiting (Basic Guide - OSCP lvl)](binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)
+- [Windows Vectored Overloading](binary-exploitation/windows-vectored-overloading.md)
 - [iOS Exploiting](binary-exploitation/ios-exploiting/README.md)
   - [ios CVE-2020-27950-mach_msg_trailer_t](binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.md)
   - [ios CVE-2021-30807-IOMobileFrameBuffer](binary-exploitation/ios-exploiting/CVE-2021-30807-IOMobileFrameBuffer.md)
 
@@ -6,14 +6,68 @@
 
 The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel terminology, is a hardware-based security feature designed to **mitigate** the effects of **buffer overflow** attacks. When implemented and enabled, it distinguishes between memory regions that are intended for **executable code** and those meant for **data**, such as the **stack** and **heap**. The core idea is to prevent an attacker from executing malicious code through buffer overflow vulnerabilities by putting the malicious code in the stack for example and directing the execution flow to it.
 
+Modern operating systems enforce NX through the page table attributes that back the ELF program headers. For example, the `PT_GNU_STACK` header combined with the `GNU_PROPERTY_X86_FEATURE_1_SHSTK` or `GNU_PROPERTY_X86_FEATURE_1_IBT` properties let the loader know whether the stack should be **RW** or **RWX**. When NX is enabled and the binary was linked with a non-executable stack (`-z noexecstack`), any attempt to pivot execution into attacker-controlled data pages (stack, heap, mmap'ed buffers, etc.) will raise a fault unless those pages were explicitly marked as executable.
+
+### Detecting NX quickly
+
+- `checksec --file ./vuln` will display `NX enabled` or `NX disabled` based on the `GNU_STACK` program header.
+- `readelf -W -l ./vuln | grep GNU_STACK` exposes the stack permissions; the presence of an `E` flag indicates that the stack is executable. Example:
+
+```bash
+$ readelf -W -l ./vuln | grep GNU_STACK
+  GNU_STACK      0x000000 0x000000 0x000000 0x000000 0x000000 RW  0x10
+```
+
+- `execstack -q ./vuln` (from `prelink`) is handy when auditing large collections of binaries because it prints `X` for binaries that still have an executable stack.
+- At runtime, `/proc/<pid>/maps` will show whether an allocation is `rwx`, `rw-`, `r-x`, etc., which is useful when verifying JIT engines or custom allocators.
+
 ## Bypasses
 
-- It's possible to use techniques such as [**ROP**](../rop-return-oriented-programing/index.html) **to bypass** this protection by executing chunks of executable code already present in the binary.
-  - [**Ret2libc**](../rop-return-oriented-programing/ret2lib/index.html)
-  - [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/index.html)
-  - **Ret2...**
+### Code-reuse primitives
 
-{{#include ../../banners/hacktricks-training.md}}
+It's possible to use techniques such as [**ROP**](../rop-return-oriented-programing/index.html) **to bypass** this protection by executing chunks of executable code already present in the binary. Typical chains include:
+
+- [**Ret2libc**](../rop-return-oriented-programing/ret2lib/index.html)
+- [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/index.html)
+- [**Ret2dlresolve**](../rop-return-oriented-programing/ret2dlresolve.md) when the binary does not import `system`/`execve`
+- [**Ret2csu**](../rop-return-oriented-programing/ret2csu.md) or [**Ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) to synthesize syscalls
+- **Ret2...** — any dispatcher that lets you stitch controlled register state with existing executable code to invoke syscalls or library gadgets.
+
+The workflow is usually: (1) leak a code or libc pointer through an info leak, (2) resolve function bases, and (3) craft a chain that never needs attacker-controlled executable bytes.
+
+### Sigreturn Oriented Programming (SROP)
+
+SROP builds a fake `sigframe` on a writable page and pivots execution to `sys_rt_sigreturn` (or the relevant ABI equivalent). The kernel then “restores” the crafted context, instantly granting full control over all general-purpose registers, `rip`, and `eflags`. Recent CTF challenges (e.g., the *Hostel* task in n00bzCTF 2023) show how SROP chains first invoke `mprotect` to flip the stack to `RWX`, then reuse the same stack for shellcode, effectively bypassing NX even when only a single `syscall; ret` gadget is available. Check the dedicated [SROP page](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md) for more architecture-specific tricks.
 
+### Ret2mprotect / ret2syscall to flip permissions
 
+If you can call `mprotect`, `pkey_mprotect`, or even `dlopen`, you can legitimately request an executable mapping before running shellcode. A small `pwntools` skeleton looks like:
 
+```python
+from pwn import *
+elf = ELF("./vuln")
+rop = ROP(elf)
+rop.mprotect(elf.bss(), 0x1000, 7)
+payload = flat({offset: rop.chain(), offset+len(rop.chain()): asm(shellcraft.sh())})
+```
+
+The same idea applies to `ret2syscall` chains that set `rax=__NR_mprotect`, point `rdi` to a `mmap`/`.bss` page, store the desired length in `rsi`, and set `rdx=7` (`PROT_RWX`). Once a RWX region exists, execution can safely jump into attacker-controlled bytes.
+
+### RWX primitives from JIT engines and kernels
+
+JIT engines, interpreters, GPU drivers, and kernel subsystems that dynamically emit code are a common way to regain executable memory even under strict NX policies. The 2024 Linux kernel vulnerability **CVE-2024-42067** showed that failures in `set_memory_rox()` left eBPF JIT pages writable *and* executable, letting attackers spray gadgets or entire shellcode blobs inside the kernel despite NX/W^X expectations. Exploits that gain control over a JIT compiler (BPF, JavaScript, Lua, etc.) can therefore arrange for their payload to live in those RWX arenas and only need a single function pointer overwrite to jump into them.
+
+### Non-return code reuse (JOP/COP)
+
+If `ret` instructions are hardened (e.g., CET/IBT) or the binary lacks expressive `ret` gadgets, pivot to **Jump-Oriented Programming (JOP)** or **Call-Oriented Programming (COP)**. These techniques build dispatchers that use `jmp [reg]` or `call [reg]` sequences found in the binary or loaded libraries. They still respect NX because they reuse existing executable code, but they sidestep mitigations that specifically watch for large chains of `ret` instructions.
+
+{{#ref}}
+../rop-return-oriented-programing/README.md
+{{#endref}}
+
+## References
+
+- [CVE-2024-42067 - Linux kernel eBPF JIT set\_memory\_rox failure](https://nvd.nist.gov/vuln/detail/CVE-2024-42067)
+- [n00bzCTF 2023 - Hostel (SROP) writeup](https://ctftime.org/writeup/37315)
+
+{{#include ../../banners/hacktricks-training.md}}
@@ -0,0 +1,90 @@
+# Unsafe Relocation Fixups in Asset Loaders
+
+{{#include ../banners/hacktricks-training.md}}
+
+## Why asset relocations matter
+
+Many legacy game engines (Granny 3D, Gamebryo, etc.) load complex assets by:
+
+1. Parsing a header and section table.
+2. Allocating one heap buffer per section.
+3. Building a `SectionArray` that stores the base pointer of every section.
+4. Applying relocation tables so that pointers embedded inside the section data get patched to the right target section + offset.
+
+When the relocation handler blindly trusts attacker-controlled metadata, every relocation becomes a potential arbitrary read/write primitive. In *Anno 1404: Venice*, `granny2.dll` ships the following helper:
+
+<details>
+<summary>`GrannyGRNFixUp_0` (trimmed)</summary>
+
+```c
+int *__cdecl GrannyGRNFixUp_0(DWORD RelocationCount,
+                               Relocation *PointerFixupArray,
+                               int *SectionArray,
+                               char *destination)
+{
+  while (RelocationCount--) {
+    int target_base = SectionArray[PointerFixupArray->SectionNumber]; // unchecked index
+    int *patch_site = (int *)(destination + PointerFixupArray->SectionOffset); // unchecked offset
+    *patch_site = target_base ;
+    if (target_base)
+      *patch_site = target_base + PointerFixupArray->Offset;
+    ++PointerFixupArray;
+  }
+  return SectionArray;
+}
+```
+
+</details>
+
+`SectionNumber` is never range-checked and `SectionOffset` is never validated against the current section size. Crafting relocation entries with negative offsets or oversized indices lets you walk outside the section you control and stomp allocator metadata such as the section pointer array itself.
+
+## Stage 1 – Writing backwards into loader metadata
+
+The goal is to make the relocation table of **section 0** overwrite entries of `SectionContentArray` (which mirrors `SectionArray` and is stored right before the first section buffer). Because Granny’s custom allocator prepends **0x1F** bytes and the NT heap adds its own **0x10**-byte header plus alignment, an attacker can precalculate the distance between the start of the first section (`destination`) and the section-pointer array.
+
+In the tested build, forcing the loader to allocate a `GrannyFile` structure that is exactly **0x4000 bytes** makes the section-pointer arrays land right before the first section buffer. Solving
+
+```
+0x20 (header) + 0x20 (section descriptors)
++ n * 1 (section types) + n * 1 (flags)
++ n * 4 (pointer table) = 0x4000
+```
+
+gives **n = 2720** sections. A relocation entry with `SectionOffset = -0x3FF0` ( `0x4000 - 0x20 - 0x20 + 0x30` ) now resolves to `SectionContentArray[1]` even though the destination section thinks it is patching internal pointers.
+
+## Stage 2 – Deterministic heap layout on Windows 10
+
+Windows 10 NT Heap routes allocations **≤ RtlpLargestLfhBlock (0x4000)** to the randomized LFH and larger ones to the deterministic backend allocator. By keeping the `GrannyFile` metadata slightly above that threshold (using the 2720 sections trick) and preloading several malicious `.gr2` assets, you can make:
+
+- Allocation #1 (metadata + section pointer arrays) land in a >0x4000 backend chunk.
+- Allocation #2 (section 0 contents) land immediately after allocation #1.
+- Allocation #3 (section 1 contents) land right after allocation #2, giving you a predictable target for subsequent relocations.
+
+Process Monitor confirmed that assets are streamed on demand, so repeatedly requesting crafted units/buildings is enough to “prime” the heap layout without touching the executable image.
+
+## Stage 3 – Converting the primitive into RCE
+
+1. **Corrupt `SectionContentArray[1]`.** Section 0’s relocation table overwrites it by using the `-0x3FF0` offset. Point it at any writable region you control (e.g., later section data).
+2. **Recycle the corrupted pointer.** Section 1’s relocation table now treats `SectionNumber = 1` as whatever pointer you injected. The handler writes `SectionArray[1] + Offset` to `destination + SectionOffset`, giving you an arbitrary 4-byte write for every relocation entry.
+3. **Hit reliable dispatchers.** In Anno 1404 the target of choice was the `granny2.dll` allocator callbacks (no ASLR, DEP disabled). Overwriting the function pointer that `granny2.dll` uses for the next `Malloc`/`Free` call immediately diverts execution to attacker-controlled code loaded from the trojanized asset.
+
+Because both `granny2.dll` and the injected `.gr2` buffers reside at stable addresses when ASLR/DEP are disabled, the attack reduces to building a small ROP chain or raw shellcode and pointing the callback at it.
+
+## Practical checklist
+
+- Look for asset loaders that maintain `SectionArray` / relocation tables.
+- Diff relocation handlers for missing bounds on indices/offsets.
+- Measure the allocator headers added by both the game’s allocator wrapper and the underlying OS heap to compute backwards offsets precisely.
+- Force deterministic placement by:
+  - inflating metadata (many empty sections) until allocation size > `RtlpLargestLfhBlock`;
+  - repeatedly loading the malicious asset to fill backend holes.
+- Use a two-stage relocation table (first to retarget `SectionArray`, second to spray writes) and overwrite function pointers that will fire during normal rendering (allocator callbacks, virtual tables, animation dispatchers, etc.).
+
+Once you gain an arbitrary file write (e.g., via the path traversal in the multiplayer save transfer), repackaging RDA archives with the crafted `.gr2` gives you a clean delivery vector that is automatically decompressed by remote clients.
+
+## References
+
+- [Synacktiv – Exploiting Anno 1404](https://www.synacktiv.com/publications/exploiting-anno-1404.html)
+- [W. Yason – Windows 10 Segment Heap Internals (BlackHat USA 2016)](https://blackhat.com/docs/us-16/materials/us-16-Yason-Windows-10-Segment-Heap-Internals-wp.pdf)
+
+{{#include ../banners/hacktricks-training.md}}