Merge pull request #1679 from HackTricks-wiki/update_Exploiting_Anno_1404_20251216_183640

Exploiting Anno 1404

Author: carlospolop

src/SUMMARY.md

@@ -442,6 +442,7 @@
   - [Buckets](network-services-pentesting/pentesting-web/buckets/README.md)
     - [Firebase Database](network-services-pentesting/pentesting-web/buckets/firebase-database.md)
   - [CGI](network-services-pentesting/pentesting-web/cgi.md)
+  - [Custom Protocols](network-services-pentesting/pentesting-web/custom-protocols.md)
   - [Django](network-services-pentesting/pentesting-web/django.md)
   - [Dotnet Soap Wsdl Client Exploitation](network-services-pentesting/pentesting-web/dotnet-soap-wsdl-client-exploitation.md)
   - [DotNetNuke (DNN)](network-services-pentesting/pentesting-web/dotnetnuke-dnn.md)
@@ -823,6 +824,7 @@
   - [Windows Seh Overflow](binary-exploitation/stack-overflow/windows-seh-overflow.md)
 - [Array Indexing](binary-exploitation/array-indexing.md)
 - [Chrome Exploiting](binary-exploitation/chrome-exploiting.md)
+- [Common Exploiting Problems Unsafe Relocation Fixups](binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups.md)
 - [Integer Overflow](binary-exploitation/integer-overflow-and-underflow.md)
 - [Format Strings](binary-exploitation/format-strings/README.md)
   - [Format Strings - Arbitrary Read Example](binary-exploitation/format-strings/format-strings-arbitrary-read-example.md)

src/binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups.md

@@ -0,0 +1,90 @@
+# Unsafe Relocation Fixups in Asset Loaders
+
+{{#include ../banners/hacktricks-training.md}}
+
+## Why asset relocations matter
+
+Many legacy game engines (Granny 3D, Gamebryo, etc.) load complex assets by:
+
+1. Parsing a header and section table.
+2. Allocating one heap buffer per section.
+3. Building a `SectionArray` that stores the base pointer of every section.
+4. Applying relocation tables so that pointers embedded inside the section data get patched to the right target section + offset.
+
+When the relocation handler blindly trusts attacker-controlled metadata, every relocation becomes a potential arbitrary read/write primitive. In *Anno 1404: Venice*, `granny2.dll` ships the following helper:
+
+<details>
+<summary>`GrannyGRNFixUp_0` (trimmed)</summary>
+
+```c
+int *__cdecl GrannyGRNFixUp_0(DWORD RelocationCount,
+                               Relocation *PointerFixupArray,
+                               int *SectionArray,
+                               char *destination)
+{
+  while (RelocationCount--) {
+    int target_base = SectionArray[PointerFixupArray->SectionNumber]; // unchecked index
+    int *patch_site = (int *)(destination + PointerFixupArray->SectionOffset); // unchecked offset
+    *patch_site = target_base ;
+    if (target_base)
+      *patch_site = target_base + PointerFixupArray->Offset;
+    ++PointerFixupArray;
+  }
+  return SectionArray;
+}
+```
+
+</details>
+
+`SectionNumber` is never range-checked and `SectionOffset` is never validated against the current section size. Crafting relocation entries with negative offsets or oversized indices lets you walk outside the section you control and stomp allocator metadata such as the section pointer array itself.
+
+## Stage 1 – Writing backwards into loader metadata
+
+The goal is to make the relocation table of **section 0** overwrite entries of `SectionContentArray` (which mirrors `SectionArray` and is stored right before the first section buffer). Because Granny’s custom allocator prepends **0x1F** bytes and the NT heap adds its own **0x10**-byte header plus alignment, an attacker can precalculate the distance between the start of the first section (`destination`) and the section-pointer array.
+
+In the tested build, forcing the loader to allocate a `GrannyFile` structure that is exactly **0x4000 bytes** makes the section-pointer arrays land right before the first section buffer. Solving
+
+```
+0x20 (header) + 0x20 (section descriptors)
++ n * 1 (section types) + n * 1 (flags)
++ n * 4 (pointer table) = 0x4000
+```
+
+gives **n = 2720** sections. A relocation entry with `SectionOffset = -0x3FF0` ( `0x4000 - 0x20 - 0x20 + 0x30` ) now resolves to `SectionContentArray[1]` even though the destination section thinks it is patching internal pointers.
+
+## Stage 2 – Deterministic heap layout on Windows 10
+
+Windows 10 NT Heap routes allocations **≤ RtlpLargestLfhBlock (0x4000)** to the randomized LFH and larger ones to the deterministic backend allocator. By keeping the `GrannyFile` metadata slightly above that threshold (using the 2720 sections trick) and preloading several malicious `.gr2` assets, you can make:
+
+- Allocation #1 (metadata + section pointer arrays) land in a >0x4000 backend chunk.
+- Allocation #2 (section 0 contents) land immediately after allocation #1.
+- Allocation #3 (section 1 contents) land right after allocation #2, giving you a predictable target for subsequent relocations.
+
+Process Monitor confirmed that assets are streamed on demand, so repeatedly requesting crafted units/buildings is enough to “prime” the heap layout without touching the executable image.
+
+## Stage 3 – Converting the primitive into RCE
+
+1. **Corrupt `SectionContentArray[1]`.** Section 0’s relocation table overwrites it by using the `-0x3FF0` offset. Point it at any writable region you control (e.g., later section data).
+2. **Recycle the corrupted pointer.** Section 1’s relocation table now treats `SectionNumber = 1` as whatever pointer you injected. The handler writes `SectionArray[1] + Offset` to `destination + SectionOffset`, giving you an arbitrary 4-byte write for every relocation entry.
+3. **Hit reliable dispatchers.** In Anno 1404 the target of choice was the `granny2.dll` allocator callbacks (no ASLR, DEP disabled). Overwriting the function pointer that `granny2.dll` uses for the next `Malloc`/`Free` call immediately diverts execution to attacker-controlled code loaded from the trojanized asset.
+
+Because both `granny2.dll` and the injected `.gr2` buffers reside at stable addresses when ASLR/DEP are disabled, the attack reduces to building a small ROP chain or raw shellcode and pointing the callback at it.
+
+## Practical checklist
+
+- Look for asset loaders that maintain `SectionArray` / relocation tables.
+- Diff relocation handlers for missing bounds on indices/offsets.
+- Measure the allocator headers added by both the game’s allocator wrapper and the underlying OS heap to compute backwards offsets precisely.
+- Force deterministic placement by:
+  - inflating metadata (many empty sections) until allocation size > `RtlpLargestLfhBlock`;
+  - repeatedly loading the malicious asset to fill backend holes.
+- Use a two-stage relocation table (first to retarget `SectionArray`, second to spray writes) and overwrite function pointers that will fire during normal rendering (allocator callbacks, virtual tables, animation dispatchers, etc.).
+
+Once you gain an arbitrary file write (e.g., via the path traversal in the multiplayer save transfer), repackaging RDA archives with the crafted `.gr2` gives you a clean delivery vector that is automatically decompressed by remote clients.
+
+## References
+
+- [Synacktiv – Exploiting Anno 1404](https://www.synacktiv.com/publications/exploiting-anno-1404.html)
+- [W. Yason – Windows 10 Segment Heap Internals (BlackHat USA 2016)](https://blackhat.com/docs/us-16/materials/us-16-Yason-Windows-10-Segment-Heap-Internals-wp.pdf)
+
+{{#include ../banners/hacktricks-training.md}}

src/binary-exploitation/common-exploiting-problems.md

@@ -210,6 +210,10 @@ No memory safety bug is required—simply observing serialization order of point
 
 ## Related pages
 
+{{#ref}}
+common-exploiting-problems-unsafe-relocation-fixups.md
+{{#endref}}
+
 {{#ref}}
 ../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
 {{#endref}}

src/network-services-pentesting/pentesting-web/README.md

@@ -76,6 +76,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
 - [**Artifactory**](artifactory-hacking-guide.md)
 - [**Buckets**](buckets/index.html)
 - [**CGI**](cgi.md)
+- [**Custom UDP RPC Protocols**](custom-protocols.md)
 - [**Dotnet SOAP WSDL client exploitation**](dotnet-soap-wsdl-client-exploitation.md)
 - [**Drupal**](drupal/index.html)
 - [**Flask**](flask.md)

src/network-services-pentesting/pentesting-web/custom-protocols.md

@@ -0,0 +1,114 @@
+# Custom UDP RPC Enumeration & File-Transfer Abuse
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Mapping proprietary RPC objects with Frida
+
+Older multiplayer titles often embed home-grown RPC stacks on top of UDP. In *Anno 1404: Venice* this is implemented inside `NetComEngine3.dll` via the `RMC_CallMessage` dispatcher, which parses 5 fields from every datagram:
+
+| Field | Purpose |
+| --- | --- |
+| `ID` | RPC verb (16-bit) |
+| `Flags` | Transport modifiers (reliability, ordering) |
+| `Source` | Object ID of the caller |
+| `TargetObject` | Remote object instance |
+| `Method` | Method index inside the target class |
+
+Two helper functions – `ClassToMethodName()` and `TargetName()` – translate raw IDs into human-readable strings for logging. By brute-forcing 24‑bit object IDs and 16‑bit method IDs and calling those helpers we can enumerate the entire remotely reachable surface without traffic captures or symbol leaks.
+
+<details>
+<summary>Frida surface enumerator (trimmed)</summary>
+
+```javascript
+'use strict';
+
+const classToMethod = Module.getExportByName('NetComEngine3.dll', 'ClassToMethodName');
+const targetName = Module.getExportByName('NetComEngine3.dll', 'TargetName');
+
+function tryID(objID, methodID) {
+  const method = new NativeFunction(classToMethod, 'pointer', ['pointer', 'uint']);
+  const target = new NativeFunction(targetName, 'pointer', ['pointer']);
+  const buf = Memory.alloc(Process.pointerSize);
+  buf.writeU32(objID);
+  const m = method(buf, methodID);
+  if (!m.isNull()) {
+    const t = target(buf);
+    console.log(objID.toString(16), '=', t.readUtf16String());
+    console.log('  -', methodID, '=', m.readUtf16String());
+  }
+}
+
+for (let obj = 0; obj < 0x9000000; obj += 0x400000) {
+  for (let meth = 0; meth < 0x40; meth++) {
+    tryID(obj, meth);
+  }
+}
+```
+
+</details>
+
+Running `frida -l explore-surface.js Addon.exe` emitted the complete RPC map, including the `Player` object (`0x7400000`) and its file-transfer verbs `OnSendFileInit`, `OnSendFileData`, `OnReceivedFileData`, and `OnCancelSendFile`. The same workflow applies to any binary protocol that exposes internal reflection helpers: intercept the dispatcher, brute-force IDs, and log what the engine already knows about each callable method.
+
+### Tips
+
+- Use the engine’s own logging buffers (`WString::Format` in this case) to avoid reimplementing undocumented string encodings.
+- Dump `Flags` to identify reliability features (ACK, resend requests) before attempting fuzzing; custom UDP stacks frequently drop malformed packets silently.
+- Store the enumerated map – it serves as a fuzzing corpus and makes it obvious which objects manipulate the filesystem, world state, or in-game scripting.
+
+## Subverting file-transfer RPCs
+
+Multiplayer save synchronization used a two-packet handshake:
+
+1. `OnSendFileInit` — carries the UTF‑16 filename the client should use when saving the incoming payload.
+2. `OnSendFileData` — streams raw file contents in fixed-size chunks.
+
+Because the server serializes the filename through `ByteStreamWriteString()` right before sending, a Frida hook can swap the pointer to a traversal payload while keeping packet sizes intact.
+
+<details>
+<summary>Filename swapper</summary>
+
+```javascript
+const writeStr = ptr('0x1003A250');
+const ByteStreamWriteString = new NativeFunction(writeStr, 'pointer', ['pointer', 'pointer']);
+const evil = Memory.allocUtf16String('..\\..\\..\\..\\Sauvegarde.sww');
+
+Interceptor.attach(writeStr, {
+  onEnter(args) {
+    const src = args[1].readPointer();
+    const value = src.readUtf16String();
+    if (value && value.indexOf('Sauvegarde.sww') !== -1) {
+      args[1].writePointer(evil);
+    }
+  }
+});
+```
+
+</details>
+
+Victim clients performed zero sanitisation and wrote the received save to whatever path the hostile host supplied, e.g. dropping into `C:\User\user` instead of the intended `...\Savegames\MPShare` tree. On Windows installations of Anno 1404 the game directory is world-writable, so the traversal instantly becomes an arbitrary file write primitive:
+
+- **Drop DLLs** for classic search-order hijacking on next launch, or
+- **Overwrite asset archives** (RDA files) so that weaponized models, textures, or scripts are loaded live during the same session.
+
+### Defending / attacking other targets
+
+- Look for RPC verbs named `SendFile`, `Upload`, `ShareSave`, etc., then intercept the serialization helper responsible for filenames or target directories.
+- Even if filenames are length-checked, many stacks forget to canonicalize `..\` or mixed `/` vs `\` sequences; brute-force all separators.
+- When the receiver stores files under the game install path, check ACLs via `icacls` to confirm whether an unprivileged user can drop code there.
+
+## Turning path traversal into live asset execution
+
+Once you can upload arbitrary bytes, replace any frequently loaded asset:
+
+1. **Unpack the archive.** RDA archives are DEFLATE-based containers whose metadata is optionally XOR-obfuscated with `srand(0xA2C2A)` seeded streams. Tools like [RDAExplorer](https://github.com/lysanntranvouez/RDAExplorer) re-pack archives after edits.
+2. **Inject a malicious `.gr2`.** The trojanized Granny 3D file carries the relocation exploit that overwrites `SectionContentArray` and, through a two-stage relocation sequence, gains an arbitrary 4-byte write inside `granny2.dll`.
+3. **Hijack allocator callbacks.** With ASLR disabled and DEP off, replacing the `malloc/free` function pointers in `granny2.dll` redirects the next allocation to your shellcode, giving immediate RCE without waiting for the victim to restart the game.
+
+This pattern generalises to any title that streams structured assets from binary archives: combine RPC-level traversal for delivery and unsafe relocation processing for code execution.
+
+## References
+
+- [Synacktiv – Exploiting Anno 1404](https://www.synacktiv.com/publications/exploiting-anno-1404.html)
+- [RDA File Format notes](https://github.com/lysanntranvouez/RDAExplorer/wiki/RDA-File-Format)
+
+{{#include ../../banners/hacktricks-training.md}}