HackTricks-wiki · 7Rocky · Mar 24, 2026
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -825,7 +825,7 @@
     - [Ret2win - arm64](binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md)
   - [Stack Shellcode](binary-exploitation/stack-overflow/stack-shellcode/README.md)
     - [Stack Shellcode - arm64](binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md)
-  - [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
+  - [Stack Pivoting](binary-exploitation/stack-overflow/stack-pivoting.md)
   - [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
   - [ROP & JOP](binary-exploitation/rop-return-oriented-programing/README.md)
   - [BROP - Blind Return Oriented Programming](binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md)
@@ -836,15 +836,15 @@
     - [Leaking libc address with ROP](binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md)
       - [Leaking libc - template](binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md)
     - [One Gadget](binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md)
-    - [Ret2lib + Printf leak - arm64](binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md)
+    - [Ret2lib + Printf leak - arm64](binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-printf-leak-arm64.md)
   - [Ret2syscall](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md)
-    - [Ret2syscall - ARM64](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md)
+    - [Ret2syscall - arm64](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md)
   - [Ret2vDSO](binary-exploitation/rop-return-oriented-programing/ret2vdso.md)
   - [SROP - Sigreturn-Oriented Programming](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md)
-    - [SROP - ARM64](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md)
+    - [SROP - arm64](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md)
   - [Mediatek Xflash Carbonara Da2 Hash Bypass](hardware-physical-access/firmware-analysis/mediatek-xflash-carbonara-da2-hash-bypass.md)
   - [Synology Encrypted Archive Decryption](hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.md)
-  - [Windows Seh Overflow](binary-exploitation/stack-overflow/windows-seh-overflow.md)
+  - [Windows SEH Overflow](binary-exploitation/stack-overflow/windows-seh-overflow.md)
 - [Array Indexing](binary-exploitation/array-indexing.md)
 - [Chrome Exploiting](binary-exploitation/chrome-exploiting.md)
 - [Common Exploiting Problems Unsafe Relocation Fixups](binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups.md)

diff --git a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md
@@ -101,7 +101,7 @@ Something to take into account is that usually **just one exploitation of a vuln
 
 #### Via EBP/RBP
 
-- [**Stack Pivoting / EBP2Ret / EBP Chaining**](../stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md): Control the ESP to control RET through the stored EBP in the stack.
+- [**Stack Pivoting**](../stack-overflow/stack-pivoting.md): Control the ESP to control RET through the stored EBP in the stack.
   - Useful for **off-by-one** stack overflows
   - Useful as an alternate way to end controlling EIP while abusing EIP to construct the payload in memory and then jumping to it via EBP
 

diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.md b/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.md
@@ -1,12 +1,12 @@
-# Ret2ret & Reo2pop
+# Ret2ret & Ret2pop
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## Ret2ret
 
 The main **goal** of this technique is to try to **bypass ASLR by abusing an existing pointer in the stack**.
 
-Basically, stack overflows are usually caused by strings, and **strings end with a null byte at the end** in memory. This allows to try to reduce the place pointed by na existing pointer already existing n the stack. So if the stack contained `0xbfffffdd`, this overflow could transform it into `0xbfffff00` (note the last zeroed byte).
+Basically, stack overflows are usually caused by strings, and **strings end with a null byte at the end** in memory. This allows to try to reduce the place pointed by an existing pointer already existing on the stack. So if the stack contained `0xbfffffdd`, this overflow could transform it into `0xbfffff00` (note the last zeroed byte).
 
 If that address points to our shellcode in the stack, it's possible to make the flow reach that address by **adding addresses to the `ret` instruction** util this one is reached.
 

diff --git a/src/binary-exploitation/rop-return-oriented-programing/README.md b/src/binary-exploitation/rop-return-oriented-programing/README.md
@@ -316,7 +316,7 @@ rop-syscall-execv/
 
 
 {{#ref}}
-../stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
+../stack-overflow/stack-pivoting.md
 {{#endref}}
 
 ## Other Examples & References

diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md
@@ -136,7 +136,7 @@ Also in ARM64 an instruction does what the instruction does (it's not possible t
 Check the example from:
 
 {{#ref}}
-ret2lib-+-printf-leak-arm64.md
+ret2lib-printf-leak-arm64.md
 {{#endref}}
 
 ## Ret-into-printf (or puts)

diff --git a/...ng/ret2lib/ret2lib-+-printf-leak-arm64.md → ...ming/ret2lib/ret2lib-printf-leak-arm64.md b/...ng/ret2lib/ret2lib-+-printf-leak-arm64.md → ...ming/ret2lib/ret2lib-printf-leak-arm64.md
@@ -1,4 +1,4 @@
-# Ret2lib + Printf leak - arm64
+# Ret2lib + Printf leak - ARM64
 
 {{#include ../../../banners/hacktricks-training.md}}
 

diff --git a/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md b/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md
@@ -515,7 +515,7 @@ gdb-multiarch ./ret2win -ex 'target remote :1234'
 
 
 {{#ref}}
-../../rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md
+../../rop-return-oriented-programing/ret2lib/ret2lib-printf-leak-arm64.md
 {{#endref}}
 
 

diff --git a/...ow/stack-pivoting-ebp2ret-ebp-chaining.md → ...oitation/stack-overflow/stack-pivoting.md b/...ow/stack-pivoting-ebp2ret-ebp-chaining.md → ...oitation/stack-overflow/stack-pivoting.md
@@ -1,4 +1,4 @@
-# Stack Pivoting - EBP2Ret - EBP chaining
+# Stack Pivoting
 
 {{#include ../../banners/hacktricks-training.md}}
 
@@ -11,7 +11,6 @@ As a reminder, on x86/x86-64 **`leave`** is equivalent to:
 ```
 mov       rsp, rbp   ; mov esp, ebp on x86
 pop       rbp        ; pop ebp on x86
-ret
 ```
 
 And as the saved **EBP/RBP is in the stack** before the saved EIP/RIP, it's possible to control it by controlling the stack.

diff --git a/...forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/...forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
@@ -83,7 +83,7 @@ call qword ptr [rax]     ; one attacker-chosen gadget per object
 See Windows x64 pivot/gadget building details here:
 
 {{#ref}}
-../../../binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
+../../../binary-exploitation/stack-overflow/stack-pivoting.md
 {{#endref}}
 
 and general ROP guidance here: