re4

.github/pull_request_template.md

@@ -5,3 +5,4 @@ We value your knowledge and encourage you to share content. Please ensure that y
 
 
 Thank you for contributing to HackTricks!
+

LICENSE.md

@@ -204,3 +204,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 {% endhint %}
 
 
+

SUMMARY.md

@@ -867,3 +867,4 @@
 * [Post Exploitation](todo/post-exploitation.md)
 * [Investment Terms](todo/investment-terms.md)
 * [Cookies Policy](todo/cookies-policy.md)
+

android-forensics.md

@@ -51,3 +51,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

backdoors/icmpsh.md

@@ -62,3 +62,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 {% endhint %}
 
 
+

backdoors/salseo.md

@@ -202,3 +202,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/arbitrary-write-2-exec/README.md

@@ -1,2 +1,3 @@
 # Arbitrary Write 2 Exec
 
+

binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md

@@ -97,3 +97,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md

@@ -113,3 +113,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md

@@ -84,3 +84,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md

@@ -266,3 +266,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/array-indexing.md

@@ -29,3 +29,4 @@ However he you can find some nice **examples**:
   * 64bits, no relro, canary, nx, no pie. There is an off-by-one in an array in the stack that allows to control a pointer granting WWW (it write the sum of all the numbers of the array in the overwritten address by the of-by-one in the array). The stack is controlled so the GOT `exit` address is overwritten with `pop rdi; ret`, and in the stack is added the address to `main` (looping back to `main`). The a ROP chain to leak the address of put in the GOT using puts is used (`exit` will be called so it will call `pop rdi; ret` therefore executing this chain in the stack). Finally a new ROP chain executing ret2lib is used.
 * [https://guyinatuxedo.github.io/14-ret\_2\_system/tu\_guestbook/index.html](https://guyinatuxedo.github.io/14-ret\_2\_system/tu\_guestbook/index.html)
   * 32 bit, no relro, no canary, nx, pie. Abuse a bad indexing to leak addresses of libc and heap from the stack. Abuse the buffer overflow o do a ret2lib calling `system('/bin/sh')` (the heap address is needed to bypass a check).
+

binary-exploitation/basic-stack-binary-exploitation-methodology/README.md

@@ -135,3 +135,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md

@@ -420,3 +420,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md

@@ -267,3 +267,4 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="
 
 </details>
 {% endhint %}
+

binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.md

@@ -200,3 +200,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/README.md

@@ -59,3 +59,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md

@@ -330,3 +330,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.md

@@ -107,3 +107,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.md

@@ -57,3 +57,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack.md

@@ -49,3 +49,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/libc-protections.md

@@ -109,3 +109,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.md

@@ -108,3 +108,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md

@@ -40,3 +40,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/pie/README.md

@@ -56,3 +56,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md

@@ -122,3 +122,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/relro.md

@@ -59,3 +59,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/README.md

@@ -101,3 +101,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md

@@ -133,3 +133,4 @@ Check also the presentation of [https://www.slideshare.net/codeblue\_jp/master-c
 
 * [https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html)
   * 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there.
+

binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md

@@ -57,3 +57,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/common-exploiting-problems.md

@@ -62,3 +62,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/format-strings/README.md

@@ -275,3 +275,4 @@ Support HackTricks
 * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
 * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 {% endhint %}
+

binary-exploitation/format-strings/format-strings-arbitrary-read-example.md

@@ -208,3 +208,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/format-strings/format-strings-template.md

@@ -169,3 +169,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/integer-overflow.md

@@ -141,3 +141,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/ios-exploiting.md

@@ -209,3 +209,4 @@ void iosurface_kwrite64(uint64_t addr, uint64_t value) {
 4. **Abuse Use-After-Free**: Modify pointers in the IOSurface object to enable arbitrary **kernel read/write** via IOSurface methods.
 
 With these primitives, the exploit provides controlled **32-bit reads** and **64-bit writes** to kernel memory. Further jailbreak steps could involve more stable read/write primitives, which may require bypassing additional protections (e.g., PPL on newer arm64e devices).
+

binary-exploitation/libc-heap/README.md

@@ -528,3 +528,4 @@ Functions involved in heap will perform certain check before performing its acti
 
 * [https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/](https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/)
 * [https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/)
+

binary-exploitation/libc-heap/bins-and-memory-allocations.md

@@ -666,3 +666,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/double-free.md

@@ -156,3 +156,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/fast-bin-attack.md

@@ -180,3 +180,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/heap-memory-functions/README.md

@@ -31,3 +31,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/heap-memory-functions/free.md

@@ -410,3 +410,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md

@@ -187,3 +187,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.md

@@ -1770,3 +1770,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/heap-memory-functions/unlink.md

@@ -107,3 +107,4 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/heap-overflow.md

@@ -75,3 +75,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/house-of-einherjar.md

@@ -73,3 +73,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/house-of-force.md

@@ -90,3 +90,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/house-of-lore.md

@@ -71,3 +71,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/house-of-orange.md

@@ -99,3 +99,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/house-of-rabbit.md

@@ -135,3 +135,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/house-of-roman.md

@@ -143,3 +143,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/house-of-spirit.md

@@ -142,3 +142,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/large-bin-attack.md

@@ -85,3 +85,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/off-by-one-overflow.md

@@ -139,3 +139,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/overwriting-a-freed-chunk.md

@@ -47,3 +47,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/tcache-bin-attack.md

@@ -71,3 +71,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/unlink-attack.md

@@ -153,3 +153,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/unsorted-bin-attack.md

@@ -99,3 +99,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/use-after-free/README.md

@@ -44,3 +44,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/libc-heap/use-after-free/first-fit.md

@@ -75,3 +75,4 @@ d = malloc(20);   // a
   * It's possible to alloc some memory, write the desired value, free it, realloc it and as the previous data is still there, it will treated according the new expected struct in the chunk making possible to set the value ot get the flag.
 * [**https://guyinatuxedo.github.io/26-heap\_grooming/swamp19\_heapgolf/index.html**](https://guyinatuxedo.github.io/26-heap\_grooming/swamp19\_heapgolf/index.html)
   * In this case it's needed to write 4 inside an specific chunk which is the first one being allocated (even after force freeing all of them). On each new allocated chunk it's number in the array index is stored. Then, allocate 4 chunks (+ the initialy allocated), the last one will have 4 inside of it, free them and force the reallocation of the first one, which will use the last chunk freed which is the one with 4 inside of it.
+

binary-exploitation/rop-return-oriented-programing/README.md

@@ -222,3 +222,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md

@@ -149,3 +149,4 @@ Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" d
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/ret2csu.md

@@ -209,3 +209,4 @@ Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" d
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md

@@ -222,3 +222,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md

@@ -218,3 +218,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/ret2lib/README.md

@@ -191,3 +191,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md

@@ -62,3 +62,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md

@@ -241,3 +241,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md

@@ -329,3 +329,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md

@@ -256,3 +256,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/ret2vdso.md

@@ -94,3 +94,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md

@@ -220,3 +220,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md

@@ -155,3 +155,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md

@@ -170,3 +170,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md

@@ -216,3 +216,4 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="
 
 </details>
 {% endhint %}
+

binary-exploitation/stack-overflow/README.md

@@ -128,3 +128,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/stack-overflow/pointer-redirecting.md

@@ -53,3 +53,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/stack-overflow/ret2win/README.md

@@ -139,3 +139,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+

binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md

@@ -214,3 +214,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 
 </details>
 {% endhint %}
+