Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Author: carlospolop

src/AI/AI-llm-architecture/3.-token-embeddings.md

@@ -173,6 +173,29 @@ Combined Embedding = Token Embedding + Positional Embedding
 - **Contextual Awareness:** The model can differentiate between tokens based on their positions.
 - **Sequence Understanding:** Enables the model to understand grammar, syntax, and context-dependent meanings.
 
+## **Positional Embeddings in Modern LLMs**
+
+### **Rotary Positional Embeddings (RoPE)**
+
+RoPE encodes position by applying a position-dependent rotation to pairs of dimensions in the query/key vectors, turning absolute positions into relative phase differences. This provides relative position information while keeping embedding dimensionality unchanged and is widely used in recent decoder-only LLMs.
+
+For how token and positional embeddings are combined inside the model, see [the LLM architecture page](5.-llm-architecture.md).
+
+### **Extending Context Windows in RoPE-Based Models**
+
+Recent work shows that context length is often limited by the positional encoding scheme rather than the token embedding matrix itself.
+
+- **Position Interpolation (PI):** Rescales position indices so longer sequences map into the range seen during training, enabling extension with minimal fine-tuning. Example:
+
+```python
+# Position Interpolation (PI) intuition
+orig_ctx = 2048
+new_ctx = 8192
+scaled_pos = pos * (orig_ctx / new_ctx)
+```
+
+- **YaRN:** A compute-efficient RoPE extension strategy that modifies RoPE scaling/interpolation to extrapolate to longer contexts with fewer additional training steps.
+
 ## Code Example
 
 Following with the code example from [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch02/01_main-chapter-code/ch02.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch02/01_main-chapter-code/ch02.ipynb):
@@ -219,4 +242,6 @@ print(input_embeddings.shape) # torch.Size([8, 4, 256])
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
 
 
+- [https://arxiv.org/abs/2306.15595](https://arxiv.org/abs/2306.15595)
+- [https://arxiv.org/abs/2309.00071](https://arxiv.org/abs/2309.00071)
 {{#include ../../banners/hacktricks-training.md}}

src/SUMMARY.md

@@ -122,27 +122,33 @@
   - [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md)
   - [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)
   - [D-Bus Enumeration & Command Injection Privilege Escalation](linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
-  - [Docker Security](linux-hardening/privilege-escalation/docker-security/README.md)
-    - [Abusing Docker Socket for Privilege Escalation](linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md)
-    - [AppArmor](linux-hardening/privilege-escalation/docker-security/apparmor.md)
-    - [AuthZ& AuthN - Docker Access Authorization Plugin](linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md)
-    - [CGroups](linux-hardening/privilege-escalation/docker-security/cgroups.md)
-    - [Docker --privileged](linux-hardening/privilege-escalation/docker-security/docker-privileged.md)
-    - [Docker Breakout / Privilege Escalation](linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md)
-      - [release_agent exploit - Relative Paths to PIDs](linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md)
-      - [Docker release_agent cgroups escape](linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md)
-      - [Sensitive Mounts](linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md)
-    - [Namespaces](linux-hardening/privilege-escalation/docker-security/namespaces/README.md)
-      - [CGroup Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md)
-      - [IPC Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md)
-      - [PID Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md)
-      - [Mount Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md)
-      - [Network Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md)
-      - [Time Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md)
-      - [User Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md)
-      - [UTS Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md)
-    - [Seccomp](linux-hardening/privilege-escalation/docker-security/seccomp.md)
-    - [Weaponizing Distroless](linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md)
+  - [Container Security](linux-hardening/privilege-escalation/container-security/README.md)
+    - [Runtimes And Engines](linux-hardening/privilege-escalation/container-security/runtimes-and-engines.md)
+    - [Runtime API And Daemon Exposure](linux-hardening/privilege-escalation/container-security/runtime-api-and-daemon-exposure.md)
+    - [Authorization Plugins](linux-hardening/privilege-escalation/container-security/authorization-plugins.md)
+    - [Image Security And Secrets](linux-hardening/privilege-escalation/container-security/image-security-and-secrets.md)
+    - [Assessment And Hardening](linux-hardening/privilege-escalation/container-security/assessment-and-hardening.md)
+    - [Sensitive Host Mounts](linux-hardening/privilege-escalation/container-security/sensitive-host-mounts.md)
+    - [Privileged Containers](linux-hardening/privilege-escalation/container-security/privileged-containers.md)
+    - [Distroless](linux-hardening/privilege-escalation/container-security/distroless.md)
+    - [Protections](linux-hardening/privilege-escalation/container-security/protections/README.md)
+      - [AppArmor](linux-hardening/privilege-escalation/container-security/protections/apparmor.md)
+      - [Capabilities](linux-hardening/privilege-escalation/container-security/protections/capabilities.md)
+      - [CGroups](linux-hardening/privilege-escalation/container-security/protections/cgroups.md)
+      - [Masked Paths](linux-hardening/privilege-escalation/container-security/protections/masked-paths.md)
+      - [No New Privileges](linux-hardening/privilege-escalation/container-security/protections/no-new-privileges.md)
+      - [Read Only Paths](linux-hardening/privilege-escalation/container-security/protections/read-only-paths.md)
+      - [Seccomp](linux-hardening/privilege-escalation/container-security/protections/seccomp.md)
+      - [SELinux](linux-hardening/privilege-escalation/container-security/protections/selinux.md)
+      - [Namespaces](linux-hardening/privilege-escalation/container-security/protections/namespaces/README.md)
+        - [CGroup Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/cgroup-namespace.md)
+        - [IPC Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/ipc-namespace.md)
+        - [PID Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/pid-namespace.md)
+        - [Mount Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/mount-namespace.md)
+        - [Network Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/network-namespace.md)
+        - [Time Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/time-namespace.md)
+        - [User Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/user-namespace.md)
+        - [UTS Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/uts-namespace.md)
   - [Escaping from Jails](linux-hardening/privilege-escalation/escaping-from-limited-bash.md)
   - [Posix Cpu Timers Toctou Cve 2025 38352](linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
   - [euid, ruid, suid](linux-hardening/privilege-escalation/euid-ruid-suid.md)

src/binary-exploitation/libc-heap/house-of-roman.md

@@ -8,7 +8,7 @@ This was a very interesting technique that allowed for RCE without leaks via fak
 
 ### Applicability in 2026
 
-- **glibc window:** Works reliably on **2.23–2.28**. On **2.29** the additional `unsorted_chunks` integrity checks make the unsorted‑bin write unreliable, so success drops sharply. From **2.34** onward `__malloc_hook/__free_hook` were removed, making the original target unavailable. Use it only on old libc’s (or custom builds that keep the hooks) or for CTF challenges that ship an old libc.
+- **glibc window:** Works reliably on **2.23–2.27** (the how2heap PoC tested 2.23–2.25). Starting **2.28**, the "additional checks for unsorted bin integrity" patch makes the unsorted‑bin write unreliable, so success drops sharply. From **2.34** onward `__malloc_hook/__free_hook` were removed, making the original target unavailable. Use it only on old libc's (or custom builds that keep the hooks) or for CTF challenges that ship an old libc.
 - **Tcache era (≥2.26):** Tcache will eat your 0x70 allocations and stop the fastbin/unsorted primitives. Disable it (`setenv("GLIBC_TUNABLES","glibc.malloc.tcache_count=0",1);`) **before** any allocation or fill each 0x70 tcache bin with 7 frees to drain it.
 - **Safe-linking:** It applies to tcache/fastbin in ≥2.32, but House of Roman only needs **partial pointer overwrite of a libc address already present in fd/bk**, so safe-linking does not help the defender here (the attacker never forges a fresh pointer). The real stopper is the hook removal and the unsorted-bin checks.
 
@@ -117,9 +117,9 @@ Finally, once the correct address is overwritten, **call `malloc` and trigger th
 
 ## Modern tips & variants
 
-- **Unsorted-bin check in 2.29+:** If you must run on 2.29–2.33, corrupt both `fd` **and** `bk` to satisfy the integrity check before triggering the write; otherwise `_int_malloc` aborts. Success rate is very low and usually only viable in brute-force CTF settings.
+- **Unsorted-bin hardening (2.28+):** The extra integrity checks on unsorted chunks (size sanity + list linkage) make the classic unsorted‑bin write fragile. To survive `_int_malloc`, you must keep `fd/bk` links consistent and sizes plausible, which usually requires stronger primitives than a simple partial overwrite.
 - **Hook removal (2.34+):** With `__malloc_hook` gone, adapt the primitive to land on any writable GOT/global you can later reuse (e.g., overwrite `exit@GOT` in non-PIE binaries) or pivot to a **House of Pie** style top‑chunk hijack to control `top` instead of a hook.
-- **Any‑address fastbin alloc (2024 gist):** A recent writeup shows reusing the same grooming to fastbin‑allocate over `__free_hook` or other globals by first landing a libc pointer in fastbin and then re‑pointing it before the fixup. This works on 2.24–2.28 but still dies on 2.29 integrity checks.
+- **Any‑address fastbin alloc (romanking98 writeup):** The second part shows repairing the 0x71 freelist and using the unsorted‑bin write to land a fastbin allocation over `__free_hook`, then placing `system("/bin/sh")` and triggering it via `free()` on libc‑2.24 (pre-hook removal).
 
 ## References
 
@@ -128,5 +128,7 @@ Finally, once the correct address is overwritten, **call `malloc` and trigger th
 - [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/)
 - [https://halloween.synacktiv.com/publications/heap-tricks-never-get-old-insomnihack-teaser-2022.html](https://halloween.synacktiv.com/publications/heap-tricks-never-get-old-insomnihack-teaser-2022.html)
 - [https://gist.github.com/romanking98/9aab2804832c0fb46615f025e8ffb0bc](https://gist.github.com/romanking98/9aab2804832c0fb46615f025e8ffb0bc)
+- [https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=NEWS;hb=glibc-2.34](https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=NEWS;hb=glibc-2.34)
+- [https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c)
 
 {{#include ../../banners/hacktricks-training.md}}

src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md

@@ -4,7 +4,13 @@
 
 ## Basic Information
 
-There might be **gadgets in the vDSO region**, which is used to change from user mode to kernel mode. In these type of challenges, usually a kernel image is provided to dump the vDSO region.
+There might be **gadgets in the vDSO region**, which is a small ELF DSO mapped by the kernel to provide fast user-space implementations of some kernel helpers. In these type of challenges, usually a kernel image is provided to dump the vDSO region.
+
+### Locating the vDSO base and exports
+
+The vDSO base address is passed in the auxiliary vector as `AT_SYSINFO_EHDR`, so if you can read `/proc/<pid>/auxv` (or call `getauxval` in a helper process), you can recover the base without relying on a memory leak. See [Auxiliary Vector (auxv) and vDSO](../basic-stack-binary-exploitation-methodology/elf-tricks.md) for practical ways to obtain it.
+
+Once you have the base, treat the vDSO like a normal ELF DSO (`linux-vdso.so.1`): dump the mapping and use `readelf -Ws`/`objdump -d` (or the kernel reference parser `tools/testing/selftests/vDSO/parse_vdso.c`) to resolve exported symbols and look for gadgets. On x86 32-bit the vDSO commonly exports `__kernel_vsyscall`, `__kernel_sigreturn`, and `__kernel_rt_sigreturn`; on x86_64 typical exports include `__vdso_clock_gettime`, `__vdso_gettimeofday`, and `__vdso_time`. Because the vDSO uses symbol versioning, match the expected version when resolving symbols.
 
 Following the example from [https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/](https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/) it's possible to see how it was possible to dump the vdso section and move it to the host with:
 
@@ -60,13 +66,16 @@ pop_ebx_pop_esi_pop_ebp_ret = vdso_addr + 0x15cd
 
 ### ARM64
 
-After dumping and checking the vdso section of a binary in kali 2023.2 arm64, I couldn't find in there any interesting gadget (no way to control registers from values in the stack or to control x30 for a ret) **except a way to call a SROP**. Check more info int eh example from the page:
+After dumping and checking the vdso section of a binary in kali 2023.2 arm64, I couldn't find in there any interesting gadget (no way to control registers from values in the stack or to control x30 for a ret) **except a way to call a SROP**. Check more info in the example from the page:
 
 
 {{#ref}}
 srop-sigreturn-oriented-programming/srop-arm64.md
 {{#endref}}
 
-{{#include ../../banners/hacktricks-training.md}}
+## References
 
+- [https://man7.org/linux/man-pages/man7/vdso.7.html](https://man7.org/linux/man-pages/man7/vdso.7.html)
+- [https://www.kernel.org/doc/Documentation/ABI/stable/vdso](https://www.kernel.org/doc/Documentation/ABI/stable/vdso)
 
+{{#include ../../banners/hacktricks-training.md}}