diff --git a/src/AI/AI-llm-architecture/1.-tokenizing.md b/src/AI/AI-llm-architecture/1.-tokenizing.md index 2a6b208e8b7..b8712ad6788 100644 --- a/src/AI/AI-llm-architecture/1.-tokenizing.md +++ b/src/AI/AI-llm-architecture/1.-tokenizing.md @@ -99,4 +99,4 @@ print(token_ids[:50]) - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) -{{#include /banners/hacktricks-training.md}} \ No newline at end of file +{{#include /banners/hacktricks-training.md}} diff --git a/src/AI/AI-llm-architecture/2.-data-sampling.md b/src/AI/AI-llm-architecture/2.-data-sampling.md index 58aae23e9e0..dd990c0bae3 100644 --- a/src/AI/AI-llm-architecture/2.-data-sampling.md +++ b/src/AI/AI-llm-architecture/2.-data-sampling.md @@ -241,4 +241,4 @@ tensor([[ 367, 2885, 1464, 1807], - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) -{{#include /banners/hacktricks-training.md}} \ No newline at end of file +{{#include /banners/hacktricks-training.md}} diff --git a/src/AI/AI-llm-architecture/3.-token-embeddings.md b/src/AI/AI-llm-architecture/3.-token-embeddings.md index db70b8b28ef..afaccba6f72 100644 --- a/src/AI/AI-llm-architecture/3.-token-embeddings.md +++ b/src/AI/AI-llm-architecture/3.-token-embeddings.md @@ -219,4 +219,4 @@ print(input_embeddings.shape) # torch.Size([8, 4, 256]) - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) -{{#include /banners/hacktricks-training.md}} \ No newline at end of file +{{#include /banners/hacktricks-training.md}} diff --git a/src/AI/AI-llm-architecture/5.-llm-architecture.md b/src/AI/AI-llm-architecture/5.-llm-architecture.md index 70c2fc58f70..107f095434b 100644 --- a/src/AI/AI-llm-architecture/5.-llm-architecture.md 
+++ b/src/AI/AI-llm-architecture/5.-llm-architecture.md @@ -702,4 +702,4 @@ print("Output length:", len(out[0])) - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) -{{#include /banners/hacktricks-training.md}} \ No newline at end of file +{{#include /banners/hacktricks-training.md}} diff --git a/src/SUMMARY.md b/src/SUMMARY.md index f83536cbe39..e099c09b39e 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -795,6 +795,7 @@ - [BF Forked & Threaded Stack Canaries](binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md) - [Print Stack Canary](binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md) - [Write What Where 2 Exec](binary-exploitation/arbitrary-write-2-exec/README.md) + - [Aw2exec Sips Icc Profile](binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md) - [WWW2Exec - atexit()](binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md) - [WWW2Exec - .dtors & .fini_array](binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md) - [WWW2Exec - GOT/PLT](binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md) diff --git a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md new file mode 100644 index 00000000000..9e5354d6be7 --- /dev/null +++ b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md 
@@ -0,0 +1,55 @@ +# WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236) + +{{#include ../../banners/hacktricks-training.md}} + +## Overview + +An out-of-bounds write vulnerability in Apple macOS Scriptable Image Processing System (`sips`) ICC profile parser (macOS 15.0.1, sips-307) due to improper validation of the `offsetToCLUT` field in `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. A crafted ICC file can trigger zero-writes up to 16 bytes past the heap buffer, corrupting heap metadata or function pointers and enabling arbitrary code execution (CVE-2024-44236). + +## Vulnerable Code + +The vulnerable function reads and zeroes 16 bytes starting from an attacker-controlled offset without ensuring it lies within the allocated buffer: + +```c +// Pseudocode from sub_1000194D0 in sips-307 (macOS 15.0.1) +for (i = offsetToCLUT; i < offsetToCLUT + 16; i++) { + if (i > numberOfInputChannels && buffer[i] != 0) + buffer[i] = 0; +} +``` + +Only a check `offsetToCLUT <= totalDataLength` is performed. By setting `offsetToCLUT == tagDataSize`, the loop indexes up to 16 bytes past the end of `buffer`, corrupting adjacent heap metadata. + +## Exploitation Steps + +1. **Craft malicious `.icc` profile:** + - Build the ICC header (128 bytes) with signature `acsp` and a single `lutAToBType` or `lutBToAType` tag entry. + - In the tag table, set `offsetToCLUT` equal to the tag's `size` (`tagDataSize`). + - Place attacker-controlled data immediately after the tag data block to overwrite heap metadata. +2. **Trigger parsing:** + + ```bash + sips --verifyColor malicious.icc + ``` + +3. **Heap metadata corruption:** The OOB zero-writes overwrite allocator metadata or adjacent pointers, allowing the attacker to hijack control flow and achieve arbitrary code execution in the context of the `sips` process. + +## Impact + +Successful exploitation results in remote arbitrary code execution at user privilege on macOS systems running the vulnerable `sips` utility. 
+ +## Detection + +- Monitor file transfers on common protocols (FTP, HTTP/S, IMAP, SMB, NFS, SMTP). +- Inspect transferred files with signature `acsp`. +- For each `mAB ` or `mBA ` tag, verify if the `Offset to CLUT` field equals the `Tag data size`. +- Flag as suspicious if this condition is met. + +## References + +- ZDI blog: CVE-2024-44236: Remote Code Execution Vulnerability in Apple macOS sips Utility + https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos +- Apple October 2024 Security Update (patch shipping CVE-2024-44236) + https://support.apple.com/en-us/121564 + +{{#include /banners/hacktricks-training.md}} diff --git a/src/binary-exploitation/array-indexing.md b/src/binary-exploitation/array-indexing.md index 7ec067907fd..77a067dbfba 100644 --- a/src/binary-exploitation/array-indexing.md +++ b/src/binary-exploitation/array-indexing.md @@ -19,3 +19,5 @@ However he you can find some nice **examples**: + +{{#include /banners/hacktricks-training.md}} diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md index c8909154355..ea5a33186ad 100644 --- a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md +++ b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md @@ -122,3 +122,5 @@ Check also the presentation of [https://www.slideshare.net/codeblue_jp/master-ca + +{{#include /banners/hacktricks-training.md}} diff --git a/src/binary-exploitation/ios-exploiting.md b/src/binary-exploitation/ios-exploiting.md index 1692e902653..1b9b61739c6 100644 --- a/src/binary-exploitation/ios-exploiting.md +++ b/src/binary-exploitation/ios-exploiting.md 
@@ -213,4 +213,4 @@ void iosurface_kwrite64(uint64_t addr, uint64_t value) { With these primitives, the exploit provides controlled **32-bit reads** and **64-bit writes** to kernel memory. Further jailbreak steps could involve more stable read/write primitives, which may require bypassing additional protections (e.g., PPL on newer arm64e devices). -{{#include /banners/hacktricks-training.md}} \ No newline at end of file +{{#include /banners/hacktricks-training.md}} diff --git a/src/binary-exploitation/libc-heap/use-after-free/first-fit.md b/src/binary-exploitation/libc-heap/use-after-free/first-fit.md index 7b3f78f2499..fe4a96cb744 100644 --- a/src/binary-exploitation/libc-heap/use-after-free/first-fit.md +++ b/src/binary-exploitation/libc-heap/use-after-free/first-fit.md @@ -65,3 +65,5 @@ d = malloc(20); // a + +{{#include /banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md index a3fb41ac5d3..f2b3a020238 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md @@ -172,3 +172,5 @@ Allow the process to **ask for all the TCC permissions**. + +{{#include /banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/flutter.md b/src/mobile-pentesting/android-app-pentesting/flutter.md index 9d73aef8112..58171242193 100644 --- a/src/mobile-pentesting/android-app-pentesting/flutter.md +++ b/src/mobile-pentesting/android-app-pentesting/flutter.md 
@@ -79,3 +79,5 @@ Flutter itself **ignores device proxy settings**. Easiest options: ## References - [https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/](https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/) + +{{#include /banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/1414-pentesting-ibmmq.md b/src/network-services-pentesting/1414-pentesting-ibmmq.md index ddbd6b2971a..f1536f03884 100644 --- a/src/network-services-pentesting/1414-pentesting-ibmmq.md +++ b/src/network-services-pentesting/1414-pentesting-ibmmq.md @@ -363,3 +363,5 @@ CONTAINER ID IMAGE COMMAND CRE + +{{#include /banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-web/spring-actuators.md b/src/network-services-pentesting/pentesting-web/spring-actuators.md index 19e0ca3ba8f..8bdaabc316d 100644 --- a/src/network-services-pentesting/pentesting-web/spring-actuators.md +++ b/src/network-services-pentesting/pentesting-web/spring-actuators.md @@ -67,3 +67,5 @@ Connection: close + +{{#include /banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-web/vuejs.md b/src/network-services-pentesting/pentesting-web/vuejs.md index 4fad713f440..72ee9430df7 100644 --- a/src/network-services-pentesting/pentesting-web/vuejs.md +++ b/src/network-services-pentesting/pentesting-web/vuejs.md @@ -151,4 +151,4 @@ npm ci --ignore-scripts # safer install - [https://medium.com/@isaacwangethi30/vue-js-security-6e246a7613da](https://medium.com/@isaacwangethi30/vue-js-security-6e246a7613da) - [https://vuejs.org/guide/best-practices/security](https://vuejs.org/guide/best-practices/security) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}} 
diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md b/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md index cb59c86de7a..3d3e304b723 100644 --- a/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md +++ b/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md @@ -55,3 +55,5 @@ if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\ + +{{#include /banners/hacktricks-training.md}} diff --git a/src/pentesting-web/json-xml-yaml-hacking.md b/src/pentesting-web/json-xml-yaml-hacking.md index 6c96e1f5e54..7b268093efb 100644 --- a/src/pentesting-web/json-xml-yaml-hacking.md +++ b/src/pentesting-web/json-xml-yaml-hacking.md @@ -140,4 +140,4 @@ Result: | YAML: unknown keys | `yaml.KnownFields(true)` | -{{#include ../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../banners/hacktricks-training.md}} diff --git a/src/todo/hardware-hacking/fault_injection_attacks.md b/src/todo/hardware-hacking/fault_injection_attacks.md index 02e6cc6316d..16ddab26325 100644 --- a/src/todo/hardware-hacking/fault_injection_attacks.md +++ b/src/todo/hardware-hacking/fault_injection_attacks.md @@ -8,4 +8,4 @@ There are a lot of methods and mediums for injecting fault into an electronic ci -{{#include /banners/hacktricks-training.md}} \ No newline at end of file +{{#include /banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.md b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.md index 87bc156e505..156b87812f0 100644 --- a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.md +++ b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.md 
@@ -66,4 +66,4 @@ Therefore, mass‑linking thousands of users lets an attacker dump hashes “at - [https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory](https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory) -{{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/lateral-movement/scmexec.md b/src/windows-hardening/lateral-movement/scmexec.md index 34d8aaf2c29..14f90a032db 100644 --- a/src/windows-hardening/lateral-movement/scmexec.md +++ b/src/windows-hardening/lateral-movement/scmexec.md @@ -12,4 +12,4 @@ SharpMove.exe action=scm computername=remote.host.local command="C:\windows\temp\payload.exe" servicename=WindowsDebug amsi=true -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/mythic.md b/src/windows-hardening/mythic.md index 6dff9ee2115..15a64150773 100644 --- a/src/windows-hardening/mythic.md +++ b/src/windows-hardening/mythic.md @@ -177,4 +177,4 @@ When user over linux it has some interesting commands: - `pty`: Open up an interactive PTY, allowing for direct interaction with the shell on the target system. -{{#include ../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../banners/hacktricks-training.md}}
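Review bot: the new `SUMMARY.md` entry `- [Aw2exec Sips Icc Profile](binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md)` in the `@@ -795,6 +795,7 @@` hunk is title-cased from the filename and does not match its sibling entries (`WWW2Exec - atexit()`, `WWW2Exec - .dtors & .fini_array`, `WWW2Exec - GOT/PLT`) or the new page's own H1 `# WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236)`. Rename it to something like `WWW2Exec - sips ICC Profile (CVE-2024-44236)` so the sidebar reads consistently and the CVE number is findable from the index.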
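Review bot: in the new `aw2exec-sips-icc-profile.md`, the pseudocode under `## Vulnerable Code` carries a second condition, `if (i > numberOfInputChannels && buffer[i] != 0)`, that the text never explains, while the paragraph right after it states that only `offsetToCLUT <= totalDataLength` is checked; a reader will wonder whether the channel-count comparison is a bounds check. Add one sentence saying that this compares the index against a channel count, not against the buffer length, so it does nothing to keep `i` inside the allocation. Related to that, the `## Detection` rule ("verify if the `Offset to CLUT` field equals the `Tag data size`") is narrower than the bug it describes: with a loop that writes 16 bytes starting at `offsetToCLUT`, any offset in the range `tagDataSize - 15 .. tagDataSize` also writes past the end, so the check should be `offsetToCLUT + 16 > tagDataSize` rather than strict equality. Two smaller points: the two banner includes in this file disagree (`{{#include ../../banners/hacktricks-training.md}}` at the top, `{{#include /banners/hacktricks-training.md}}` at the bottom) while the rest of this commit standardizes on the absolute `/banners/` form, so use that in both places; and `## Overview` names the vulnerable build (macOS 15.0.1, sips-307) but the fixed release is only implied by the Apple advisory link under `## References`, so state the patched version next to the affected one.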
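Review bot: the context line of the `array-indexing.md` hunk, `However he you can find some nice **examples**:`, shows a pre-existing typo (`he you`); since this commit already edits the tail of that file, correcting it to `However, here you can find some nice **examples**:` would be a cheap drive-by fix.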
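Review bot: the context line in the `lfi2rce-via-nginx-temp-files.md` hunk, `if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\`, shows that the Python snippet just above the added banner has been mangled by markdown rendering: `__name__ == "__main__"` has turned into bold markers and `[` is backslash-escaped. That damage predates this change, but since the commit touches the file, wrapping that snippet in a fenced ```python block (or restoring the underscores) would make the example copy-pasteable again.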