hacktricks/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md

# WWW2Exec - \_\_malloc\_hook & \_\_free\_hook

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

## **Malloc Hook**

As you can [Official GNU site](https://www.gnu.org/software/libc/manual/html\_node/Hooks-for-Malloc.html), the variable **`__malloc_hook`** is a pointer pointing to the **address of a function that will be called** whenever `malloc()` is called **stored in the data section of the libc library**. Therefore, if this address is overwritten with a **One Gadget** for example and `malloc` is called, the **One Gadget will be called**.

To call malloc it's possible to wait for the program to call it or by **calling `printf("%10000$c")`** which allocates too bytes many making `libc`  calling malloc to allocate them in the heap.

More info about One Gadget in:

{% content-ref url="../rop-return-oriented-programing/ret2lib/one-gadget.md" %}
[one-gadget.md](../rop-return-oriented-programing/ret2lib/one-gadget.md)
{% endcontent-ref %}

{% hint style="warning" %}
Note that hooks are **disabled for GLIBC >= 2.34**. There are other techniques that can be used on modern GLIBC versions. See: [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).
{% endhint %}

## Free Hook

This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:

{% content-ref url="../heap/unsorted-bin-attack.md" %}
[unsorted-bin-attack.md](../heap/unsorted-bin-attack.md)
{% endcontent-ref %}

A nice trick (from [**here**](https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html)) to find the location of the free hook if the binary has symbols is to **do something like**:

```
gef➤  set __free_hook = 0xfacade
gef➤  search-pattern 0xfacade
```

In the same post you can find a step by step guide on how to locate the address of the free hook without symbols. As summary, in the free function:

<pre class="language-armasm"><code class="lang-armasm">gef➤  x/20i free
0xf75dedc0 &#x3C;free>: push   ebx
0xf75dedc1 &#x3C;free+1>: call   0xf768f625
0xf75dedc6 &#x3C;free+6>: add    ebx,0x14323a
0xf75dedcc &#x3C;free+12>:  sub    esp,0x8
0xf75dedcf &#x3C;free+15>:  mov    eax,DWORD PTR [ebx-0x98]
0xf75dedd5 &#x3C;free+21>:  mov    ecx,DWORD PTR [esp+0x10]
0xf75dedd9 &#x3C;free+25>:  mov    eax,DWORD PTR [eax]
<strong>0xf75deddb &#x3C;free+27>:  test   eax,eax ;&#x3C;--- BREAK HERE
</strong>0xf75deddd &#x3C;free+29>:  jne    0xf75dee50 &#x3C;free+144>
</code></pre>

In the mentioned break in the previous code in `$eax` will be located the address of the free hook.

Now a **fast bin attack** is performed:

* First of all it's discovered that it's possible to work with fast **chunks of size 200** in the **`__free_hook`** location:
* <pre class="language-c"><code class="lang-c">gef➤  p &#x26;__free_hook
  $1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 &#x3C;__free_hook>
  gef➤  x/60gx 0x7ff1e9e607a8 - 0x59
  <strong>0x7ff1e9e6074f: 0x0000000000000000      0x0000000000000200
  </strong>0x7ff1e9e6075f: 0x0000000000000000      0x0000000000000000
  0x7ff1e9e6076f &#x3C;list_all_lock+15>:      0x0000000000000000      0x0000000000000000
  0x7ff1e9e6077f &#x3C;_IO_stdfile_2_lock+15>: 0x0000000000000000      0x0000000000000000
  </code></pre>
  * If we manage to get a fast chunk of size 0x200 in this location, it'll be possible to overwrite a function pointer that will be executed
* For this, a new chunk of size `0xfc` is created and the merged function is called with that pointer twice, this way we obtain a pointer to a freed chunk of size `0xfc*2 = 0x1f8` in the fast bin.
* Then, the edit function is called in this chunk to modify the **`fd`** address of this fast bin to point to the previous **`__free_hook`** function.
* Then, a chunk with size `0x1f8` is created to retrieve from the fast bin the previous useless chunk so another chunk of size `0x1f8` is created to get a fast bin chunk in the **`__free_hook`** which is overwritten with the address of **`system`** function.
* And finally a chunk containing the string `/bin/sh\x00` is freed calling the delete function, triggering the **`__free_hook`** function which points to system with `/bin/sh\x00` as parameter.

## References

* [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook)
* [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
GITBOOK-4354: No subject 2024-06-12 15:23:07 +00:00			`# WWW2Exec - \_\_malloc\_hook & \_\_free\_hook`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
			`<details>`

			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`

			`Other ways to support HackTricks:`

			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`

			`</details>`

			`## Malloc Hook`

			As you can [Official GNU site](https://www.gnu.org/software/libc/manual/html\_node/Hooks-for-Malloc.html), the variable `__malloc_hook` is a pointer pointing to the address of a function that will be called whenever `malloc()` is called stored in the data section of the libc library. Therefore, if this address is overwritten with a One Gadget for example and `malloc` is called, the One Gadget will be called.

			To call malloc it's possible to wait for the program to call it or by calling `printf("%10000$c")` which allocates too bytes many making `libc` calling malloc to allocate them in the heap.

			`More info about One Gadget in:`

			`{% content-ref url="../rop-return-oriented-programing/ret2lib/one-gadget.md" %}`
			`[one-gadget.md](../rop-return-oriented-programing/ret2lib/one-gadget.md)`
			`{% endcontent-ref %}`

GITBOOK-4302: No subject 2024-04-06 19:44:17 +00:00			`{% hint style="warning" %}`
			`Note that hooks are disabled for GLIBC >= 2.34. There are other techniques that can be used on modern GLIBC versions. See: [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).`
			`{% endhint %}`

GITBOOK-4354: No subject 2024-06-12 15:23:07 +00:00			`## Free Hook`

			`This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:`

			`{% content-ref url="../heap/unsorted-bin-attack.md" %}`
			`[unsorted-bin-attack.md](../heap/unsorted-bin-attack.md)`
			`{% endcontent-ref %}`

GITBOOK-4358: No subject 2024-06-13 21:20:27 +00:00			`A nice trick (from [here](https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html)) to find the location of the free hook if the binary has symbols is to do something like:`

			```
			`gef➤ set __free_hook = 0xfacade`
			`gef➤ search-pattern 0xfacade`
			```

			`In the same post you can find a step by step guide on how to locate the address of the free hook without symbols. As summary, in the free function:`

			`<pre class="language-armasm"><code class="lang-armasm">gef➤ x/20i free`
			`0xf75dedc0 <free>: push ebx`
			`0xf75dedc1 <free+1>: call 0xf768f625`
			`0xf75dedc6 <free+6>: add ebx,0x14323a`
			`0xf75dedcc <free+12>: sub esp,0x8`
			`0xf75dedcf <free+15>: mov eax,DWORD PTR [ebx-0x98]`
			`0xf75dedd5 <free+21>: mov ecx,DWORD PTR [esp+0x10]`
			`0xf75dedd9 <free+25>: mov eax,DWORD PTR [eax]`
			`<strong>0xf75deddb <free+27>: test eax,eax ;<--- BREAK HERE`
			`</strong>0xf75deddd <free+29>: jne 0xf75dee50 <free+144>`
			`</code></pre>`

			In the mentioned break in the previous code in `$eax` will be located the address of the free hook.

GITBOOK-4354: No subject 2024-06-12 15:23:07 +00:00			`Now a fast bin attack is performed:`

			* First of all it's discovered that it's possible to work with fast chunks of size 200 in the `__free_hook` location:
			`* <pre class="language-c"><code class="lang-c">gef➤ p &__free_hook`
			`$1 = (void (*)(void , const void *)) 0x7ff1e9e607a8 <__free_hook>`
			`gef➤ x/60gx 0x7ff1e9e607a8 - 0x59`
			`<strong>0x7ff1e9e6074f: 0x0000000000000000 0x0000000000000200`
			`</strong>0x7ff1e9e6075f: 0x0000000000000000 0x0000000000000000`
			`0x7ff1e9e6076f <list_all_lock+15>: 0x0000000000000000 0x0000000000000000`
			`0x7ff1e9e6077f <_IO_stdfile_2_lock+15>: 0x0000000000000000 0x0000000000000000`
			`</code></pre>`
			`* If we manage to get a fast chunk of size 0x200 in this location, it'll be possible to overwrite a function pointer that will be executed`
			* For this, a new chunk of size `0xfc` is created and the merged function is called with that pointer twice, this way we obtain a pointer to a freed chunk of size `0xfc*2 = 0x1f8` in the fast bin.
			* Then, the edit function is called in this chunk to modify the `fd` address of this fast bin to point to the previous `__free_hook` function.
			* Then, a chunk with size `0x1f8` is created to retrieve from the fast bin the previous useless chunk so another chunk of size `0x1f8` is created to get a fast bin chunk in the `__free_hook` which is overwritten with the address of `system` function.
			* And finally a chunk containing the string `/bin/sh\x00` is freed calling the delete function, triggering the `__free_hook` function which points to system with `/bin/sh\x00` as parameter.

GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00			`## References`

			`* [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook)`
GITBOOK-4302: No subject 2024-04-06 19:44:17 +00:00			`* [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
			`<details>`

			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`

			`Other ways to support HackTricks:`

			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`

			`</details>`