mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 03:53:29 +00:00
100 lines
6.6 KiB
Markdown
100 lines
6.6 KiB
Markdown
|
# WWW2Exec - \_\_malloc\_hook & \_\_free\_hook
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
## **Malloc Hook**
|
||
|
|
||
|
As you can [Official GNU site](https://www.gnu.org/software/libc/manual/html\_node/Hooks-for-Malloc.html), the variable **`__malloc_hook`** is a pointer pointing to the **address of a function that will be called** whenever `malloc()` is called **stored in the data section of the libc library**. Therefore, if this address is overwritten with a **One Gadget** for example and `malloc` is called, the **One Gadget will be called**.
|
||
|
|
||
|
To call malloc it's possible to wait for the program to call it or by **calling `printf("%10000$c")`** which allocates too bytes many making `libc` calling malloc to allocate them in the heap.
|
||
|
|
||
|
More info about One Gadget in:
|
||
|
|
||
|
{% content-ref url="../rop-return-oriented-programing/ret2lib/one-gadget.md" %}
|
||
|
[one-gadget.md](../rop-return-oriented-programing/ret2lib/one-gadget.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
{% hint style="warning" %}
|
||
|
Note that hooks are **disabled for GLIBC >= 2.34**. There are other techniques that can be used on modern GLIBC versions. See: [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).
|
||
|
{% endhint %}
|
||
|
|
||
|
## Free Hook
|
||
|
|
||
|
This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:
|
||
|
|
||
|
{% content-ref url="../libc-heap/unsorted-bin-attack.md" %}
|
||
|
[unsorted-bin-attack.md](../libc-heap/unsorted-bin-attack.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
It's posisble to find the address of `__free_hook` if the binary has symbols with the following command:
|
||
|
|
||
|
```bash
|
||
|
gef➤ p &__free_hook
|
||
|
```
|
||
|
|
||
|
[In the post](https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html) you can find a step by step guide on how to locate the address of the free hook without symbols. As summary, in the free function:
|
||
|
|
||
|
<pre class="language-armasm"><code class="lang-armasm">gef➤ x/20i free
|
||
|
0xf75dedc0 <free>: push ebx
|
||
|
0xf75dedc1 <free+1>: call 0xf768f625
|
||
|
0xf75dedc6 <free+6>: add ebx,0x14323a
|
||
|
0xf75dedcc <free+12>: sub esp,0x8
|
||
|
0xf75dedcf <free+15>: mov eax,DWORD PTR [ebx-0x98]
|
||
|
0xf75dedd5 <free+21>: mov ecx,DWORD PTR [esp+0x10]
|
||
|
<strong>0xf75dedd9 <free+25>: mov eax,DWORD PTR [eax]--- BREAK HERE
|
||
|
</strong>0xf75deddb <free+27>: test eax,eax ;<
|
||
|
0xf75deddd <free+29>: jne 0xf75dee50 <free+144>
|
||
|
</code></pre>
|
||
|
|
||
|
In the mentioned break in the previous code in `$eax` will be located the address of the free hook.
|
||
|
|
||
|
Now a **fast bin attack** is performed:
|
||
|
|
||
|
* First of all it's discovered that it's possible to work with fast **chunks of size 200** in the **`__free_hook`** location:
|
||
|
* <pre class="language-c"><code class="lang-c">gef➤ p &__free_hook
|
||
|
$1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 <__free_hook>
|
||
|
gef➤ x/60gx 0x7ff1e9e607a8 - 0x59
|
||
|
<strong>0x7ff1e9e6074f: 0x0000000000000000 0x0000000000000200
|
||
|
</strong>0x7ff1e9e6075f: 0x0000000000000000 0x0000000000000000
|
||
|
0x7ff1e9e6076f <list_all_lock+15>: 0x0000000000000000 0x0000000000000000
|
||
|
0x7ff1e9e6077f <_IO_stdfile_2_lock+15>: 0x0000000000000000 0x0000000000000000
|
||
|
</code></pre>
|
||
|
* If we manage to get a fast chunk of size 0x200 in this location, it'll be possible to overwrite a function pointer that will be executed
|
||
|
* For this, a new chunk of size `0xfc` is created and the merged function is called with that pointer twice, this way we obtain a pointer to a freed chunk of size `0xfc*2 = 0x1f8` in the fast bin.
|
||
|
* Then, the edit function is called in this chunk to modify the **`fd`** address of this fast bin to point to the previous **`__free_hook`** function.
|
||
|
* Then, a chunk with size `0x1f8` is created to retrieve from the fast bin the previous useless chunk so another chunk of size `0x1f8` is created to get a fast bin chunk in the **`__free_hook`** which is overwritten with the address of **`system`** function.
|
||
|
* And finally a chunk containing the string `/bin/sh\x00` is freed calling the delete function, triggering the **`__free_hook`** function which points to system with `/bin/sh\x00` as parameter.
|
||
|
|
||
|
## References
|
||
|
|
||
|
* [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook)
|
||
|
* [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|