hacktricks/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md

# WWW2Exec - \_\_malloc\_hook & \_\_free\_hook

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## **Malloc Hook**

As you can [Official GNU site](https://www.gnu.org/software/libc/manual/html\_node/Hooks-for-Malloc.html), the variable **`__malloc_hook`** is a pointer pointing to the **address of a function that will be called** whenever `malloc()` is called **stored in the data section of the libc library**. Therefore, if this address is overwritten with a **One Gadget** for example and `malloc` is called, the **One Gadget will be called**.

To call malloc it's possible to wait for the program to call it or by **calling `printf("%10000$c")`** which allocates too bytes many making `libc`  calling malloc to allocate them in the heap.

More info about One Gadget in:

{% content-ref url="../rop-return-oriented-programing/ret2lib/one-gadget.md" %}
[one-gadget.md](../rop-return-oriented-programing/ret2lib/one-gadget.md)
{% endcontent-ref %}

{% hint style="warning" %}
Note that hooks are **disabled for GLIBC >= 2.34**. There are other techniques that can be used on modern GLIBC versions. See: [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).
{% endhint %}

## Free Hook

This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:

{% content-ref url="../libc-heap/unsorted-bin-attack.md" %}
[unsorted-bin-attack.md](../libc-heap/unsorted-bin-attack.md)
{% endcontent-ref %}

It's posisble to find the address of `__free_hook` if the binary has symbols with the following command:

```bash
gef➤  p &__free_hook
```

[In the post](https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html) you can find a step by step guide on how to locate the address of the free hook without symbols. As summary, in the free function:

<pre class="language-armasm"><code class="lang-armasm">gef➤  x/20i free
0xf75dedc0 &#x3C;free>: push   ebx
0xf75dedc1 &#x3C;free+1>: call   0xf768f625
0xf75dedc6 &#x3C;free+6>: add    ebx,0x14323a
0xf75dedcc &#x3C;free+12>:  sub    esp,0x8
0xf75dedcf &#x3C;free+15>:  mov    eax,DWORD PTR [ebx-0x98]
0xf75dedd5 &#x3C;free+21>:  mov    ecx,DWORD PTR [esp+0x10]
<strong>0xf75dedd9 &#x3C;free+25>:  mov    eax,DWORD PTR [eax]--- BREAK HERE
</strong>0xf75deddb &#x3C;free+27>:  test   eax,eax ;&#x3C;
0xf75deddd &#x3C;free+29>:  jne    0xf75dee50 &#x3C;free+144>
</code></pre>

In the mentioned break in the previous code in `$eax` will be located the address of the free hook.

Now a **fast bin attack** is performed:

* First of all it's discovered that it's possible to work with fast **chunks of size 200** in the **`__free_hook`** location:
* <pre class="language-c"><code class="lang-c">gef➤  p &#x26;__free_hook
  $1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 &#x3C;__free_hook>
  gef➤  x/60gx 0x7ff1e9e607a8 - 0x59
  <strong>0x7ff1e9e6074f: 0x0000000000000000      0x0000000000000200
  </strong>0x7ff1e9e6075f: 0x0000000000000000      0x0000000000000000
  0x7ff1e9e6076f &#x3C;list_all_lock+15>:      0x0000000000000000      0x0000000000000000
  0x7ff1e9e6077f &#x3C;_IO_stdfile_2_lock+15>: 0x0000000000000000      0x0000000000000000
  </code></pre>
  * If we manage to get a fast chunk of size 0x200 in this location, it'll be possible to overwrite a function pointer that will be executed
* For this, a new chunk of size `0xfc` is created and the merged function is called with that pointer twice, this way we obtain a pointer to a freed chunk of size `0xfc*2 = 0x1f8` in the fast bin.
* Then, the edit function is called in this chunk to modify the **`fd`** address of this fast bin to point to the previous **`__free_hook`** function.
* Then, a chunk with size `0x1f8` is created to retrieve from the fast bin the previous useless chunk so another chunk of size `0x1f8` is created to get a fast bin chunk in the **`__free_hook`** which is overwritten with the address of **`system`** function.
* And finally a chunk containing the string `/bin/sh\x00` is freed calling the delete function, triggering the **`__free_hook`** function which points to system with `/bin/sh\x00` as parameter.

## References

* [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook)
* [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
GITBOOK-4354: No subject 2024-06-12 15:23:07 +00:00			`# WWW2Exec - \_\_malloc\_hook & \_\_free\_hook`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a2 2024-07-18 16:04:36 +00:00			`{% hint style="success" %}`
a 2024-07-18 16:14:56 +00:00			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a2 2024-07-18 16:04:36 +00:00			`<details>`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a2 2024-07-18 16:04:36 +00:00			`<summary>Support HackTricks</summary>`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a2 2024-07-18 16:04:36 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
a2 2024-07-18 16:04:36 +00:00			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
			`</details>`
a2 2024-07-18 16:04:36 +00:00			`{% endhint %}`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
			`## Malloc Hook`

			As you can [Official GNU site](https://www.gnu.org/software/libc/manual/html\_node/Hooks-for-Malloc.html), the variable `__malloc_hook` is a pointer pointing to the address of a function that will be called whenever `malloc()` is called stored in the data section of the libc library. Therefore, if this address is overwritten with a One Gadget for example and `malloc` is called, the One Gadget will be called.

			To call malloc it's possible to wait for the program to call it or by calling `printf("%10000$c")` which allocates too bytes many making `libc` calling malloc to allocate them in the heap.

			`More info about One Gadget in:`

			`{% content-ref url="../rop-return-oriented-programing/ret2lib/one-gadget.md" %}`
			`[one-gadget.md](../rop-return-oriented-programing/ret2lib/one-gadget.md)`
			`{% endcontent-ref %}`

GITBOOK-4302: No subject 2024-04-06 19:44:17 +00:00			`{% hint style="warning" %}`
			`Note that hooks are disabled for GLIBC >= 2.34. There are other techniques that can be used on modern GLIBC versions. See: [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).`
			`{% endhint %}`

GITBOOK-4354: No subject 2024-06-12 15:23:07 +00:00			`## Free Hook`

			`This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:`

GITBOOK-4363: No subject 2024-06-16 08:49:18 +00:00			`{% content-ref url="../libc-heap/unsorted-bin-attack.md" %}`
			`[unsorted-bin-attack.md](../libc-heap/unsorted-bin-attack.md)`
GITBOOK-4354: No subject 2024-06-12 15:23:07 +00:00			`{% endcontent-ref %}`

exploiting WWW 2024-06-17 09:18:12 +00:00			It's posisble to find the address of `__free_hook` if the binary has symbols with the following command:
GITBOOK-4358: No subject 2024-06-13 21:20:27 +00:00
exploiting WWW 2024-06-17 09:18:12 +00:00			```bash
			`gef➤ p &__free_hook`
GITBOOK-4358: No subject 2024-06-13 21:20:27 +00:00			```

exploiting WWW 2024-06-17 09:18:12 +00:00			`[In the post](https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html) you can find a step by step guide on how to locate the address of the free hook without symbols. As summary, in the free function:`
GITBOOK-4358: No subject 2024-06-13 21:20:27 +00:00
			`<pre class="language-armasm"><code class="lang-armasm">gef➤ x/20i free`
			`0xf75dedc0 <free>: push ebx`
			`0xf75dedc1 <free+1>: call 0xf768f625`
			`0xf75dedc6 <free+6>: add ebx,0x14323a`
			`0xf75dedcc <free+12>: sub esp,0x8`
			`0xf75dedcf <free+15>: mov eax,DWORD PTR [ebx-0x98]`
			`0xf75dedd5 <free+21>: mov ecx,DWORD PTR [esp+0x10]`
exploiting WWW 2024-06-17 09:18:12 +00:00			`<strong>0xf75dedd9 <free+25>: mov eax,DWORD PTR [eax]--- BREAK HERE`
			`</strong>0xf75deddb <free+27>: test eax,eax ;<`
			`0xf75deddd <free+29>: jne 0xf75dee50 <free+144>`
GITBOOK-4358: No subject 2024-06-13 21:20:27 +00:00			`</code></pre>`

			In the mentioned break in the previous code in `$eax` will be located the address of the free hook.

GITBOOK-4354: No subject 2024-06-12 15:23:07 +00:00			`Now a fast bin attack is performed:`

			* First of all it's discovered that it's possible to work with fast chunks of size 200 in the `__free_hook` location:
			`* <pre class="language-c"><code class="lang-c">gef➤ p &__free_hook`
			`$1 = (void (*)(void , const void *)) 0x7ff1e9e607a8 <__free_hook>`
			`gef➤ x/60gx 0x7ff1e9e607a8 - 0x59`
			`<strong>0x7ff1e9e6074f: 0x0000000000000000 0x0000000000000200`
			`</strong>0x7ff1e9e6075f: 0x0000000000000000 0x0000000000000000`
			`0x7ff1e9e6076f <list_all_lock+15>: 0x0000000000000000 0x0000000000000000`
			`0x7ff1e9e6077f <_IO_stdfile_2_lock+15>: 0x0000000000000000 0x0000000000000000`
			`</code></pre>`
			`* If we manage to get a fast chunk of size 0x200 in this location, it'll be possible to overwrite a function pointer that will be executed`
			* For this, a new chunk of size `0xfc` is created and the merged function is called with that pointer twice, this way we obtain a pointer to a freed chunk of size `0xfc*2 = 0x1f8` in the fast bin.
			* Then, the edit function is called in this chunk to modify the `fd` address of this fast bin to point to the previous `__free_hook` function.
			* Then, a chunk with size `0x1f8` is created to retrieve from the fast bin the previous useless chunk so another chunk of size `0x1f8` is created to get a fast bin chunk in the `__free_hook` which is overwritten with the address of `system` function.
			* And finally a chunk containing the string `/bin/sh\x00` is freed calling the delete function, triggering the `__free_hook` function which points to system with `/bin/sh\x00` as parameter.

GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00			`## References`

			`* [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook)`
GITBOOK-4302: No subject 2024-04-06 19:44:17 +00:00			`* [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a2 2024-07-18 16:04:36 +00:00			`{% hint style="success" %}`
a 2024-07-18 16:14:56 +00:00			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a2 2024-07-18 16:04:36 +00:00			`<details>`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a2 2024-07-18 16:04:36 +00:00			`<summary>Support HackTricks</summary>`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a2 2024-07-18 16:04:36 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
a2 2024-07-18 16:04:36 +00:00			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
			`</details>`
a2 2024-07-18 16:04:36 +00:00			`{% endhint %}`