6.7 KiB
WWW2Exec - __malloc_hook & __free_hook
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Malloc Hook
As you can Official GNU site, the variable __malloc_hook
is a pointer pointing to the address of a function that will be called whenever malloc()
is called stored in the data section of the libc library. Therefore, if this address is overwritten with a One Gadget for example and malloc
is called, the One Gadget will be called.
To call malloc it's possible to wait for the program to call it or by calling printf("%10000$c")
which allocates too bytes many making libc
calling malloc to allocate them in the heap.
More info about One Gadget in:
{% content-ref url="../rop-return-oriented-programing/ret2lib/one-gadget.md" %} one-gadget.md {% endcontent-ref %}
{% hint style="warning" %} Note that hooks are disabled for GLIBC >= 2.34. There are other techniques that can be used on modern GLIBC versions. See: https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md. {% endhint %}
Free Hook
This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:
{% content-ref url="../heap/unsorted-bin-attack.md" %} unsorted-bin-attack.md {% endcontent-ref %}
A nice trick (from here) to find the location of the free hook if the binary has symbols is to do something like:
gef➤ set __free_hook = 0xfacade
gef➤ search-pattern 0xfacade
In the same post you can find a step by step guide on how to locate the address of the free hook without symbols. As summary, in the free function:
gef➤ x/20i free
0xf75dedc0 <free>: push ebx
0xf75dedc1 <free+1>: call 0xf768f625
0xf75dedc6 <free+6>: add ebx,0x14323a
0xf75dedcc <free+12>: sub esp,0x8
0xf75dedcf <free+15>: mov eax,DWORD PTR [ebx-0x98]
0xf75dedd5 <free+21>: mov ecx,DWORD PTR [esp+0x10]
0xf75dedd9 <free+25>: mov eax,DWORD PTR [eax]
0xf75deddb <free+27>: test eax,eax ;<--- BREAK HERE
0xf75deddd <free+29>: jne 0xf75dee50 <free+144>
In the mentioned break in the previous code in $eax
will be located the address of the free hook.
Now a fast bin attack is performed:
- First of all it's discovered that it's possible to work with fast chunks of size 200 in the
__free_hook
location: -
gef➤ p &__free_hook $1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 <__free_hook> gef➤ x/60gx 0x7ff1e9e607a8 - 0x59 0x7ff1e9e6074f: 0x0000000000000000 0x0000000000000200 0x7ff1e9e6075f: 0x0000000000000000 0x0000000000000000 0x7ff1e9e6076f <list_all_lock+15>: 0x0000000000000000 0x0000000000000000 0x7ff1e9e6077f <_IO_stdfile_2_lock+15>: 0x0000000000000000 0x0000000000000000
- If we manage to get a fast chunk of size 0x200 in this location, it'll be possible to overwrite a function pointer that will be executed
- For this, a new chunk of size
0xfc
is created and the merged function is called with that pointer twice, this way we obtain a pointer to a freed chunk of size0xfc*2 = 0x1f8
in the fast bin. - Then, the edit function is called in this chunk to modify the
fd
address of this fast bin to point to the previous__free_hook
function. - Then, a chunk with size
0x1f8
is created to retrieve from the fast bin the previous useless chunk so another chunk of size0x1f8
is created to get a fast bin chunk in the__free_hook
which is overwritten with the address ofsystem
function. - And finally a chunk containing the string
/bin/sh\x00
is freed calling the delete function, triggering the__free_hook
function which points to system with/bin/sh\x00
as parameter.
References
- https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook
- https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md.
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.