WWW2Exec - __malloc_hook & __free_hook
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
As you can Official GNU site, the variable __malloc_hook
is a pointer pointing to the address of a function that will be called whenever malloc()
is called stored in the data section of the libc library. Therefore, if this address is overwritten with a One Gadget for example and malloc
is called, the One Gadget will be called.
To call malloc it's possible to wait for the program to call it or by calling printf("%10000$c")
which allocates too bytes many making libc
calling malloc to allocate them in the heap.
More info about One Gadget in:
One GadgetNote that hooks are disabled for GLIBC >= 2.34. There are other techniques that can be used on modern GLIBC versions. See: https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md.
This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:
Unsorted Bin AttackIt's posisble to find the address of __free_hook
if the binary has symbols with the following command:
In the post you can find a step by step guide on how to locate the address of the free hook without symbols. As summary, in the free function:
In the mentioned break in the previous code in $eax
will be located the address of the free hook.
Now a fast bin attack is performed:
First of all it's discovered that it's possible to work with fast chunks of size 200 in the __free_hook
location:
If we manage to get a fast chunk of size 0x200 in this location, it'll be possible to overwrite a function pointer that will be executed
For this, a new chunk of size 0xfc
is created and the merged function is called with that pointer twice, this way we obtain a pointer to a freed chunk of size 0xfc*2 = 0x1f8
in the fast bin.
Then, the edit function is called in this chunk to modify the fd
address of this fast bin to point to the previous __free_hook
function.
Then, a chunk with size 0x1f8
is created to retrieve from the fast bin the previous useless chunk so another chunk of size 0x1f8
is created to get a fast bin chunk in the __free_hook
which is overwritten with the address of system
function.
And finally a chunk containing the string /bin/sh\x00
is freed calling the delete function, triggering the __free_hook
function which points to system with /bin/sh\x00
as parameter.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)