WWW2Exec - __malloc_hook & __free_hook

Malloc Hook

As you can Official GNU site, the variable __malloc_hook is a pointer pointing to the address of a function that will be called whenever malloc() is called stored in the data section of the libc library. Therefore, if this address is overwritten with a One Gadget for example and malloc is called, the One Gadget will be called.

To call malloc it's possible to wait for the program to call it or by calling printf("%10000$c") which allocates too bytes many making libc calling malloc to allocate them in the heap.

More info about One Gadget in:

Free Hook

This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:

It's posisble to find the address of __free_hook if the binary has symbols with the following command:

gef➤  p &__free_hook

In the post you can find a step by step guide on how to locate the address of the free hook without symbols. As summary, in the free function:

gef➤  x/20i free
0xf75dedc0 <free>: push   ebx
0xf75dedc1 <free+1>: call   0xf768f625
0xf75dedc6 <free+6>: add    ebx,0x14323a
0xf75dedcc <free+12>:  sub    esp,0x8
0xf75dedcf <free+15>:  mov    eax,DWORD PTR [ebx-0x98]
0xf75dedd5 <free+21>:  mov    ecx,DWORD PTR [esp+0x10]
0xf75dedd9 <free+25>:  mov    eax,DWORD PTR [eax]--- BREAK HERE
0xf75deddb <free+27>:  test   eax,eax ;<
0xf75deddd <free+29>:  jne    0xf75dee50 <free+144>

In the mentioned break in the previous code in $eax will be located the address of the free hook.

Now a fast bin attack is performed:

• First of all it's discovered that it's possible to work with fast chunks of size 200 in the __free_hook location:

• Copy

  gef➤  p &__free_hook
  $1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 <__free_hook>
  gef➤  x/60gx 0x7ff1e9e607a8 - 0x59
  0x7ff1e9e6074f: 0x0000000000000000      0x0000000000000200
  0x7ff1e9e6075f: 0x0000000000000000      0x0000000000000000
  0x7ff1e9e6076f <list_all_lock+15>:      0x0000000000000000      0x0000000000000000
  0x7ff1e9e6077f <_IO_stdfile_2_lock+15>: 0x0000000000000000      0x0000000000000000

  • If we manage to get a fast chunk of size 0x200 in this location, it'll be possible to overwrite a function pointer that will be executed

• For this, a new chunk of size 0xfc is created and the merged function is called with that pointer twice, this way we obtain a pointer to a freed chunk of size 0xfc*2 = 0x1f8 in the fast bin.

• Then, the edit function is called in this chunk to modify the fd address of this fast bin to point to the previous __free_hook function.

• Then, a chunk with size 0x1f8 is created to retrieve from the fast bin the previous useless chunk so another chunk of size 0x1f8 is created to get a fast bin chunk in the __free_hook which is overwritten with the address of system function.

• And finally a chunk containing the string /bin/sh\x00 is freed calling the delete function, triggering the __free_hook function which points to system with /bin/sh\x00 as parameter.

References

• https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook

• https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md.