> For the complete documentation index, see [llms.txt](https://angelica.gitbook.io/hacktricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://angelica.gitbook.io/hacktricks/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md).

# WWW2Exec - \_\_malloc\_hook & \_\_free\_hook

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## **Malloc Hook**

As you can [Official GNU site](https://www.gnu.org/software/libc/manual/html_node/Hooks-for-Malloc.html), the variable **`__malloc_hook`** is a pointer pointing to the **address of a function that will be called** whenever `malloc()` is called **stored in the data section of the libc library**. Therefore, if this address is overwritten with a **One Gadget** for example and `malloc` is called, the **One Gadget will be called**.

To call malloc it's possible to wait for the program to call it or by **calling `printf("%10000$c")`** which allocates too bytes many making `libc` calling malloc to allocate them in the heap.

More info about One Gadget in:

{% content-ref url="/pages/HBzwUUXP9R8npRNZUSRG" %}
[One Gadget](/hacktricks/binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md)
{% endcontent-ref %}

{% hint style="warning" %}
Note that hooks are **disabled for GLIBC >= 2.34**. There are other techniques that can be used on modern GLIBC versions. See: <https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md>.
{% endhint %}

## Free Hook

This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:

{% content-ref url="/pages/5G7iMBSe3Hoebu3LJ0Qr" %}
[Unsorted Bin Attack](/hacktricks/binary-exploitation/libc-heap/unsorted-bin-attack.md)
{% endcontent-ref %}

It's posisble to find the address of `__free_hook` if the binary has symbols with the following command:

```bash
gef➤  p &__free_hook
```

[In the post](https://guyinatuxedo.github.io/41-house_of_force/bkp16_cookbook/index.html) you can find a step by step guide on how to locate the address of the free hook without symbols. As summary, in the free function:

<pre class="language-armasm"><code class="lang-armasm">gef➤  x/20i free
0xf75dedc0 &#x3C;free>: push   ebx
0xf75dedc1 &#x3C;free+1>: call   0xf768f625
0xf75dedc6 &#x3C;free+6>: add    ebx,0x14323a
0xf75dedcc &#x3C;free+12>:  sub    esp,0x8
0xf75dedcf &#x3C;free+15>:  mov    eax,DWORD PTR [ebx-0x98]
0xf75dedd5 &#x3C;free+21>:  mov    ecx,DWORD PTR [esp+0x10]
<strong>0xf75dedd9 &#x3C;free+25>:  mov    eax,DWORD PTR [eax]--- BREAK HERE
</strong>0xf75deddb &#x3C;free+27>:  test   eax,eax ;&#x3C;
0xf75deddd &#x3C;free+29>:  jne    0xf75dee50 &#x3C;free+144>
</code></pre>

In the mentioned break in the previous code in `$eax` will be located the address of the free hook.

Now a **fast bin attack** is performed:

* First of all it's discovered that it's possible to work with fast **chunks of size 200** in the **`__free_hook`** location:
* <pre class="language-c"><code class="lang-c">gef➤  p &#x26;__free_hook
  $1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 &#x3C;__free_hook>
  gef➤  x/60gx 0x7ff1e9e607a8 - 0x59
  <strong>0x7ff1e9e6074f: 0x0000000000000000      0x0000000000000200
  </strong>0x7ff1e9e6075f: 0x0000000000000000      0x0000000000000000
  0x7ff1e9e6076f &#x3C;list_all_lock+15>:      0x0000000000000000      0x0000000000000000
  0x7ff1e9e6077f &#x3C;_IO_stdfile_2_lock+15>: 0x0000000000000000      0x0000000000000000
  </code></pre>
  * If we manage to get a fast chunk of size 0x200 in this location, it'll be possible to overwrite a function pointer that will be executed
* For this, a new chunk of size `0xfc` is created and the merged function is called with that pointer twice, this way we obtain a pointer to a freed chunk of size `0xfc*2 = 0x1f8` in the fast bin.
* Then, the edit function is called in this chunk to modify the **`fd`** address of this fast bin to point to the previous **`__free_hook`** function.
* Then, a chunk with size `0x1f8` is created to retrieve from the fast bin the previous useless chunk so another chunk of size `0x1f8` is created to get a fast bin chunk in the **`__free_hook`** which is overwritten with the address of **`system`** function.
* And finally a chunk containing the string `/bin/sh\x00` is freed calling the delete function, triggering the **`__free_hook`** function which points to system with `/bin/sh\x00` as parameter.

## References

* <https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook>
* <https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md>.

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
