malloc_hook, free_hook

A complete PWN from UAF

OK here we go, what are the 3 parts of a PWN?

• Conquer Address Randomization: generate leaks with UAF-view
• Write-What-Where: tcache-poisoning, UAF-edit the linked list
• Control the Instruction Pointer: target the free_hook

OK this is going to be our new baseline heap exploit.

We're going to go after the one at nc 207.154.239.148 1344 just NOT using the win function.

glibc 2.31 version on the playground

OK stages:

• Generate a glibc leak by freeing a large chunk
• malloc two smaller chunks of the same size
• malloc a chunk and write /bin/sh to it
• free(a), free(b) and edit(b, free_hook address)
• malloc (get b), malloc get free_hook, write system address
• free(c) which is actually system("/bin/sh")

OK I'm going to do this from scratch live.

tmux debugging!

OK this will be cool, here's my starter script:

2.32 version...

Now we ALSO need a heap leak before we can write the target.

We write (free_hook ^ heap >> 12)

Next wrinkles

OK suppose you can't control the size of your mallocs

Say they are all small...

Then we want to fake a larger chunk where our chunks are

What if we're in glibc 2.34+, then there is no free_hook:

We have to learn something very fancy: FSOP (not quick to learn)

OR we could maybe target the stack and a return address...