| description |
|---|
10/16/2023 |
A use-after-free (UAF) is a class of vulnerabilities that occurs when a program tries to dereference a pointer that points to a freed chunk in the heap.
The explicit attempt to access that chunk that has been previously freed is called a (UAF) bug.
- Program crash
- Printing unexpected values or data
- Code execution
free()datamalloc()data- Add data
- Cause a dangling pointer to call your code // execute your shellcode
 (1) (1) (1) (1) (1) (1).png)
p still points to chunk A which now contains the address for function f2
In the depiction above, p still points to chunk A and when it is accessed again, f2 will be executed.
This ultimately leverages a particular behavior in ptmalloc()'s allocator where malloc() will return the address of the first chunk that matches a memory requirement.
We can see this behavior below in the following snippet:
{% embed url="https://github.com/shellphish/how2heap" %} Reference {% endembed %}
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main()
{
fprintf(stderr, "This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.\n");
fprintf(stderr, "glibc uses a first-fit algorithm to select a free chunk.\n");
fprintf(stderr, "If a chunk is free and large enough, malloc will select this chunk.\n");
fprintf(stderr, "This can be exploited in a use-after-free situation.\n");
fprintf(stderr, "Allocating 2 buffers. They can be large, don't have to be fastbin.\n");
char* a = malloc(0x512);
char* b = malloc(0x256);
char* c;
fprintf(stderr, "1st malloc(0x512): %p\n", a);
fprintf(stderr, "2nd malloc(0x256): %p\n", b);
fprintf(stderr, "we could continue mallocing here...\n");
fprintf(stderr, "now let's put a string at a that we can read later \"this is A!\"\n");
strcpy(a, "this is A!");
fprintf(stderr, "first allocation %p points to %s\n", a, a);
fprintf(stderr, "Freeing the first one...\n");
free(a);
fprintf(stderr, "We don't need to free anything again. As long as we allocate smaller than 0x512, it will end up at %p\n", a);
fprintf(stderr, "So, let's allocate 0x500 bytes\n");
c = malloc(0x500);
fprintf(stderr, "3rd malloc(0x500): %p\n", c);
fprintf(stderr, "And put a different string here, \"this is C!\"\n");
strcpy(c, "this is C!");
fprintf(stderr, "3rd allocation %p points to %s\n", c, c);
fprintf(stderr, "first allocation %p points to %s\n", a, a);
fprintf(stderr, "If we reuse the first allocation, it now holds the data from the third allocation.\n");
}#include <stdio.h>
#include <stdlib.h>
struct unicorn_counter { int num; };
int main() {
struct unicorn_counter* p_unicorn_counter;
int* run_calc = malloc(sizeof(int));
*run_calc = 0;
free(run_calc);
p_unicorn_counter = malloc(sizeof(struct unicorn_counter));
p_unicorn_counter->num = 42;
if (*run_calc) execl("/bin/sh", 0);
}This appears as if it should never work, right?
Well, when *run_calc is set to 0, p_unicorn_counter will point to the same chunk as run_calc because they both have similar memory requirements.
Therefore, once run_calc is accessed again, it will contain a different value and allow for the call to execl() and execute "/bin/sh".
{% embed url="https://infosecwriteups.com/use-after-free-13544be5a921" %}