#60 | bin11 – The basics of use-after-free

Hello, today I’ll get back to my [bin] series and talk a little bit more about use-after-free, the vulnerability I’m focusing on because, once I master the exploitation process, it could be a great way to merge two subjects I like (binary exploitation and web). I probably won’t be able to exploit a UAF after this session, but I might grasp the concept a little bit more.


What’s a use-after-free (UAF)?

A use-after-free is a bug (and the exploitation technique built on it) in which a program keeps using a piece of memory after that memory has been freed. This class of vulnerability has been very popular in browser exploitation, although I’d rather work on it in a language interpreter (PHP). With it you can corrupt part of the memory and, by overwriting pointers, potentially get read/write access to some parts of memory or code execution.


General exploitation idea

Imagine a struct like this:

struct wufar {
  char data[32];   /* user-controlled content */
  int  admin;      /* privilege flag checked elsewhere in the program */
};

Now imagine a program that lets you malloc and free structures like that and that, somewhere else, checks whether you are admin or not. If the free does not clear the pointer that held the (now freed) structure, you can keep using that pointer, and you are in a use-after-free situation.

To corrupt the freed chunk that holds “admin”, you have to be able to allocate another object on top of it: for example through strdup, which calls malloc under the hood, or through another structure of a different size. If you can get an object from the same bin whose data overlaps the old structure, you could theoretically set “admin” to an arbitrary value and have your structure treated as admin.
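To make the reuse described above visible, here is an added example (not from the original post): `struct wufar` is the post’s, while the toy single-size-class bin that stands in for the allocator, and the `uaf_demo`/`fixed_demo`/`is_admin` functions, are assumptions of this example. It shows a stale pointer reading user-supplied bytes once the chunk has been handed out again, and the usual fix of clearing the pointer at free time.

```c
#include <string.h>

struct wufar {              /* the post's struct */
    char data[32];
    int  admin;
};

/* Toy bin standing in for the allocator: one size class, LIFO free list, no
 * poisoning, so a freed chunk is handed straight back to the next request. */
#define CHUNK_SIZE 40
#define NCHUNKS    8
static union { struct wufar w; unsigned char raw[CHUNK_SIZE]; } pool[NCHUNKS];
static void *freelist[NCHUNKS];
static int nfree, nused;

static void *bin_alloc(void) {
    if (nfree > 0) return freelist[--nfree];          /* recycled chunk first */
    return nused < NCHUNKS ? (void *)&pool[nused++] : NULL;
}
static void bin_free(void *p) { freelist[nfree++] = p; }  /* stale bytes survive */

static int is_admin(const struct wufar *w) { return w != NULL && w->admin != 0; }

/* Vulnerable: w is freed but still held. The next same-size request (a copy of
 * user_input, as strdup would make) lands on the same chunk, so the bytes at
 * offsets 32..35 of the string overlay w->admin. */
int uaf_demo(const char *user_input) {
    struct wufar *w = bin_alloc();
    if (!w) return -1;
    memset(w, 0, sizeof *w);              /* admin == 0: an ordinary user */
    bin_free(w);                          /* chunk goes back to the bin */
    char *s = bin_alloc();                /* ...and is returned here: s == w */
    strncpy(s, user_input, CHUNK_SIZE);   /* zero-padded copy into the reused chunk */
    return is_admin(w);                   /* dangling read: sees the user's bytes */
}

/* Fixed: the only reference is cleared at free time, so there is no stale
 * pointer left to read through. */
int fixed_demo(const char *user_input) {
    struct wufar *w = bin_alloc();
    if (!w) return -1;
    memset(w, 0, sizeof *w);
    bin_free(w);
    w = NULL;                             /* nothing left to dereference */
    char *s = bin_alloc();
    strncpy(s, user_input, CHUNK_SIZE);   /* same reuse, but w no longer aliases it */
    return is_admin(w);                   /* always 0 */
}
```

A short string such as "guest" leaves the flag untouched because strncpy zero-pads the chunk; only an input long enough to reach offset 32 flips it.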


How to get code execution with that?

Alright, this part is pure theory, but from what I understand, if you control, for example, a pointer inside a structure, you could read arbitrary parts of memory or potentially write to them, which generally means code execution (leak information with the read, then write arbitrary data to hijack the control flow of the program).

Right now I don’t know many methods to hijack the control flow of a program, but I’ve done one (overwriting the .got); people told me about a few others (overwriting the vdso (?)), but I’ll have to experiment a little bit more.

