cool head picture

UNLE⛧SH THE BEAST ト何ゼ

Use After Free Simply Explained

Jan. 27, 2021 // echel0n

  1. // gcc heap_uaf.c -o heap_uaf

  2. int main(){

  3. 

  4. 	int DEBUG = 1;

  5. 	

  6. 	char *user_input = malloc(0x30);

  7. 	if(DEBUG) printf("user_input: %p\n", user_input); 

  8. 	char *flag_content = malloc(0x30);

  9. 	if(DEBUG) printf("flag_content: %p\n", flag_content); 

  10. 	printf("Name? ");

  11. 	scanf("%7s", user_input);

  12. 	printf("Hello %s!\n", user_input);

  13. 	/*

  14. 	 *

  15. 	 *	If you uncomment free(), the output will be like this.

  16. 	 *

  17. 	 * 	Name? 1

  18. 	 *	Hello 1!

  19. 	 *	Auth: 0

  20. 	 *	Password? 2

  21. 	 *	Auth: 50 

  22. 	 *	< flag output here

  23. 	 *	(fact: decimal 50 is representation of '2' string.)

  24. 	 *	Why it works?

  25. 	 *	Because when you free user_input

  26. 	 *	authenticated variable address will be the same address of user_input.

  27. 	 *	Which means, authenticated variable value will be changed and authentication will be broken as fuck.

  28. 	 * */

  29. 

  30. 	// comment this, it works as intented.

  31. 	free(user_input);

  32. 

  33. 	long *authenticated = malloc(0x30);

  34. 	if(DEBUG) printf("authenticated: %p\n", authenticated); 

  35. 	*authenticated = 0;

  36. 	if(DEBUG) printf("Authenticated value: %x\n", *authenticated); 

  37. 	printf("Password? ");

  38. 	scanf("%7s", user_input);

  39. 	if (getuid() == 0 || strcmp(user_input, "hunter2") == 0){

  40. 		*authenticated = 1;

  41. 	}

  42. 

  43. 	if(DEBUG) printf("Authenticated value: %x\n", *authenticated); 

  44. 	

  45. 	if (*authenticated){

  46. 		open("/flag",0);

  47. 		read(3, flag_content, 0x30);

  48. 		write(1, flag_content, 0x30);

  49. 	}

  50. 	return 0;

  51. }
Disclosure
  1. #include <assert.h>

  2. int main(int argc, char *argv[])

  3. {

  4. 	char *password = malloc(0x10);

  5. 	char *name = malloc(0x10);

  6. 

  7. 	printf("Password? ");

  8. 	scanf("%7s", password);

  9. 	assert(strcmp(password, "hunter2") == 0);

  10. 	free(password);

  11. 

  12. 	printf("Name? ");

  13. 	scanf("%7s", name);

  14. 	printf("Hello %s!\n", name);

  15. 	

  16. 

  17. 	// here comes the danger!

  18. 	free(name);

  19. 

  20. 	printf("Goodbye, %s!\n", name);

  21. 	

  22. 	/*

  23. 	 * You will likely see something garbage after "Goodbye!, " string.

  24. 	 * 

  25. 	 * This garbage will be a heap address

  26. 	 *

  27. 	 *	00000000: 5061 7373 776f 7264 3f20 4e61 6d65 3f20  Password? Name?

  28. 	 *	00000010: 4865 6c6c 6f20 4141 4141 4141 4121 0a47  Hello AAAAAAA!.G

  29. 	 *	00000020: 6f6f 6462 7965 2c20 c579 7330 2956 210a  oodbye, .ys0)V!.

  30. 	 *

  31. 	 * '0a' ignore this, this is \n

  32. 	 * the part we interested in this: c579 7330 2956

  33. 	 * This is a heap address in little endian

  34. 	 * */

  35. 

  36. 	return 0;

  37. }