[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-6307":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":27,"readmeContent":28,"aiSummary":29,"trendingCount":16,"starSnapshotCount":16,"syncStatus":15,"lastSyncTime":30,"discoverSource":31},6307,"how2heap","shellphish\u002Fhow2heap","shellphish","A repository for learning various heap exploitation techniques.","",null,"C",8704,1270,259,2,0,4,14,76,13,40.31,"MIT License",false,"master",true,[],"2026-06-12 02:01:18","# Educational Heap Exploitation\n\nThis repo is for learning various heap exploitation techniques.\nWe use Ubuntu's Libc releases as the gold-standard. Each technique is verified to work on corresponding Ubuntu releases.\nYou can run `apt source libc6` to download the source code of the Libc you are using on a Debian-based operating system. You can also click :arrow_forward: to debug the technique in your browser using gdb.\n\nWe came up with the idea during a hack meeting, and have implemented the following techniques:\n\n| File | :arrow_forward: | Technique | Glibc-Version | Patch | Applicable CTF Challenges |\n|------|-----|-----------|---------------|-------|---------------------------|\n| [first_fit.c](first_fit.c) | |  Demonstrating glibc malloc's first-fit behavior. 
| | | |\n| [calc_tcache_idx.c](calc_tcache_idx.c)| |  Demonstrating glibc's tcache index calculation.| | | |\n| [fastbin_dup.c](glibc_2.35\u002Ffastbin_dup.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_fastbin_dup_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist. | \u003C 2.43 | [patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=blobdiff;f=malloc\u002Fmalloc.c;h=fa854fc4b8f75b09902ea7ed1180487beb6e4683;hp=7811152d9d9eba3e0f0a3416d9944cc142caaafe;hb=bf1015fb2d7e4057925481960626533f8571a2fb;hpb=e3062b06c5767f672baf9574c4d7cbebf7d0ee6e) | |\n| [fastbin_dup_into_stack.c](glibc_2.35\u002Ffastbin_dup_into_stack.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_fastbin_dup_into_stack_2.23\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist. 
| \u003C 2.43 | [patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=blobdiff;f=malloc\u002Fmalloc.c;h=fa854fc4b8f75b09902ea7ed1180487beb6e4683;hp=7811152d9d9eba3e0f0a3416d9944cc142caaafe;hb=bf1015fb2d7e4057925481960626533f8571a2fb;hpb=e3062b06c5767f672baf9574c4d7cbebf7d0ee6e) | [9447-search-engine](https:\u002F\u002Fgithub.com\u002Fctfs\u002Fwrite-ups-2015\u002Ftree\u002Fmaster\u002F9447-ctf-2015\u002Fexploitation\u002Fsearch-engine), [0ctf 2017-babyheap](https:\u002F\u002Fweb.archive.org\u002Fweb\u002F20181104155842\u002Fhttp:\u002F\u002Fuaf.io\u002Fexploitation\u002F2017\u002F03\u002F19\u002F0ctf-Quals-2017-BabyHeap2017.html) |\n| [fastbin_dup_consolidate.c](glibc_2.35\u002Ffastbin_dup_consolidate.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_fastbin_dup_consolidate_2.23\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both fastbin freelist and the top chunk. | \u003C 2.43 | [patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=blobdiff;f=malloc\u002Fmalloc.c;h=fa854fc4b8f75b09902ea7ed1180487beb6e4683;hp=7811152d9d9eba3e0f0a3416d9944cc142caaafe;hb=bf1015fb2d7e4057925481960626533f8571a2fb;hpb=e3062b06c5767f672baf9574c4d7cbebf7d0ee6e) | [Hitcon 2016 SleepyHolder](https:\u002F\u002Fgithub.com\u002FmehQQ\u002Fpublic_writeup\u002Ftree\u002Fmaster\u002Fhitcon2016\u002FSleepyHolder) |\n| [unsafe_unlink.c](glibc_2.35\u002Funsafe_unlink.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_unsafe_unlink_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploiting free on a corrupted chunk to get arbitrary write. 
| latest | | [HITCON CTF 2014-stkof](http:\u002F\u002Facez.re\u002Fctf-writeup-hitcon-ctf-2014-stkof-or-modern-heap-overflow\u002F), [Insomni'hack 2017-Wheel of Robots](https:\u002F\u002Fgist.github.com\u002Fniklasb\u002F074428333b817d2ecb63f7926074427a) |\n| [house_of_spirit.c](glibc_2.35\u002Fhouse_of_spirit.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_house_of_spirit_2.23\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer. | latest | | [hack.lu CTF 2014-OREO](https:\u002F\u002Fgithub.com\u002Fctfs\u002Fwrite-ups-2014\u002Ftree\u002Fmaster\u002Fhack-lu-ctf-2014\u002Foreo) |\n| [poison_null_byte.c](glibc_2.35\u002Fpoison_null_byte.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_poison_null_byte_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploiting a single null byte overflow. | latest | | [PlaidCTF 2015-plaiddb](https:\u002F\u002Fgithub.com\u002Fctfs\u002Fwrite-ups-2015\u002Ftree\u002Fmaster\u002Fplaidctf-2015\u002Fpwnable\u002Fplaiddb), [BalsnCTF 2019-PlainNote](https:\u002F\u002Fgist.github.com\u002Fst424204\u002F6b5c007cfa2b62ed3fd2ef30f6533e94?fbclid=IwAR3n0h1WeL21MY6cQ_C51wbXimdts53G3FklVIHw2iQSgtgGo0kR3Lt-1Ek)|\n| [house_of_lore.c](glibc_2.35\u002Fhouse_of_lore.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_house_of_lore_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist. 
| latest | | |\n| [overlapping_chunks.c](glibc_2.27\u002Foverlapping_chunks.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_overlapping_chunks_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploit the overwrite of a freed chunk size in the unsorted bin in order to make a new allocation overlap with an existing chunk | \u003C 2.29 | [patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c) | [hack.lu CTF 2015-bookstore](https:\u002F\u002Fgithub.com\u002Fctfs\u002Fwrite-ups-2015\u002Ftree\u002Fmaster\u002Fhack-lu-ctf-2015\u002Fexploiting\u002Fbookstore), [Nuit du Hack 2016-night-deamonic-heap](https:\u002F\u002Fgithub.com\u002Fctfs\u002Fwrite-ups-2016\u002Ftree\u002Fmaster\u002Fnuitduhack-quals-2016\u002Fexploit-me\u002Fnight-deamonic-heap-400) |\n| [overlapping_chunks_2.c](glibc_2.23\u002Foverlapping_chunks_2.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_overlapping_chunks_2_2.23\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploit the overwrite of an in use chunk size in order to make a new allocation overlap with an existing chunk  | \u003C 2.29|[patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c) | |\n| [mmap_overlapping_chunks.c](glibc_2.35\u002Fmmap_overlapping_chunks.c) | |  Exploit an in use mmap chunk in order to make a new allocation overlap with a current mmap chunk | latest | | |\n| [house_of_force.c](glibc_2.27\u002Fhouse_of_force.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_house_of_force_2.27\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploiting the Top Chunk (Wilderness) header in order to get malloc to return a nearly-arbitrary pointer | \u003C 2.29 | 
[patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=commitdiff;h=30a17d8c95fbfb15c52d1115803b63aaa73a285c) | [Boston Key Party 2016-cookbook](https:\u002F\u002Fgithub.com\u002Fctfs\u002Fwrite-ups-2016\u002Ftree\u002Fmaster\u002Fboston-key-party-2016\u002Fpwn\u002Fcookbook-6), [BCTF 2016-bcloud](https:\u002F\u002Fgithub.com\u002Fctfs\u002Fwrite-ups-2016\u002Ftree\u002Fmaster\u002Fbctf-2016\u002Fexploit\u002Fbcloud-200) |\n| [unsorted_bin_into_stack.c](glibc_2.27\u002Funsorted_bin_into_stack.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_unsorted_bin_into_stack_2.23\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploiting the overwrite of a freed chunk on unsorted bin freelist to return a nearly-arbitrary pointer.  | \u003C 2.29 | [patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c)| |\n| [unsorted_bin_attack.c](glibc_2.27\u002Funsorted_bin_attack.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_unsorted_bin_attack_2.27\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploiting the overwrite of a freed chunk on unsorted bin freelist to write a large value into arbitrary address  | \u003C 2.29 | [patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c) | [0ctf 2016-zerostorage](https:\u002F\u002Fgithub.com\u002Fctfs\u002Fwrite-ups-2016\u002Ftree\u002Fmaster\u002F0ctf-2016\u002Fexploit\u002Fzerostorage-6) |\n| [large_bin_attack.c](glibc_2.35\u002Flarge_bin_attack.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_large_bin_attack_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploiting the overwrite of a freed chunk on large bin freelist to write a large value into arbitrary address  | \u003C 2.42 | 
[patch](https:\u002F\u002Fpatchwork.sourceware.org\u002Fproject\u002Fglibc\u002Fpatch\u002F20250214053454.2346370-1-benjamin.p.kallus.gr@dartmouth.edu\u002F) | [0ctf 2018-heapstorm2](https:\u002F\u002Fdangokyo.me\u002F2018\u002F04\u002F07\u002F0ctf-2018-pwn-heapstorm2-write-up\u002F) |\n| [house_of_einherjar.c](glibc_2.35\u002Fhouse_of_einherjar.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_house_of_einherjar_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploiting a single null byte overflow to trick malloc into returning a controlled pointer  | latest | | [Seccon 2016-tinypad](https:\u002F\u002Fgist.github.com\u002Fhhc0null\u002F4424a2a19a60c7f44e543e32190aaabf) |\n| [house_of_water.c](glibc_2.36\u002Fhouse_of_water.c) | | Exploit a UAF or double free to gain leakless control of the t-cache metadata and a leakless way to link libc in t-cache | latest | | [37c3 Potluck - Tamagoyaki](https:\u002F\u002Fgithub.com\u002FUDPctf\u002FCTF-challenges\u002Ftree\u002Fmain\u002FPotluck-CTF-2023\u002FTamagoyaki)|\n| [sysmalloc_int_free.c](glibc_2.39\u002Fsysmalloc_int_free.c) | | Demonstrating freeing the nearly arbitrary sized Top Chunk (Wilderness) using malloc (sysmalloc  `_int_free()` ) | latest | | |\n| [house_of_orange.c](glibc_2.23\u002Fhouse_of_orange.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_house_of_orange_2.23\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploiting the Top Chunk (Wilderness) in order to gain arbitrary code execution  | \u003C 2.26 | [patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=blobdiff;f=stdlib\u002Fabort.c;h=117a507ff88d862445551f2c07abb6e45a716b75;hp=19882f3e3dc1ab830431506329c94dcf1d7cc252;hb=91e7cf982d0104f0e71770f5ae8e3faf352dea9f;hpb=0c25125780083cbba22ed627756548efe282d1a0) | [Hitcon 2016 
houseoforange](https:\u002F\u002Fgithub.com\u002Fctfs\u002Fwrite-ups-2016\u002Ftree\u002Fmaster\u002Fhitcon-ctf-2016\u002Fpwn\u002Fhouse-of-orange-500) |\n| [house_of_tangerine.c](glibc_2.39\u002Fhouse_of_tangerine.c) |  | Exploiting the Top Chunk (Wilderness) in order to trick malloc into returning a completely arbitrary pointer by abusing the tcache freelist | >= 2.26 |  | [PicoCTF 2024- high frequency troubles](https:\u002F\u002Fplay.picoctf.org\u002Fpractice\u002Fchallenge\u002F441?category=6&page=1&search=high%20frequency%20troubles) |\n| [house_of_roman.c](glibc_2.23\u002Fhouse_of_roman.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_house_of_roman_2.23\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Leakless technique in order to gain remote code execution via fake fastbins, the unsorted\\_bin attack and relative overwrites. |\u003C 2.29 |[patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c) ||\n| [tcache_poisoning.c](glibc_2.35\u002Ftcache_poisoning.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_tcache_poisoning_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Tricking malloc into returning a completely arbitrary pointer by abusing the tcache freelist. (requires heap leak on and after 2.32) | > 2.25  | [patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=commitdiff;h=a1a486d70ebcc47a686ff5846875eacad0940e41) | |\n| [tcache_house_of_spirit.c](glibc_2.35\u002Ftcache_house_of_spirit.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_tcache_house_of_spirit_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Frees a fake chunk to get malloc to return a nearly-arbitrary pointer. 
| > 2.25 | | |\n| [house_of_botcake.c](glibc_2.35\u002Fhouse_of_botcake.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_house_of_botcake_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Bypass the double-free restriction on tcache. Make `tcache_dup` great again. | > 2.25 | | |\n| [tcache_stashing_unlink_attack.c](glibc_2.35\u002Ftcache_stashing_unlink_attack.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_tcache_stashing_unlink_attack_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploiting the overwrite of a freed chunk on the small bin freelist to trick malloc into returning an arbitrary pointer and write a large value into an arbitrary address with the help of calloc. | > 2.25 | | [Hitcon 2019 one punch man](https:\u002F\u002Fgithub.com\u002Fxmzyshypnc\u002Fxz_files\u002Ftree\u002Fmaster\u002Fhitcon2019_one_punch_man) |\n| [fastbin_reverse_into_tcache.c](glibc_2.35\u002Ffastbin_reverse_into_tcache.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_fastbin_reverse_into_tcache_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploiting the overwrite of a freed chunk in the fastbin to write a large value into an arbitrary address. 
| 2.26 - 2.42 | [patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=blobdiff;f=malloc\u002Fmalloc.c;h=fa854fc4b8f75b09902ea7ed1180487beb6e4683;hp=7811152d9d9eba3e0f0a3416d9944cc142caaafe;hb=bf1015fb2d7e4057925481960626533f8571a2fb;hpb=e3062b06c5767f672baf9574c4d7cbebf7d0ee6e) | |\n| [house_of_mind_fastbin.c](glibc_2.35\u002Fhouse_of_mind_fastbin.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_house_of_mind_fastbin_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploiting a single byte overwrite with arena handling to write a large value (heap pointer) to an arbitrary address | \u003C 2.43 | [patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=blobdiff;f=malloc\u002Fmalloc.c;h=fa854fc4b8f75b09902ea7ed1180487beb6e4683;hp=7811152d9d9eba3e0f0a3416d9944cc142caaafe;hb=bf1015fb2d7e4057925481960626533f8571a2fb;hpb=e3062b06c5767f672baf9574c4d7cbebf7d0ee6e) | |\n| [house_of_storm.c](glibc_2.27\u002Fhouse_of_storm.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_house_of_storm_2.27\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Exploiting a use after free on both a large and unsorted bin chunk to return an arbitrary chunk from malloc| \u003C 2.29 | | |\n| [house_of_gods.c](glibc_2.24\u002Fhouse_of_gods.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_house_of_gods_2.24\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | A technique to hijack a thread's arena within 8 allocations | \u003C 2.27 | | |\n| [decrypt_safe_linking.c](glibc_2.35\u002Fdecrypt_safe_linking.c) | \u003Ca href=\"https:\u002F\u002Fwargames.ret2.systems\u002Flevel\u002Fhow2heap_decrypt_safe_linking_2.34\" title=\"Debug Technique In Browser\">:arrow_forward:\u003C\u002Fa> | Decrypt the poisoned value in linked list to recover the actual pointer | >= 2.32 | | |\n| 
[safe_link_double_protect.c](glibc_2.36\u002Fsafe_link_double_protect.c) | | Leakless bypass for PROTECT_PTR by protecting a pointer twice, allowing for arbitrary pointer linking in t-cache | >= 2.32 | | [37c3 Potluck - Tamagoyaki](https:\u002F\u002Fgithub.com\u002FUDPctf\u002FCTF-challenges\u002Ftree\u002Fmain\u002FPotluck-CTF-2023\u002FTamagoyaki)|\n| [tcache_dup.c](obsolete\u002Fglibc_2.27\u002Ftcache_dup.c)(obsolete) | |  Tricking malloc into returning an already-allocated heap pointer by abusing the tcache freelist. | 2.26 - 2.28 | [patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=commit;h=bcdaad21d4635931d1bd3b54a7894276925d081d) | |\n| [tcache_metadata_poisoning.c](glibc_2.27\u002Ftcache_metadata_poisoning.c) | | Trick the tcache into providing arbitrary pointers by manipulating the tcache metadata struct | >= 2.26 | | |\n| [house_of_io.c](glibc_2.31\u002Fhouse_of_io.c) | | Tricking malloc into returning a pointer to arbitrary memory by manipulating the tcache management struct via a UAF on a freed tcache chunk. 
| 2.31 - 2.33 | | |\n| [tcache_relative_write.c](glibc_2.41\u002Ftcache_relative_write.c) | | Arbitrary decimal value and chunk pointer writing in heap by out-of-bounds tcache metadata writing | 2.30-2.41 | [patch](https:\u002F\u002Fsourceware.org\u002Fgit\u002F?p=glibc.git;a=commit;h=cbfd7988107b27b9ff1d0b57fa2c8f13a932e508) | |\n| [tcache_metadata_hijacking](glibc_2.42\u002Ftcache_metadata_hijacking.c) | | Arbitrary allocation by overflow into tcache metadata | >= 2.42 | | |\n\nThe GNU libc is under constant development, and several of the techniques above have led to consistency checks being introduced in the malloc\u002Ffree logic.\nConsequently, these checks regularly break some of the techniques and require adjustments to bypass them (if possible).\nWe address this issue by keeping multiple versions of the same technique for each Glibc release that required an adjustment.\nThe structure is `glibc_\u003Cversion>\u002Ftechnique.c`.\n\nHave a good example?\nAdd it here!\nTry to inline the whole technique in a single `.c` -- it's a lot easier to learn that way.\n\n# Get Started\n\n## Quick Setup\n\n- make sure you have the following packages\u002Ftools installed: `patchelf zstd wget` (of course also `build-essential` or similar for compilers, `make`, ...)\n- also, `\u002Fusr\u002Fbin\u002Fpython` must be\u002Fpoint to your `python` binary (e. g. `\u002Fusr\u002Fbin\u002Fpython3`)\n\n```shell\ngit clone https:\u002F\u002Fgithub.com\u002Fshellphish\u002Fhow2heap\ncd how2heap\nmake clean base\n.\u002Fmalloc_playground\n```\nNote that this will link the binaries with your system libc. If you want to play with other libc versions, 
please refer to `Complete Setup`.\n\n## Complete Setup\n\nYou will encounter symbol versioning issues (see [this](https:\u002F\u002Fgithub.com\u002Fshellphish\u002Fhow2heap\u002Fissues\u002F169)) if you try to `LD_PRELOAD` libcs into a binary that's compiled on your host machine.\nWe have two ways to bypass it.\n\n### Method 1: link against older libc\nThis one tells the linker to link the target binary with the target libc.\n```shell\ngit clone https:\u002F\u002Fgithub.com\u002Fshellphish\u002Fhow2heap\ncd how2heap\nH2H_USE_SYSTEM_LIBC=N make v2.23\n```\nThis will link all the binaries against the corresponding libcs. What's better is that it comes with debug symbols. Now you can play with any libc version on your host machine.\nIn this example, it will compile all glibc-2.23 binaries and link them with libc-2.23. You can change the number to play with other libc versions.\n\n### Method 2: use docker\nThis uses a Docker-based approach to compile binaries inside an old Ubuntu container so they are runnable with the target libc version.\n\n```shell\ngit clone https:\u002F\u002Fgithub.com\u002Fshellphish\u002Fhow2heap\ncd how2heap\n\n# the next command will prepare the target binary so it runs with\n# the expected libc version\nmake base\n.\u002Fglibc_run.sh 2.30 .\u002Fmalloc_playground -d -p\n\n# now you can play with the binary with glibc-2.30\n# and even debug it with the correct symbols\nreadelf -d -W malloc_playground | grep RUNPATH # or use checksec\nreadelf -l -W malloc_playground | grep interpreter\ngdb -q -ex \"start\" .\u002Fmalloc_playground\n```\n\n# Heap Exploitation Tools\n\nThere are some heap exploitation tools floating around.\n\n## Malloc Playground\n\nThe `malloc_playground.c` file given is the source for a program that prompts the user for commands to allocate and free memory interactively.\n\n## Pwngdb\n\nExamine the glibc heap in gdb: https:\u002F\u002Fgithub.com\u002Fscwuaptx\u002FPwngdb\n\n## pwndbg\n\nAn exploitation-centric gdb plugin that provides the 
ability to view\u002Ftamper with the glibc heap: https:\u002F\u002Fgithub.com\u002Fpwndbg\u002Fpwndbg\n\n## gef\n\nAnother excellent gdb plugin that provides the ability to examine the glibc heap: https:\u002F\u002Fgithub.com\u002Fhugsy\u002Fgef\n\n## heap-viewer\n\nExamine the glibc heap in IDA Pro: https:\u002F\u002Fgithub.com\u002Fdanigargu\u002Fheap-viewer\n\n## heaptrace\n\nHelps you visualize heap operations by replacing addresses with symbols: https:\u002F\u002Fgithub.com\u002FArinerron\u002Fheaptrace\n\n# Other resources\n\nSome good heap exploitation resources, roughly in reverse order of their publication, are:\n\n## Useful heap exploitation tutorials\n- Overview of GLIBC heap exploitation techniques (https:\u002F\u002F0x434b.dev\u002Foverview-of-glibc-heap-exploitation-techniques\u002F) \u003C!-- 2022 -->\n- glibc in-depth tutorial (https:\u002F\u002Fheap-exploitation.dhavalkapil.com\u002F) - book and exploit samples \u003C!-- 2022 -->\n- Heap exploitation techniques that work on glibc-2.31 (https:\u002F\u002Fgithub.com\u002FStarCross-Tech\u002Fheap_exploit_2.31) \u003C!-- 2020 -->\n- Painless intro to the Linux userland heap (https:\u002F\u002Fsensepost.com\u002Fblog\u002F2017\u002Fpainless-intro-to-the-linux-userland-heap\u002F) \u003C!-- 2017 -->\n- ptmalloc fanzine, a set of resources and examples related to meta-data attacks on ptmalloc (http:\u002F\u002Ftukan.farm\u002F2016\u002F07\u002F26\u002Fptmalloc-fanzine\u002F) \u003C!-- 2016 -->\n- Glibc Adventures: The Forgotten Chunk (https:\u002F\u002Fgithub.com\u002Fbash-c\u002Fslides\u002Fblob\u002Fmaster\u002Fpwn_heap\u002FGlibc%20Adventures:%20The%20forgotten%20chunks.pdf) - advanced heap exploitation \u003C!-- 2015 -->\n\n## Historical heap exploitation (The History)\n- Pseudomonarchia jemallocum (http:\u002F\u002Fwww.phrack.org\u002Fissues\u002F68\u002F10.html) \u003C!-- 2012 -->\n- The House Of Lore: Reloaded (http:\u002F\u002Fphrack.org\u002Fissues\u002F67\u002F8.html) \u003C!-- 2010 -->\n- 
Malloc Des-Maleficarum (http:\u002F\u002Fphrack.org\u002Fissues\u002F66\u002F10.html) - some malloc exploitation techniques \u003C!-- 2009 -->\n- Yet another free() exploitation technique (http:\u002F\u002Fphrack.org\u002Fissues\u002F66\u002F6.html) \u003C!-- 2009 -->\n- The use of set_head to defeat the wilderness (http:\u002F\u002Fphrack.org\u002Fissues\u002F64\u002F9.html) \u003C!-- 2007 -->\n- Understanding the heap by breaking it (https:\u002F\u002Fwww.blackhat.com\u002Fpresentations\u002Fbh-usa-07\u002FFerguson\u002FWhitepaper\u002Fbh-usa-07-ferguson-WP.pdf) - explains heap implementation and a couple exploits \u003C!-- 2007 -->\n- OS X heap exploitation techniques (http:\u002F\u002Fphrack.org\u002Fissues\u002F63\u002F5.html) \u003C!-- 2005 -->\n- The Malloc Maleficarum (http:\u002F\u002Fseclists.org\u002Fbugtraq\u002F2005\u002FOct\u002F118) \u003C!-- 2005 -->\n- Exploiting The Wilderness (http:\u002F\u002Fseclists.org\u002Fvuln-dev\u002F2004\u002FFeb\u002F25) \u003C!-- 2004 -->\n- Advanced Doug lea's malloc exploits (http:\u002F\u002Fphrack.org\u002Fissues\u002F61\u002F6.html) \u003C!-- 2003 -->\n\n# Hardening\nThere are a couple of \"hardening\" measures embedded in glibc, like `export MALLOC_CHECK_=1` (enables some checks), `export MALLOC_PERTURB_=1` (data is overwritten), `export MALLOC_MMAP_THRESHOLD_=1` (always use mmap()), ...\n\nMore info: [mcheck()](http:\u002F\u002Fwww.gnu.org\u002Fsoftware\u002Flibc\u002Fmanual\u002Fhtml_node\u002FHeap-Consistency-Checking.html), [mallopt()](http:\u002F\u002Fwww.gnu.org\u002Fsoftware\u002Flibc\u002Fmanual\u002Fhtml_node\u002FMalloc-Tunable-Parameters.html).\n\nThere's also some tracing support as [mtrace()](http:\u002F\u002Fmanpages.ubuntu.com\u002Fmtrace), [malloc_stats()](http:\u002F\u002Fmanpages.ubuntu.com\u002Fmalloc_stats), [malloc_info()](http:\u002F\u002Fmanpages.ubuntu.com\u002Fmalloc_info), [memusage](http:\u002F\u002Fmanpages.ubuntu.com\u002Fmemusage), and in other functions in this 
family.\n\n","This project is intended for learning various heap exploitation techniques. It is based on Ubuntu's libc releases and verifies that each technique works on the corresponding Ubuntu release, providing concrete examples such as glibc malloc's first-fit behavior, tcache index calculation, and tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist. The project is written in C and supports online debugging, so users can debug directly in the browser with gdb. It is suited to security researchers, CTF players and anyone interested in memory-management vulnerabilities who wants to study and practice heap overflow attack methods.","2026-06-11 03:06:22","top_language"]