how2heap

A repository for learning various heap exploitation techniques.

7,118

1,128

7,118

View on GitHub

Top Related Projects

ctf-tools

8,370

Some setup scripts for security research tools.

pwntools

11,880

CTF framework and exploit development library

MBE

5,421

Course materials for Modern Binary Exploitation by RPISEC

Quick Overview

The shellphish/how2heap repository is a collection of examples that demonstrate various heap exploitation techniques in different programming languages. It serves as a valuable resource for security researchers, bug hunters, and developers interested in understanding and learning about heap-based vulnerabilities and exploitation methods.

Pros

Comprehensive collection of heap exploitation techniques
Covers a wide range of programming languages, including C, C++, and Rust
Provides clear and well-documented examples for each technique
Actively maintained and regularly updated by the community

Cons

Primarily focused on heap exploitation, which may not be relevant for all security researchers or developers
Some examples may require specific system configurations or dependencies
The repository may not provide in-depth explanations or detailed analysis for each technique

Code Examples

Example 1: Exploiting the Unlink Technique in C

#include <stdio.h>
#include <stdlib.h>

int main() {
    printf("Unlink technique\n");

    void *p1 = malloc(0x100);
    void *p2 = malloc(0x100);
    void *p3 = malloc(0x100);

    printf("p1 = %p\n", p1);
    printf("p2 = %p\n", p2);
    printf("p3 = %p\n", p3);

    free(p2);

    printf("Now we free p2\n");

    int offset = offsetof(struct chunk, fd) / sizeof(void *);
    *(void **)(p2 + offset) = (void *)(p2 - offset);
    *(void **)(p2 + offset + 1) = (void *)(p2 - offset);

    printf("Overwriting fd and bk pointers in freed chunk\n");

    void *p4 = malloc(0x100);
    printf("Allocated p4 at %p\n", p4);

    return 0;
}

This example demonstrates the "unlink" technique, which exploits a vulnerability in the heap management system to overwrite arbitrary memory locations.

Example 2: Exploiting the House of Force Technique in C

#include <stdio.h>
#include <stdlib.h>

int main() {
    printf("House of Force technique\n");

    void *p1 = malloc(0x100);
    void *p2 = malloc(0x100);

    printf("p1 = %p\n", p1);
    printf("p2 = %p\n", p2);

    free(p1);
    free(p2);

    printf("Now we free both p1 and p2\n");

    *(size_t *)(p1 - 8) = 0x500;

    printf("Overwriting the size field of the freed chunk\n");

    void *p3 = malloc(0x400);
    printf("Allocated p3 at %p\n", p3);

    return 0;
}

This example demonstrates the "House of Force" technique, which exploits the heap management system by overwriting the size field of a freed chunk to allocate a larger chunk of memory.

Example 3: Exploiting the House of Lore Technique in Rust

use std::alloc::{alloc, dealloc, Layout};

fn main() {
    println!("House of Lore technique");

    let p1 = unsafe { alloc(Layout::from_size_align(0x100, 8).unwrap()) };
    let p2 = unsafe { alloc(Layout::from_size_align(0x100, 8).unwrap()) };

    println!("p1 = {:?}", p1);
    println!("p2 = {:?}", p2);

    unsafe {
        dealloc(p1, Layout::from_size_align(0x100, 8).unwrap());
        dealloc(p2, Layout::from_size_align(0x100, 8).unwrap());
    }

    println!("Now we free both p1 and p2");

    let fake_chunk = [0x41; 0

Competitor Comparisons

ctf-wiki

8,038

Come and join us, we need you!

Pros of ctf-wiki

Broader scope covering various CTF topics beyond just heap exploitation
Collaborative community-driven project with contributions from multiple authors
Available in multiple languages (English and Chinese)

Cons of ctf-wiki

Less focused on specific heap exploitation techniques
May not provide as in-depth coverage of heap-related vulnerabilities
Potentially overwhelming for beginners due to the wide range of topics covered

Code Comparison

While a direct code comparison is not particularly relevant for these repositories, we can compare their approach to presenting information:

ctf-wiki example (simplified):

## Heap Overflow

Heap overflow occurs when...

### Exploitation Technique

1. Allocate memory
2. Overflow buffer
3. Manipulate heap metadata

how2heap example (simplified):

int main() {
    char* chunk = malloc(0x20);
    char* chunk2 = malloc(0x20);
    strcpy(chunk, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    // Overflow into chunk2's metadata
}

ctf-wiki provides more general explanations, while how2heap offers specific code examples demonstrating vulnerabilities and exploitation techniques.

ctf-tools

8,370

Some setup scripts for security research tools.

Pros of ctf-tools

Broader scope: Provides a comprehensive collection of tools for various CTF categories
Easy installation: Offers automated setup scripts for many tools
Regular updates: Actively maintained with frequent additions of new tools

Cons of ctf-tools

Less focused: Not specialized in heap exploitation techniques
Steeper learning curve: Requires familiarity with multiple tools and concepts
Larger footprint: Installs numerous tools, potentially consuming more system resources

Code comparison

how2heap:

int main(void) {
    void *chunk1 = malloc(0x30);
    void *chunk2 = malloc(0x30);
    free(chunk1);
    // ... (exploitation technique demonstration)
}

ctf-tools:

#!/bin/bash
apt-get update
apt-get install -y python-dev wget
pip install pwntools
# ... (tool installation commands)

Summary

how2heap focuses specifically on heap exploitation techniques with educational examples, while ctf-tools provides a broader set of tools for various CTF challenges. how2heap is more suitable for those looking to deepen their understanding of heap-related vulnerabilities, whereas ctf-tools offers a comprehensive toolkit for general CTF participation.

pwntools

11,880

CTF framework and exploit development library

Pros of pwntools

Comprehensive library with a wide range of exploitation tools and utilities
Extensive documentation and active community support
Supports multiple architectures and platforms

Cons of pwntools

Steeper learning curve for beginners
Larger codebase and dependencies
May be overkill for simple exploit development tasks

Code Comparison

pwntools:

from pwn import *

# Create a process and send payload
p = process('./vulnerable_binary')
payload = b'A' * 64 + p64(0xdeadbeef)
p.sendline(payload)
p.interactive()

how2heap:

#include <stdlib.h>
#include <string.h>

int main() {
    char *ptr = malloc(0x80);
    free(ptr);
    // Use-after-free vulnerability
    strcpy(ptr, "Exploited!");
}

While pwntools provides a high-level Python interface for exploit development, how2heap focuses on demonstrating heap exploitation techniques through C code examples. pwntools is more suitable for end-to-end exploit creation, while how2heap serves as an educational resource for understanding specific heap-related vulnerabilities and exploitation methods.

MBE

5,421

Course materials for Modern Binary Exploitation by RPISEC

Pros of MBE

Comprehensive course structure with lectures and labs
Covers a wide range of binary exploitation topics
Includes virtual machine setup for a controlled learning environment

Cons of MBE

Less frequently updated compared to how2heap
Focuses more on traditional exploitation techniques
May require more time investment due to course-like structure

Code Comparison

MBE example (buffer overflow):

void vulnerable_function(char *input) {
    char buffer[64];
    strcpy(buffer, input);
}

how2heap example (use after free):

struct chunk {
    int is_free;
    int data[10];
};

chunk *a = malloc(sizeof(chunk));
free(a);
chunk *b = malloc(sizeof(chunk));
a->is_free = 0; // Use after free

MBE provides a structured approach to learning binary exploitation, offering a comprehensive course with lectures and labs. It covers a wide range of topics but may require more time investment. how2heap, on the other hand, focuses on specific heap exploitation techniques with more frequent updates. The code examples demonstrate the different focus areas, with MBE covering traditional buffer overflows and how2heap emphasizing modern heap exploitation techniques.

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Educational Heap Exploitation

This repo is for learning various heap exploitation techniques. We use Ubuntu's Libc releases as the gold-standard. Each technique is verified to work on corresponding Ubuntu releases. You can run apt source libc6 to download the source code of the Libc your are using on Debian-based operating system. You can also click :arrow_forward: to debug the technique in your browser using gdb.

We came up with the idea during a hack meeting, and have implemented the following techniques:

File	:arrow_forward:	Technique	Glibc-Version	Patch	Applicable CTF Challenges
first_fit.c		Demonstrating glibc malloc's first-fit behavior.
calc_tcache_idx.c		Demonstrating glibc's tcache index calculation.
fastbin_dup.c	:arrow_forward:	Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist.	latest
fastbin_dup_into_stack.c	:arrow_forward:	Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist.	latest		9447-search-engine, 0ctf 2017-babyheap
fastbin_dup_consolidate.c	:arrow_forward:	Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both fastbin freelist and the top chunk.	latest		Hitcon 2016 SleepyHolder
unsafe_unlink.c	:arrow_forward:	Exploiting free on a corrupted chunk to get arbitrary write.	latest		HITCON CTF 2014-stkof, Insomni'hack 2017-Wheel of Robots
house_of_spirit.c	:arrow_forward:	Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer.	latest		hack.lu CTF 2014-OREO
poison_null_byte.c	:arrow_forward:	Exploiting a single null byte overflow.	latest		PlaidCTF 2015-plaiddb, BalsnCTF 2019-PlainNote
house_of_lore.c	:arrow_forward:	Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist.	latest
overlapping_chunks.c	:arrow_forward:	Exploit the overwrite of a freed chunk size in the unsorted bin in order to make a new allocation overlap with an existing chunk	< 2.29	patch	hack.lu CTF 2015-bookstore, Nuit du Hack 2016-night-deamonic-heap
overlapping_chunks_2.c	:arrow_forward:	Exploit the overwrite of an in use chunk size in order to make a new allocation overlap with an existing chunk	< 2.29	patch
mmap_overlapping_chunks.c		Exploit an in use mmap chunk in order to make a new allocation overlap with a current mmap chunk	latest
house_of_force.c	:arrow_forward:	Exploiting the Top Chunk (Wilderness) header in order to get malloc to return a nearly-arbitrary pointer	< 2.29	patch	Boston Key Party 2016-cookbook, BCTF 2016-bcloud
unsorted_bin_into_stack.c	:arrow_forward:	Exploiting the overwrite of a freed chunk on unsorted bin freelist to return a nearly-arbitrary pointer.	< 2.29	patch
unsorted_bin_attack.c	:arrow_forward:	Exploiting the overwrite of a freed chunk on unsorted bin freelist to write a large value into arbitrary address	< 2.29	patch	0ctf 2016-zerostorage
large_bin_attack.c	:arrow_forward:	Exploiting the overwrite of a freed chunk on large bin freelist to write a large value into arbitrary address	latest		0ctf 2018-heapstorm2
house_of_einherjar.c	:arrow_forward:	Exploiting a single null byte overflow to trick malloc into returning a controlled pointer	latest		Seccon 2016-tinypad
house_of_water.c		Exploit a UAF or double free to gain leakless control of the t-cache metadata and a leakless way to link libc in t-cache	latest		37c3 Potluck - Tamagoyaki
sysmalloc_int_free.c		Demonstrating freeing the nearly arbitrary sized Top Chunk (Wilderness) using malloc (sysmalloc `_int_free()` )	latest
house_of_orange.c	:arrow_forward:	Exploiting the Top Chunk (Wilderness) in order to gain arbitrary code execution	< 2.26	patch	Hitcon 2016 houseoforange
house_of_tangerine.c		Exploiting the Top Chunk (Wilderness) in order to trick malloc into returning a completely arbitrary pointer by abusing the tcache freelist	>= 2.26		PicoCTF 2024- high frequency troubles
house_of_roman.c	:arrow_forward:	Leakless technique in order to gain remote code execution via fake fastbins, the unsorted_bin attack and relative overwrites.	< 2.29	patch
tcache_poisoning.c	:arrow_forward:	Tricking malloc into returning a completely arbitrary pointer by abusing the tcache freelist. (requires heap leak on and after 2.32)	> 2.25	patch
tcache_house_of_spirit.c	:arrow_forward:	Frees a fake chunk to get malloc to return a nearly-arbitrary pointer.	> 2.25
house_of_botcake.c	:arrow_forward:	Bypass double free restriction on tcache. Make `tcache_dup` great again.	> 2.25
tcache_stashing_unlink_attack.c	:arrow_forward:	Exploiting the overwrite of a freed chunk on small bin freelist to trick malloc into returning an arbitrary pointer and write a large value into arbitraty address with the help of calloc.	> 2.25		Hitcon 2019 one punch man
fastbin_reverse_into_tcache.c	:arrow_forward:	Exploiting the overwrite of a freed chunk in the fastbin to write a large value into an arbitrary address.	> 2.25
house_of_mind_fastbin.c	:arrow_forward:	Exploiting a single byte overwrite with arena handling to write a large value (heap pointer) to an arbitrary address	latest
house_of_storm.c	:arrow_forward:	Exploiting a use after free on both a large and unsorted bin chunk to return an arbitrary chunk from malloc	< 2.29
house_of_gods.c	:arrow_forward:	A technique to hijack a thread's arena within 8 allocations	< 2.27
decrypt_safe_linking.c	:arrow_forward:	Decrypt the poisoned value in linked list to recover the actual pointer	>= 2.32
safe_link_double_protect.c		Leakless bypass for PROTECT_PTR by protecting a pointer twice, allowing for arbitrary pointer linking in t-cache	>= 2.32		37c3 Potluck - Tamagoyaki
tcache_dup.c(obsolete)		Tricking malloc into returning an already-allocated heap pointer by abusing the tcache freelist.	2.26 - 2.28	patch

The GnuLibc is under constant development and several of the techniques above have let to consistency checks introduced in the malloc/free logic. Consequently, these checks regularly break some of the techniques and require adjustments to bypass them (if possible). We address this issue by keeping multiple versions of the same technique for each Glibc-release that required an adjustment. The structure is glibc_<version>/technique.c.

Have a good example? Add it here! Try to inline the whole technique in a single .c -- it's a lot easier to learn that way.

Get Started

Quick Setup

make sure you have the following packages/tools installed: patchelf zstd wget (of course also build-essential or similar for compilers, make, ...)
also, /usr/bin/python must be/point to your python binary (e. g. /usr/bin/python3)

git clone https://github.com/shellphish/how2heap
cd how2heap
make clean base
./malloc_playground

Notice that this will link the binaries with your system libc. If you want to play with other libc versions. Please refer to Complete Setup.

Complete Setup

You will encounter symbol versioning issues (see this) if you try to LD_PRELOAD libcs to a binary that's compiled on your host machine. We have two ways to bypass it.

Method 1: link against older libc

This one tells linker to link the target binary with the target libc.

git clone https://github.com/shellphish/how2heap
cd how2heap
H2H_USE_SYSTEM_LIBC=N make v2.23

This will link all the binaries against corresponding libcs. What's better is that it comes with debug symbols. Now you can play with any libc versions on your host machine. In this example, it will compile all glibc-2.23 binaries and link them with libc-2.23. You can change the number to play with other libc versions.

Method 2: use docker

This uses Docker-based approach to complie binaries inside an old ubuntu container so it is runnable with the target libc version.

git clone https://github.com/shellphish/how2heap
cd how2heap

# the next command will prepare the target binary so it runs with
# the expected libc version
make base
./glibc_run.sh 2.30 ./malloc_playground -d -p

# now you can play with the binary with glibc-2.30
# and even debug it with the correct symbols
readelf -d -W malloc_playground | grep RUNPATH # or use checksec
readelf -l -W malloc_playground | grep interpreter
gdb -q -ex "start" ./malloc_playground

Heap Exploitation Tools

There are some heap exploitation tools floating around.

Malloc Playground

The malloc_playground.c file given is the source for a program that prompts the user for commands to allocate and free memory interactively.

Pwngdb

Examine the glibc heap in gdb: https://github.com/scwuaptx/Pwngdb

pwndbg

An exploitation-centric gdb plugin that provides the ability to view/tamper with the glibc heap: https://github.com/pwndbg/pwndbg

gef

Another excellent gdb plugin that provides the ability to examine the glibc heap: https://github.com/hugsy/gef

heap-viewer

Examine the glibc heap in IDA Pro: https://github.com/danigargu/heap-viewer

Forkever

Debugger that lets you set "checkpoints" as well as view and edit the heap using a hexeditor: https://github.com/haxkor/forkever

heaptrace

Helps you visualize heap operations by replacing addresses with symbols: https://github.com/Arinerron/heaptrace

Other resources

Some good heap exploitation resources, roughly in order of their publication, are:

glibc in-depth tutorial (https://heap-exploitation.dhavalkapil.com/) - book and exploit samples
ptmalloc fanzine, a set of resources and examples related to meta-data attacks on ptmalloc (http://tukan.farm/2016/07/26/ptmalloc-fanzine/)
A malloc diagram, from libheap (https://raw.githubusercontent.com/cloudburst/libheap/master/heap.png)
Glibc Adventures: The Forgotten Chunk (https://go.contextis.com/rs/140-OCV-459/images/Glibc_Adventures-The_Forgotten_Chunks.pdf) - advanced heap exploitation
Pseudomonarchia jemallocum (http://www.phrack.org/issues/68/10.html)
The House Of Lore: Reloaded (http://phrack.org/issues/67/8.html)
Malloc Des-Maleficarum (http://phrack.org/issues/66/10.html) - some malloc exploitation techniques
Yet another free() exploitation technique (http://phrack.org/issues/66/6.html)
Understanding the heap by breaking it (https://www.blackhat.com/presentations/bh-usa-07/Ferguson/Whitepaper/bh-usa-07-ferguson-WP.pdf) - explains heap implementation and a couple exploits
The use of set_head to defeat the wilderness (http://phrack.org/issues/64/9.html)
The Malloc Maleficarum (http://seclists.org/bugtraq/2005/Oct/118)
OS X heap exploitation techniques (http://phrack.org/issues/63/5.html)
Exploiting The Wilderness (http://seclists.org/vuln-dev/2004/Feb/25)
Advanced Doug lea's malloc exploits (http://phrack.org/issues/61/6.html)
GDB Enhanced Features (GEF) Heap Exploration Tools (https://hugsy.github.io/gef/commands/heap/)
pwndbg Heap Commands (https://browserpwndbg.readthedocs.io/en/docs/commands/heap/heap/)
Painless intro to the Linux userland heap (https://sensepost.com/blog/2017/painless-intro-to-the-linux-userland-heap/)
Heap exploitation techniques that work on glibc-2.31 (https://github.com/StarCross-Tech/heap_exploit_2.31)
Overview of GLIBC heap exploitation techniques (https://0x434b.dev/overview-of-glibc-heap-exploitation-techniques/)

Hardening

There are a couple of "hardening" measures embedded in glibc, like export MALLOC_CHECK_=1 (enables some checks), export MALLOC_PERTURB_=1 (data is overwritten), export MALLOC_MMAP_THRESHOLD_=1 (always use mmap()), ...

More info: mcheck(), mallopt().

There's also some tracing support as mtrace(), malloc_stats(), malloc_info(), memusage, and in other functions in this family.

Top Related Projects

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot