Home

Awesome

Educational Heap Exploitation

This repo is for learning various heap exploitation techniques. We use Ubuntu's Libc releases as the gold-standard. Each technique is verified to work on corresponding Ubuntu releases. You can run apt source libc6 to download the source code of the Libc your are using on Debian-based operating system. You can also click :arrow_forward: to debug the technique in your browser using gdb.

We came up with the idea during a hack meeting, and have implemented the following techniques:

File:arrow_forward:TechniqueGlibc-VersionPatchApplicable CTF Challenges
first_fit.cDemonstrating glibc malloc's first-fit behavior.
calc_tcache_idx.cDemonstrating glibc's tcache index calculation.
fastbin_dup.c<a href="https://wargames.ret2.systems/level/how2heap_fastbin_dup_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist.latest
fastbin_dup_into_stack.c<a href="https://wargames.ret2.systems/level/how2heap_fastbin_dup_into_stack_2.23" title="Debug Technique In Browser">:arrow_forward:</a>Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist.latest9447-search-engine, 0ctf 2017-babyheap
fastbin_dup_consolidate.c<a href="https://wargames.ret2.systems/level/how2heap_fastbin_dup_consolidate_2.23" title="Debug Technique In Browser">:arrow_forward:</a>Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both fastbin freelist and the top chunk.latestHitcon 2016 SleepyHolder
unsafe_unlink.c<a href="https://wargames.ret2.systems/level/how2heap_unsafe_unlink_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Exploiting free on a corrupted chunk to get arbitrary write.latestHITCON CTF 2014-stkof, Insomni'hack 2017-Wheel of Robots
house_of_spirit.c<a href="https://wargames.ret2.systems/level/how2heap_house_of_spirit_2.23" title="Debug Technique In Browser">:arrow_forward:</a>Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer.latesthack.lu CTF 2014-OREO
poison_null_byte.c<a href="https://wargames.ret2.systems/level/how2heap_poison_null_byte_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Exploiting a single null byte overflow.latestPlaidCTF 2015-plaiddb, BalsnCTF 2019-PlainNote
house_of_lore.c<a href="https://wargames.ret2.systems/level/how2heap_house_of_lore_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist.latest
overlapping_chunks.c<a href="https://wargames.ret2.systems/level/how2heap_overlapping_chunks_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Exploit the overwrite of a freed chunk size in the unsorted bin in order to make a new allocation overlap with an existing chunk< 2.29patchhack.lu CTF 2015-bookstore, Nuit du Hack 2016-night-deamonic-heap
overlapping_chunks_2.c<a href="https://wargames.ret2.systems/level/how2heap_overlapping_chunks_2_2.23" title="Debug Technique In Browser">:arrow_forward:</a>Exploit the overwrite of an in use chunk size in order to make a new allocation overlap with an existing chunk< 2.29patch
mmap_overlapping_chunks.cExploit an in use mmap chunk in order to make a new allocation overlap with a current mmap chunklatest
house_of_force.c<a href="https://wargames.ret2.systems/level/how2heap_house_of_force_2.27" title="Debug Technique In Browser">:arrow_forward:</a>Exploiting the Top Chunk (Wilderness) header in order to get malloc to return a nearly-arbitrary pointer< 2.29patchBoston Key Party 2016-cookbook, BCTF 2016-bcloud
unsorted_bin_into_stack.c<a href="https://wargames.ret2.systems/level/how2heap_unsorted_bin_into_stack_2.23" title="Debug Technique In Browser">:arrow_forward:</a>Exploiting the overwrite of a freed chunk on unsorted bin freelist to return a nearly-arbitrary pointer.< 2.29patch
unsorted_bin_attack.c<a href="https://wargames.ret2.systems/level/how2heap_unsorted_bin_attack_2.27" title="Debug Technique In Browser">:arrow_forward:</a>Exploiting the overwrite of a freed chunk on unsorted bin freelist to write a large value into arbitrary address< 2.29patch0ctf 2016-zerostorage
large_bin_attack.c<a href="https://wargames.ret2.systems/level/how2heap_large_bin_attack_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Exploiting the overwrite of a freed chunk on large bin freelist to write a large value into arbitrary addresslatest0ctf 2018-heapstorm2
house_of_einherjar.c<a href="https://wargames.ret2.systems/level/how2heap_house_of_einherjar_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Exploiting a single null byte overflow to trick malloc into returning a controlled pointerlatestSeccon 2016-tinypad
house_of_water.cExploit a UAF or double free to gain leakless control of the t-cache metadata and a leakless way to link libc in t-cachelatest37c3 Potluck - Tamagoyaki
sysmalloc_int_free.cDemonstrating freeing the nearly arbitrary sized Top Chunk (Wilderness) using malloc (sysmalloc _int_free() )latest
house_of_orange.c<a href="https://wargames.ret2.systems/level/how2heap_house_of_orange_2.23" title="Debug Technique In Browser">:arrow_forward:</a>Exploiting the Top Chunk (Wilderness) in order to gain arbitrary code execution< 2.26patchHitcon 2016 houseoforange
house_of_tangerine.cExploiting the Top Chunk (Wilderness) in order to trick malloc into returning a completely arbitrary pointer by abusing the tcache freelist>= 2.26PicoCTF 2024- high frequency troubles
house_of_roman.c<a href="https://wargames.ret2.systems/level/how2heap_house_of_roman_2.23" title="Debug Technique In Browser">:arrow_forward:</a>Leakless technique in order to gain remote code execution via fake fastbins, the unsorted_bin attack and relative overwrites.< 2.29patch
tcache_poisoning.c<a href="https://wargames.ret2.systems/level/how2heap_tcache_poisoning_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Tricking malloc into returning a completely arbitrary pointer by abusing the tcache freelist. (requires heap leak on and after 2.32)> 2.25patch
tcache_house_of_spirit.c<a href="https://wargames.ret2.systems/level/how2heap_tcache_house_of_spirit_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Frees a fake chunk to get malloc to return a nearly-arbitrary pointer.> 2.25
house_of_botcake.c<a href="https://wargames.ret2.systems/level/how2heap_house_of_botcake_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Bypass double free restriction on tcache. Make tcache_dup great again.> 2.25
tcache_stashing_unlink_attack.c<a href="https://wargames.ret2.systems/level/how2heap_tcache_stashing_unlink_attack_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Exploiting the overwrite of a freed chunk on small bin freelist to trick malloc into returning an arbitrary pointer and write a large value into arbitraty address with the help of calloc.> 2.25Hitcon 2019 one punch man
fastbin_reverse_into_tcache.c<a href="https://wargames.ret2.systems/level/how2heap_fastbin_reverse_into_tcache_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Exploiting the overwrite of a freed chunk in the fastbin to write a large value into an arbitrary address.> 2.25
house_of_mind_fastbin.c<a href="https://wargames.ret2.systems/level/how2heap_house_of_mind_fastbin_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Exploiting a single byte overwrite with arena handling to write a large value (heap pointer) to an arbitrary addresslatest
house_of_storm.c<a href="https://wargames.ret2.systems/level/how2heap_house_of_storm_2.27" title="Debug Technique In Browser">:arrow_forward:</a>Exploiting a use after free on both a large and unsorted bin chunk to return an arbitrary chunk from malloc< 2.29
house_of_gods.c<a href="https://wargames.ret2.systems/level/how2heap_house_of_gods_2.24" title="Debug Technique In Browser">:arrow_forward:</a>A technique to hijack a thread's arena within 8 allocations< 2.27
decrypt_safe_linking.c<a href="https://wargames.ret2.systems/level/how2heap_decrypt_safe_linking_2.34" title="Debug Technique In Browser">:arrow_forward:</a>Decrypt the poisoned value in linked list to recover the actual pointer>= 2.32
safe_link_double_protect.cLeakless bypass for PROTECT_PTR by protecting a pointer twice, allowing for arbitrary pointer linking in t-cache>= 2.3237c3 Potluck - Tamagoyaki
tcache_dup.c(obsolete)Tricking malloc into returning an already-allocated heap pointer by abusing the tcache freelist.2.26 - 2.28patch

The GnuLibc is under constant development and several of the techniques above have let to consistency checks introduced in the malloc/free logic. Consequently, these checks regularly break some of the techniques and require adjustments to bypass them (if possible). We address this issue by keeping multiple versions of the same technique for each Glibc-release that required an adjustment. The structure is glibc_<version>/technique.c.

Have a good example? Add it here! Try to inline the whole technique in a single .c -- it's a lot easier to learn that way.

Get Started

Quick Setup

git clone https://github.com/shellphish/how2heap
cd how2heap
make clean base
./malloc_playground

Notice that this will link the binaries with your system libc. If you want to play with other libc versions. Please refer to Complete Setup.

Complete Setup

You will encounter symbol versioning issues (see this) if you try to LD_PRELOAD libcs to a binary that's compiled on your host machine. We have two ways to bypass it.

Method 1: link against older libc

This one tells linker to link the target binary with the target libc.

git clone https://github.com/shellphish/how2heap
cd how2heap
H2H_USE_SYSTEM_LIBC=N make v2.23

This will link all the binaries against corresponding libcs. What's better is that it comes with debug symbols. Now you can play with any libc versions on your host machine. In this example, it will compile all glibc-2.23 binaries and link them with libc-2.23. You can change the number to play with other libc versions.

Method 2: use docker

This uses Docker-based approach to complie binaries inside an old ubuntu container so it is runnable with the target libc version.

git clone https://github.com/shellphish/how2heap
cd how2heap

# the next command will prepare the target binary so it runs with
# the expected libc version
make base
./glibc_run.sh 2.30 ./malloc_playground -d -p

# now you can play with the binary with glibc-2.30
# and even debug it with the correct symbols
readelf -d -W malloc_playground | grep RUNPATH # or use checksec
readelf -l -W malloc_playground | grep interpreter
gdb -q -ex "start" ./malloc_playground

Heap Exploitation Tools

There are some heap exploitation tools floating around.

Malloc Playground

The malloc_playground.c file given is the source for a program that prompts the user for commands to allocate and free memory interactively.

Pwngdb

Examine the glibc heap in gdb: https://github.com/scwuaptx/Pwngdb

pwndbg

An exploitation-centric gdb plugin that provides the ability to view/tamper with the glibc heap: https://github.com/pwndbg/pwndbg

gef

Another excellent gdb plugin that provides the ability to examine the glibc heap: https://github.com/hugsy/gef

heap-viewer

Examine the glibc heap in IDA Pro: https://github.com/danigargu/heap-viewer

Forkever

Debugger that lets you set "checkpoints" as well as view and edit the heap using a hexeditor: https://github.com/haxkor/forkever

heaptrace

Helps you visualize heap operations by replacing addresses with symbols: https://github.com/Arinerron/heaptrace

Other resources

Some good heap exploitation resources, roughly in order of their publication, are:

Hardening

There are a couple of "hardening" measures embedded in glibc, like export MALLOC_CHECK_=1 (enables some checks), export MALLOC_PERTURB_=1 (data is overwritten), export MALLOC_MMAP_THRESHOLD_=1 (always use mmap()), ...

More info: mcheck(), mallopt().

There's also some tracing support as mtrace(), malloc_stats(), malloc_info(), memusage, and in other functions in this family.