- SKILL: Heap Exploitation — Expert Attack Playbook
- AI LOAD INSTRUCTION
- Expert glibc heap exploitation techniques. Covers ptmalloc2 internals, bin structures, tcache mechanics, libc/heap leak methods, and attack selection by glibc version. Distilled from ctf-wiki heap sections, how2heap, and real-world exploitation. Base models often confuse glibc version constraints and miss safe-linking (PROTECT_PTR) introduced in 2.32. 0. RELATED ROUTING stack-overflow-and-rop — when the overflow is on the stack rather than the heap format-string-exploitation — leak heap/libc addresses via format string arbitrary-write-to-rce — convert heap arbitrary write into code execution binary-protection-bypass — bypass ASLR/RELRO to use heap write effectively Advanced References HOUSE_OF_TECHNIQUES.md — House of Force/Spirit/Orange/Einherjar/Roman/Pig/Banana/Cat/Apple and tcache attacks IO_FILE_EXPLOITATION.md — IO_FILE vtable hijack, FSOP, stdout/stdin abuse, exit flow exploitation 1. PTMALLOC2 STRUCTURE QUICK REFERENCE malloc_chunk Layout (64-bit) chunk pointer (returned by malloc - 0x10) ┌──────────────────────────┐ 0x00 │ prev_size (if prev free)│ 0x08 │ size | A | M | P │ ← P=PREV_INUSE, M=IS_MMAPPED, A=NON_MAIN_ARENA ├──────────────────────────┤ ← user data starts here (returned pointer) 0x10 │ fd (if free) │ ← forward pointer to next free chunk 0x18 │ bk (if free) │ ← backward pointer to prev free chunk 0x20 │ fd_nextsize (large only)│ 0x28 │ bk_nextsize (large only)│ └──────────────────────────┘ Bin Types Bin Size Range (64-bit) Structure LIFO/FIFO tcache (per-thread) ≤ 0x410 (7 entries per size) Singly linked (next pointer) LIFO fastbin ≤ 0x80 (default) Singly linked (fd) LIFO unsortedbin Any freed size Doubly linked circular FIFO smallbin < 0x400 Doubly linked circular FIFO largebin ≥ 0x400 Doubly linked + size-sorted Sorted Key Global Structures Structure Location Purpose main_arena libc .data segment Contains bin heads, top chunk, system_mem mp libc .data malloc parameters (tcache settings, mmap threshold) tcache_perthread_struct Heap (first allocation) Per-thread tcache bins and counts 2. LEAK METHODS Libc Base Leak Method Precondition Technique Unsortedbin fd/bk Free a chunk > tcache range (or fill tcache) fd/bk → main_arena + 0x60 (or +0x70 depending on version) → libc base Smallbin fd/bk Chunk moved from unsortedbin to smallbin Same as unsortedbin leak stdout FILE leak Write to IO_2_1_stdout Corrupt _IO_write_base to leak libc data (see IO_FILE) Heap Base Leak Method Precondition Technique Tcache fd pointer Free two tcache chunks, read first's fd fd → heap address (XOR'd in ≥ 2.32) Fastbin fd Free two fastbin chunks fd → heap address UAF read Use-after-free on freed chunk Read fd/bk directly Safe-Linking Decode (glibc ≥ 2.32)
PROTECT_PTR: fd_stored = (chunk_addr >> 12) ^ real_fd
To decode: real_fd = fd_stored ^ (chunk_addr >> 12)
To encode: fd_stored = (chunk_addr >> 12) ^ target_addr
- def
- deobfuscate
- (
- stored_fd
- ,
- chunk_addr
- )
- :
- return
- stored_fd
- ^
- (
- chunk_addr
- >>
- 12
- )
- def
- obfuscate
- (
- target
- ,
- chunk_addr
- )
- :
- return
- (
- chunk_addr
- >>
- 12
- )
- ^
- target
- 3. ATTACK CATEGORIES BY GLIBC VERSION
- glibc < 2.26 (No tcache)
- Attack
- Primitive Needed
- Result
- Fastbin dup
- Double free
- Arbitrary allocation
- Unsortedbin attack
- Corrupt unsortedbin bk
- Write
- main_arena
- addr to target (used for __malloc_hook nearby overwrite)
- Unlink attack
- Heap overflow into prev_size + fd/bk
- Arbitrary write (with known heap pointer)
- House of Force
- Top chunk size overwrite
- Arbitrary allocation
- House of Spirit
- Write fake chunk header
- Fastbin allocation at fake chunk
- Off-by-one null
- Null byte overflow into next chunk size
- Overlapping chunks
- glibc 2.26–2.28 (tcache, no key)
- Attack
- Notes
- Tcache poisoning
- Overwrite tcache fd → arbitrary allocation, no size check
- Tcache dup
- Double free into tcache (no double-free detection yet)
- All previous attacks
- Still work, but chunks go to tcache first
- glibc 2.29–2.31 (tcache key introduced)
- Attack
- Bypass for tcache key
- Tcache dup
- Corrupt
- key
- field (at chunk+0x18) before second free
- House of Botcake
- Double free: one in unsortedbin, one in tcache → overlapping
- Tcache stashing unlink
- Abuse smallbin→tcache refill to get arbitrary chunk
- glibc 2.32–2.33 (safe-linking / PROTECT_PTR)
- Attack
- Adaptation
- Tcache poisoning
- Encode target with
- (chunk_addr >> 12) ^ target
- Heap leak required
- Need heap addr to decode/encode safe-linked pointers
- Fastbin dup
- Same encoding required
- glibc ≥ 2.34 (hooks removed)
- Change
- Impact
- __malloc_hook
- removed
- Cannot overwrite hook for one_gadget
- __free_hook
- removed
- Cannot overwrite hook
- __realloc_hook
- removed
- Cannot use realloc trick for one_gadget constraints
- Post-2.34 targets
- see arbitrary-write-to-rce for _IO_FILE , exit_funcs , TLS_dtor_list , _dl_fini . 4. COMMON VULNERABILITY PATTERNS Vulnerability Description Exploitation Path UAF (Use-After-Free) Access chunk after free Read: leak fd/bk; Write: corrupt fd for tcache poisoning Double Free free() same chunk twice Tcache dup (bypass key) or fastbin dup Heap Overflow Write past chunk boundary Corrupt next chunk's metadata (size, fd, bk) Off-by-one One byte overflow Null byte → shrink next chunk size → overlapping chunks Off-by-null Specifically \x00 overflow Clear PREV_INUSE → trigger backward consolidation Uninitialized read Read heap memory without clearing Leak fd/bk from recycled chunk 5. TOOLS
pwndbg heap inspection
pwndbg
heap
display all chunks
pwndbg
bins
show all bin contents
pwndbg
tcachebins
tcache status
pwndbg
fastbins
fastbin status
pwndbg
unsortedbin
unsortedbin content
pwndbg
vis_heap_chunks
visual heap layout
pwndbg
find_fake_fast & __malloc_hook
find nearby fake fastbin chunks
how2heap — reference implementations
git clone https://github.com/shellphish/how2heap
heapinspect
pip install heapinspect heapinspect < pid
pwntools helpers
from pwn import * libc = ELF ( './libc.so.6' ) print ( hex ( libc.symbols [ '__malloc_hook' ] )) print ( hex ( libc.symbols [ '__free_hook' ] )) 6. DECISION TREE Heap vulnerability identified ├── What is the primitive? │ ├── UAF (read + write) │ │ ├── Can read freed chunk? → Leak libc (unsortedbin) or heap (tcache fd) │ │ └── Can write freed chunk? → Tcache poisoning / fastbin dup │ ├── Double free │ │ ├── glibc < 2.29 → direct tcache dup │ │ ├── glibc 2.29-2.31 → corrupt tcache key first, or House of Botcake │ │ └── glibc ≥ 2.32 → need heap leak for safe-linking encode │ ├── Heap overflow (controlled size) │ │ ├── Overwrite next chunk size → overlapping chunks → UAF │ │ └── Overwrite fd directly → arbitrary allocation │ ├── Off-by-one / off-by-null │ │ ├── Null byte into size → House of Einherjar (backward consolidation) │ │ └── One byte into size → shrink chunk, create overlap │ └── Arbitrary write (from overlap or poisoned allocation) │ ├── glibc < 2.34 → __malloc_hook / __free_hook → one_gadget │ ├── glibc ≥ 2.34 → _IO_FILE vtable, exit_funcs, TLS_dtor_list │ └── Partial RELRO → GOT overwrite │ ├── Need libc leak? │ ├── Free chunk into unsortedbin (size > 0x410 or fill 7 tcache) │ ├── Read fd/bk → main_arena offset → libc base │ └── Alternative: stdout FILE partial overwrite for leak │ └── Need heap leak? (glibc ≥ 2.32) ├── Read tcache fd from freed chunk └── Decode: real_addr = stored_fd ^ (chunk_addr >> 12)