How2heap
A repository for learning various heap exploitation techniques.
Educational Heap Exploitation
This repo is for learning various heap exploitation techniques.
We use Ubuntu's Libc releases as the gold-standard. Each technique is verified to work on corresponding Ubuntu releases.
On a Debian-based operating system you can run `apt source libc6` to download the source code of the libc you are using. You can also click :arrow_forward: in the table below to debug the technique in your browser using gdb.
We came up with the idea during a hack meeting, and have implemented the following techniques:
| File | :arrow_forward: | Technique | Glibc-Version | Patch | Applicable CTF Challenges |
|------|-----|-----------|---------------|-------|---------------------------|
| first_fit.c | | Demonstrating glibc malloc's first-fit behavior. | | | |
| calc_tcache_idx.c | | Demonstrating glibc's tcache index calculation. | | | |
| fastbin_dup.c | <a href="https://wargames.ret2.systems/level/how2heap_fastbin_dup_2.34" title="Debug Technique In Browser">:arrow_forward:</a> | Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist. | < 2.43 | patch | |
| fastbin_dup_into_stack.c | <a href="https://wargames.ret2.systems/level/how2heap_fastbin_dup_into_stack_2.23" title="Debug Technique In Browser">:arrow_forward:</a> | Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist. | < 2.43 | patch | 9447-search-engine, 0ctf 2017-babyheap |
| fastbin_dup_consolidate.c | <a href="https://wargames.ret2.systems/level/how2heap_fastbin_dup_consolidate_2.23" title="Debug Technique In Browser">:arrow_forward:</a> | Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both fastbin freelist and the top chunk. | < 2.43 | patch | Hitcon 2016 SleepyHolder |
| unsafe_unlink.c | <a href="https://wargames.ret2.systems/level/how2heap_unsafe_unlink_2.34" title="Debug Technique In Browser">:arrow_forward:</a> | Exploiting free on a corrupted chunk to get arbitrary write. | latest | | HITCON CTF 2014-stkof, Insomni'hack 2017-Wheel of Robots |
| house_of_spirit.c | <a href="https://wargames.ret2.systems/level/how2heap_house_of_spirit_2.23" title="Debug Technique In Browser">:arrow_forward:</a> | Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer. | latest | | hack.lu CTF 2014-OREO |
| poison_null_byte.c | <a href="https://wargames.ret2.systems/level/how2heap_poison_null_byte_2.34" title="Debug Technique In Browser">:arrow_forward:</a> | Exploiting a single null byte overflow. | latest | | PlaidCTF 2015-plaiddb, BalsnCTF 2019-PlainNote |
| house_of_lore.c | <a href="https://wargames.ret2.systems/level/how2heap_house_of_lore_2.34" title="Debug Technique In Browser">:arrow_forward:</a> | Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist. | latest | | |
| overlapping_chunks.c | <a href="https://wargames.ret2.systems/level/how2heap_overlapping_chunks_2.34" title="Debug Technique In Browser">:arrow_forward:</a> | Exploit the overwrite of a freed chunk size in the unsorted bin in order to make a new allocation overlap with an existing chunk | < 2.29 | patch | hack.lu CTF 2015-bookstore, Nuit du Hack 2016-night-deamonic-heap |
| overlapping_chunks_2.c | <a href="https://wargames.ret2.systems/level/how2heap_overlapping_chunks_2_2.23" title="Debug Technique In Browser">:arrow_forward:</a> | Exploit the overwrite of an in-use chunk size in order to make a new allocation overlap with an existing chunk | < 2.29 | patch | |
| mmap_overlapping_chunks.c | | Exploit an in-use mmap chunk in order to make a new allocation overlap with a current mmap chunk | latest | | |
| house_of_force.c | <a href="https://wargames.ret2.systems/level/how2heap_house_of_force_2.27" title="Debug Technique In Browser">:arrow_forward:</a> | Exploiting the Top Chunk (Wilderness) header in order to get malloc to return a nearly-arbitrary pointer | < 2.29 | patch | Boston Key Party 2016-cookbook, BCTF 2016-bcloud |
| unsorted_bin_into_stack.c | <a href="https://wargames.ret2.systems/level/how2heap_unsorted_bin_into_stack_2.23" title="Debug Technique In Browser">:arrow_forward:</a> | Exploiting the overwrite of a freed chunk on the unsorted bin freelist to return a nearly-arbitrary pointer. | < 2.29 | patch | |
| unsorted_bin_attack.c | <a href="https://wargames.ret2.systems/level/how2heap_unsorted_bin_attack_2.27" title="Debug Technique In Browser">:arrow_forward:</a> | Exploiting the overwrite of a freed chunk on unsorted bin freelist to write a large value into arbitrary address | < 2.29 | patch | 0ctf 2016-zerostorage |
| large_bin_attack.c | <a href="https://wargames.ret2.systems/level/how2heap_large_bin_attack_2.34" title="Debug Technique In Browser">:arrow_forward:</a> | Exploiting the overwrite of a freed chunk on large bin freelist to write a large value into arbitrary address | < 2.42 | patch | 0ctf 2018-heapstorm2 |
| house_of_einherjar.c | <a href="https://wargames.ret2.systems/level/how2heap_house_of_einherjar_2.34" title="Debug Technique In Browser">:arrow_forward:</a> | Exploiting a single null byte overflow to trick malloc into returning a controlled pointer | latest | | Seccon 2016-tinypad |
| house_of_water.c | | Exploit a UAF or double free to gain leakless control of the tcache metadata and a leakless way to link libc into the tcache | latest | | 37c3 Potluck - Tamagoyaki |
| sysmalloc_int_free.c | | Demonstrating freeing a nearly arbitrary-sized Top Chunk (Wilderness) through malloc (the _int_free() call inside sysmalloc) | latest | | |
| house_of_orange.c | <a href="https://wargames.ret2.systems/level/how2heap_house_of_orange_2.23" title="Debug Technique In Browser">:arrow_forward:</a> | Exploiting the Top Chunk (Wilderness) in order to gain arbitrary code execution | < 2.26 | patch | Hitcon 2016 houseoforange |
| house_of_tangerine.c | | Exploiting the Top Chunk (Wilderness) in order to trick malloc into returning a completely arbitrary pointer by abusing the tcache freelist | >= 2.26 | | PicoCTF 2024- high frequency troubles |
| [house_of_roman.c](glibc_2.23/house
