Educational Heap Exploitation

A comprehensive repository for learning heap exploitation techniques with working C examples, verified to work on Ubuntu’s glibc releases from version 2.23 through 2.41.

What is how2heap?

how2heap is an educational repository designed to teach various heap exploitation techniques through practical, working examples. Each technique is implemented in C and verified to work on corresponding Ubuntu releases, making it an invaluable resource for security researchers, CTF players, and anyone interested in understanding heap exploitation. The project was created during a hack meeting and has grown to include over 40 different techniques, with version-specific implementations spanning glibc versions 2.23 through 2.41.

Key Features

40+ Techniques

Comprehensive collection of heap exploitation techniques with working C implementations

Multi-Version Support

Version-specific implementations for glibc 2.23 through 2.41

Interactive Playground

malloc_playground for hands-on experimentation with heap operations

CTF References

Real-world CTF challenge references and links to writeups

Debug Integration

Browser-based debugging support via Ret2 Wargames for many techniques

Docker Support

Both Docker and native compilation methods supported

Technique Categories

how2heap organizes techniques into several categories:

Fastbin Techniques

Exploits targeting the fastbin freelist mechanism, including double-free attacks and arbitrary pointer techniques.

Tcache Techniques

Modern exploitation techniques targeting the thread-local cache introduced in glibc 2.26.

House Techniques

A collection of classic and modern “House of X” exploitation techniques, each providing different primitives for gaining control.

Bin & Chunk Manipulation

Techniques that manipulate bin freelists and chunk metadata to achieve overlapping allocations or arbitrary writes.

Advanced Techniques

Sophisticated exploitation methods including safe-linking bypasses and relative write primitives.

Who Is This For?

  • Security Researchers learning modern heap exploitation techniques
  • CTF Players preparing for binary exploitation challenges
  • Students studying memory corruption and exploitation
  • Developers understanding heap security and mitigation techniques

Quick Example

Here’s a simple demonstration of glibc’s first-fit behavior:
first_fit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    fprintf(stderr, "This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.\n");
    fprintf(stderr, "glibc uses a first-fit algorithm to select a free chunk.\n");
    fprintf(stderr, "If a chunk is free and large enough, malloc will select it.\n");
    fprintf(stderr, "The speed of malloc is primarily determined by the length of the bin lists.\n");

    fprintf(stderr, "Allocating 3 chunks of various sizes\n");
    char* a = malloc(0x512);
    char* b = malloc(0x256);
    char* c = malloc(0x256);

    // Release all three chunks so the allocator can hand the memory out again
    free(a);
    free(b);
    free(c);

    fprintf(stderr, "Now, let's allocate a chunk of size 0x500\n");
    // First-fit: the memory that held 'a' is reused for the 0x500 allocation
    char *d = malloc(0x500);
    fprintf(stderr, "This chunk has address %p, which is the same as 'a': %p\n", (void *)d, (void *)a);
    return 0;
}
This demonstrates glibc’s first-fit allocation strategy, where the allocator will reuse the first free chunk that fits the requested size.
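
The same reuse seen from the defender's side, as an added example that is not part of how2heap or of this page's original code: once a chunk is released, the next similar-sized request can receive the same address, so the owner's pointer is cleared in the same step as the free. The struct session type and the session_release, session_name and release_then_reallocate helpers are hypothetical names, and the reuse result assumes glibc's default allocator.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record type for this example (not from how2heap). */
struct session { char *name; };

/* Free the buffer and clear the owner's pointer in one step, so a later
 * access sees NULL instead of whatever malloc placed there next. */
static void session_release(struct session *s)
{
    free(s->name);
    s->name = NULL;
}

/* NULL-checked accessor: returns a fixed marker once the name is released. */
const char *session_name(const struct session *s)
{
    return s->name ? s->name : "(released)";
}

/* Returns 1 if the next similar-sized request got the released chunk back,
 * 0 if not, -1 on allocation failure. On return, s->name is NULL. */
int release_then_reallocate(struct session *s)
{
    s->name = malloc(0x512);
    char *guard = malloc(0x256);   /* sits between the chunk and the top chunk */
    if (!s->name || !guard) { free(s->name); s->name = NULL; free(guard); return -1; }
    strcpy(s->name, "alice");
    /* Address recorded before the free; volatile stops constant folding. */
    volatile uintptr_t old = (uintptr_t)s->name;
    session_release(s);

    char *other = malloc(0x500);   /* unrelated data, similar size (assumes glibc) */
    if (!other) { free(guard); return -1; }
    strcpy(other, "unrelated data");
    int reused = ((uintptr_t)other == old);
    free(other);
    free(guard);
    return reused;
}

int main(void)
{
    struct session s = { NULL };
    printf("freed chunk reused: %d\n", release_then_reallocate(&s));
    printf("name after release: %s\n", session_name(&s));
    return 0;
}
```

Had the session kept its old pointer, it would now refer to memory owned by the unrelated allocation; clearing it turns that silent aliasing into a NULL check.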

Get Started

Ready to learn heap exploitation? Here’s how to get started:
1. Clone the repository

   Clone how2heap from GitHub:
   git clone https://github.com/shellphish/how2heap
   cd how2heap

2. Install dependencies

   Ensure you have the required packages:
   sudo apt-get install build-essential patchelf zstd wget

3. Build and run

   Build the examples and run the playground:
   make clean base
   ./malloc_playground

The quick setup uses your system libc. For version-specific testing, see the Setup Guide for Docker and multi-version compilation instructions.

Community and Resources

Next Steps

Quickstart Guide

Get up and running in minutes with practical examples

Heap Basics

Learn the fundamentals of heap memory management

Browse Techniques

Explore all available exploitation techniques

Setup Guide

Configure your environment for multi-version testing
