Skip to main content
Learn heap exploitation techniques by running real examples. This guide will get you started quickly with the basics.

Quick Setup

The fastest way to get started is with the Quick Setup method, which uses your system’s glibc.
1

Install Required Tools

Make sure you have the following packages installed:
sudo apt install build-essential patchelf zstd wget git
Also ensure /usr/bin/python points to your Python binary:
sudo ln -s /usr/bin/python3 /usr/bin/python
2

Clone and Build

Clone the repository and build the base binaries:
git clone https://github.com/shellphish/how2heap
cd how2heap
make clean base
This builds the base binaries: malloc_playground, first_fit, and calc_tcache_idx.
3

Run Malloc Playground

The malloc playground is an interactive tool to experiment with heap operations:
./malloc_playground
You’ll see a prompt where you can enter commands:
pid: 12345
>

Using Malloc Playground

The malloc playground allows you to allocate, free, and manipulate memory interactively.

Basic Commands

> malloc 100
==> OK, 0x5555557592a0

Available Commands

CommandDescriptionExample
malloc nAllocate n bytesmalloc 256
free [p]Free memory (default: last allocated)free or free 0
write str [p]Write string to pointerwrite test 0
listpList active pointerslistp
listpallList all pointer slotslistpall
clearlistFree all allocationsclearlist
statsShow malloc statisticsstats
infoShow detailed malloc infoinfo
The malloc playground tracks up to 20 pointers at once. Use clearlist to reset and free all allocations.

Your First Technique: First Fit

Now let’s run your first heap exploitation technique demo.
1

Compile first_fit

The first_fit example demonstrates glibc’s first-fit allocation behavior:
make first_fit
2

Run the Example

Execute the compiled binary:
./first_fit
You’ll see output demonstrating how glibc reuses freed chunks:
This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.
glibc uses a first-fit algorithm to select a free chunk.
If a chunk is free and large enough, malloc will select this chunk.
This can be exploited in a use-after-free situation.

Allocating 2 buffers. They can be large, don't have to be fastbin.
1st malloc(0x512): 0x5555557592a0
2nd malloc(0x256): 0x5555557597c0
...
3

Understand the Technique

The example shows:
  • Allocate chunk A (0x512 bytes)
  • Allocate chunk B (0x256 bytes)
  • Free chunk A
  • Allocate chunk C (0x500 bytes) - gets the same address as A!
This demonstrates the use-after-free condition where pointer A still points to data from allocation C.

Exploring Techniques

The repository includes dozens of techniques organized by glibc version: 
# List available techniques for glibc 2.39
ls glibc_2.39/

# Compile all techniques for a specific version
make v2.39

# Run a specific technique
./glibc_2.39/fastbin_dup

Fastbin Techniques

  • fastbin_dup - Double free attack
  • fastbin_dup_into_stack - Arbitrary pointer
  • fastbin_dup_consolidate - Bypass checks

Tcache Techniques

  • tcache_poisoning - Poison tcache entries
  • tcache_dup - Double free in tcache
  • house_of_botcake - Advanced tcache exploit

House Techniques

  • house_of_spirit - Fake fastbin chunks
  • house_of_lore - Smallbin exploitation
  • house_of_einherjar - Null byte overflow

Advanced

  • unsafe_unlink - Arbitrary write
  • poison_null_byte - Single byte overflow
  • large_bin_attack - Large bin exploitation
The Quick Setup method links binaries against your system libc. For working with specific glibc versions, see the Setup Guide for complete configuration options.

Next Steps

Complete Setup

Configure specific glibc versions using Docker or linker methods

Debugging

Use GDB with heap visualization tools like pwndbg or gef

Running with GDB

To debug techniques with GDB: 
# Quick method (system libc)
gdb ./first_fit

# With specific glibc version
./glibc_run.sh 2.39 ./malloc_playground -gdb
Recommended GDB plugins for heap exploitation:
  • pwndbg - Exploitation-focused GDB plugin
  • gef - GDB Enhanced Features
  • Pwngdb - Heap examination tools

Build docs developers (and LLMs) love

Get started for freeTalk to us