
All Techniques Reference

This page provides a comprehensive reference of all heap exploitation techniques in how2heap, organized by category. Each technique includes its description, glibc version compatibility, patch information, and references to real-world CTF challenges.
Techniques marked with ⏩ have interactive browser-based debugging support via Ret2 Wargames.

Foundational Techniques

These techniques demonstrate basic heap allocator behavior and are essential for understanding more advanced exploits.
first_fit.c

Demonstrates glibc malloc's first-fit behaviour when choosing a free chunk to satisfy a request.
  • Glibc Version: All versions
  • Type: Educational demonstration
  • Key Concept: The allocator reuses the first free chunk that fits the requested size. This is what makes use-after-free bugs exploitable: a later allocation of a suitable size lands on the memory a dangling pointer still references.
  • Source: first_fit.c

calc_tcache_idx.c

Demonstrates glibc's tcache index calculation and provides a calculator for determining which tcache bin a given chunk size maps to.
  • Glibc Version: All versions
  • Type: Educational demonstration
  • Formula: IDX = (CHUNKSIZE - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT
  • Source: calc_tcache_idx.c
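The following is an added worked example, not code from how2heap: it implements the index formula above together with the request-to-chunk-size rounding that feeds it, and goes one step further than the page by also classifying where free() would park a chunk of a given size (tcache, fastbin or unsorted bin). The constants are the x86-64 glibc defaults (SIZE_SZ 8, MALLOC_ALIGNMENT 16, MINSIZE 0x20, 64 tcache bins of 7 entries, max_fast 0x80); the function names mirror the glibc macros but the code is this example's own, and the enum and free_destination() are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* x86-64 glibc defaults, assumed from malloc/malloc.c (not read from a live libc) */
#define SIZE_SZ            8
#define MALLOC_ALIGNMENT   16
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)
#define MINSIZE            32                    /* 0x20: smallest chunk        */
#define TCACHE_MAX_BINS    64
#define TCACHE_FILL_COUNT  7                     /* default tcache_count        */
#define DEFAULT_MXFAST     (64 * SIZE_SZ / 4)    /* 0x80: largest fastbin chunk */

enum free_dest { DEST_TCACHE, DEST_FASTBIN, DEST_UNSORTED };

/* request2size(): user request -> chunk size. Adds the size field, rounds up
 * to MALLOC_ALIGNMENT and never goes below MINSIZE (so malloc(0) is 0x20). */
static size_t request2size(size_t req) {
    size_t s = req + SIZE_SZ + MALLOC_ALIGN_MASK;
    return (s < MINSIZE) ? MINSIZE : (s & ~(size_t)MALLOC_ALIGN_MASK);
}

/* csize2tidx(): the formula quoted above, chunk size -> tcache bin index */
static size_t csize2tidx(size_t chunk_size) {
    return (chunk_size - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT;
}

/* tidx2usize(): inverse mapping, largest user request served by bin idx */
static size_t tidx2usize(size_t idx) {
    return idx * MALLOC_ALIGNMENT + MINSIZE - SIZE_SZ;
}

/* tcache bin for a request, or -1 when the chunk is too large for tcache */
static int tcache_idx_for_request(size_t req) {
    size_t idx = csize2tidx(request2size(req));
    return idx < TCACHE_MAX_BINS ? (int)idx : -1;
}

/* fastbin_index(): chunk size -> fastbin, or -1 outside the default range */
static int fastbin_index(size_t chunk_size) {
    if (chunk_size < MINSIZE || chunk_size > DEFAULT_MXFAST) return -1;
    return (int)((chunk_size >> 4) - 2);
}

/* Where free() parks a chunk of this request size, given how many entries its
 * tcache bin already holds (glibc >= 2.26 tries tcache first, then fastbins).
 * Everything else goes to the unsorted bin, or merges with a free neighbour
 * or the top chunk; mmap'd chunks are out of scope here. */
static enum free_dest free_destination(size_t req, int entries_in_tcache_bin) {
    size_t cs = request2size(req);
    if (tcache_idx_for_request(req) >= 0 && entries_in_tcache_bin < TCACHE_FILL_COUNT)
        return DEST_TCACHE;
    if (fastbin_index(cs) >= 0)
        return DEST_FASTBIN;
    return DEST_UNSORTED;
}

int main(void) {
    size_t samples[] = { 0, 0x18, 0x19, 0x78, 0x79, 0x408, 0x409 };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        size_t r = samples[i], cs = request2size(r);
        printf("request %#5zx -> chunk %#5zx  tcache idx %3d  fastbin idx %2d\n",
               r, cs, tcache_idx_for_request(r), fastbin_index(cs));
    }
    printf("largest tcache request: %#zx\n", tidx2usize(TCACHE_MAX_BINS - 1));
    return 0;
}
```

Two boundaries worth remembering when sizing allocations for the techniques below: a request of 0x408 bytes is the last one that lands in tcache (chunk 0x410, bin 63), and a request of 0x78 is the last one that can reach a fastbin (chunk 0x80), which only happens once the matching tcache bin already holds seven entries.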

Fastbin Techniques

Exploits targeting the fastbin freelist mechanism, which serves small chunks: by default chunk sizes up to 0x80 (128) bytes on 64-bit systems, i.e. requests of at most 0x78 bytes.

fastbin_dup.c

Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist.

fastbin_dup_into_stack.c

Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist.

fastbin_dup_consolidate.c

Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both fastbin freelist and the top chunk.

fastbin_reverse_into_tcache.c

Exploiting the overwrite of a freed chunk in the fastbin to write a large value into an arbitrary address.

Tcache Techniques

Modern exploitation techniques targeting the thread-local cache introduced in glibc 2.26.

tcache_poisoning.c

Tricking malloc into returning a completely arbitrary pointer by abusing the tcache freelist.

tcache_dup.c (obsolete)

Tricking malloc into returning an already-allocated heap pointer by abusing the tcache freelist.
  • Version: 2.26 - 2.28 (obsolete)
  • Status: Patched in glibc 2.29
  • Patch: Double-free check
  • Note: This technique is obsolete. See house_of_botcake for a modern alternative.
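The following is an added example, not code from how2heap or glibc: a small model of one tcache bin that reproduces the double-free check glibc 2.29 added, so you can see why the original tcache_dup sequence (free(a); free(a); malloc(); malloc()) stops working there. The `key` field at user-data offset 8, the constant standing in for glibc's per-thread tcache key, and the `clobber_key` switch (an attacker writing into the freed chunk between the two frees) are this example's own constructions.

```c
#include <stdint.h>
#include <stdio.h>

/* A freed tcache chunk's user data, as glibc lays it out: `next` first and,
 * from 2.29, a `key` field that marks the chunk as "already in tcache". */
struct tcache_entry {
    struct tcache_entry *next;
    uintptr_t key;                      /* 2.29+: set on free, cleared on malloc */
};

#define TCACHE_COUNT_MAX 7
#define TCACHE_KEY 0x1234567890abcdefULL /* stand-in for the real per-thread key */

struct tcache_bin {
    struct tcache_entry *head;
    int count;
    int check_double_free;              /* 0: 2.26-2.28 behaviour, 1: 2.29+ */
};

enum free_result { FREE_OK, FREE_DOUBLE_FREE_DETECTED, FREE_BIN_FULL };

static void tcache_put(struct tcache_bin *bin, struct tcache_entry *e) {
    e->next = bin->head;
    e->key = TCACHE_KEY;
    bin->head = e;
    bin->count++;
}

static void *tcache_get(struct tcache_bin *bin) {
    struct tcache_entry *e = bin->head;
    if (!e) return NULL;
    bin->head = e->next;
    bin->count--;
    e->key = 0;                         /* chunk is live again */
    return e;
}

/* The _int_free() tcache path. The 2.29 check only walks the bin when e->key
 * matches, so it is a heuristic keyed on a field inside attacker-writable data,
 * not a full scan of the list on every free. */
static enum free_result model_free(struct tcache_bin *bin, void *p) {
    struct tcache_entry *e = p;
    if (bin->count >= TCACHE_COUNT_MAX) return FREE_BIN_FULL;
    if (bin->check_double_free && e->key == TCACHE_KEY) {
        for (struct tcache_entry *t = bin->head; t; t = t->next)
            if (t == e) return FREE_DOUBLE_FREE_DETECTED;   /* "double free detected in tcache 2" */
    }
    tcache_put(bin, e);
    return FREE_OK;
}

union chunk_data { struct tcache_entry e; unsigned char raw[0x20]; };

/* Run the tcache_dup sequence against the model. Returns 1 if the two
 * mallocs hand back the same pointer (dup succeeded), 0 if the second free
 * was refused. clobber_key simulates a write into the freed chunk. */
static int tcache_dup_attempt(int check_double_free, int clobber_key) {
    union chunk_data chunk = {0};       /* constructed stand-in for a heap chunk */
    struct tcache_bin bin = { .head = NULL, .count = 0, .check_double_free = check_double_free };

    if (model_free(&bin, &chunk.e) != FREE_OK) return 0;
    if (clobber_key) chunk.e.key = 0;   /* attacker overwrites user data + 8 */
    if (model_free(&bin, &chunk.e) != FREE_OK) return 0;

    void *first = tcache_get(&bin);     /* list is now chunk -> chunk -> ... */
    void *second = tcache_get(&bin);
    return first != NULL && first == second;
}

int main(void) {
    printf("2.26-2.28, plain double free:      dup %s\n", tcache_dup_attempt(0, 0) ? "works" : "fails");
    printf("2.29+,     plain double free:      dup %s\n", tcache_dup_attempt(1, 0) ? "works" : "fails");
    printf("2.29+,     key clobbered in between: dup %s\n", tcache_dup_attempt(1, 1) ? "works" : "fails");
    return 0;
}
```

The third case is the reason the check is described as a heuristic: it catches the plain double free of tcache_dup.c, but any primitive that can write into the freed chunk before the second free skips the scan entirely. Techniques such as house_of_botcake avoid the check differently, by making the two frees reach the chunk through different bins rather than by touching the key.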

tcache_house_of_spirit.c

Frees a fake chunk to get malloc to return a nearly-arbitrary pointer (tcache variant).

house_of_botcake.c

Bypass double free restriction on tcache. Make tcache_dup great again.

tcache_stashing_unlink_attack.c

Exploiting the overwrite of a freed chunk on small bin freelist to trick malloc into returning an arbitrary pointer.

tcache_metadata_poisoning.c

Trick the tcache into providing arbitrary pointers by manipulating the tcache metadata struct.
  • Version: >= 2.26

tcache_relative_write.c

Arbitrary decimal value and chunk pointer writing in heap by out-of-bounds tcache metadata writing.
  • Version: >= 2.30

House Techniques

Classic and modern “House of X” exploitation techniques, each providing different primitives.

house_of_spirit.c

Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer.

house_of_lore.c

Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist.

house_of_force.c

Exploiting the Top Chunk (Wilderness) header to get malloc to return a nearly-arbitrary pointer.

house_of_einherjar.c

Exploiting a single null byte overflow to trick malloc into returning a controlled pointer.

house_of_orange.c

Exploiting the Top Chunk (Wilderness) to gain arbitrary code execution.

Bin & Chunk Manipulation

Techniques that manipulate bin freelists and chunk metadata to achieve overlapping allocations or arbitrary writes.

unsafe_unlink.c

Exploiting free on a corrupted chunk to get arbitrary write.

poison_null_byte.c

Exploiting a single null byte overflow.

overlapping_chunks.c

Exploit the overwrite of a freed chunk size in the unsorted bin to make a new allocation overlap with an existing chunk.

overlapping_chunks_2.c

Exploit the overwrite of an in use chunk size to make a new allocation overlap with an existing chunk.
  • Version: < 2.29
  • Patch: Size validation
  • Debug: ⏩ Browser Debug
  • Note: Variant of overlapping_chunks targeting in-use chunks. See main overlapping_chunks page for details.

mmap_overlapping_chunks.c

Exploit an in use mmap chunk to make a new allocation overlap with a current mmap chunk.
  • Version: Latest

unsorted_bin_into_stack.c

Exploiting the overwrite of a freed chunk on unsorted bin freelist to return a nearly-arbitrary pointer.

unsorted_bin_attack.c

Exploiting the overwrite of a freed chunk on unsorted bin freelist to write a large value into arbitrary address.

large_bin_attack.c

Exploiting the overwrite of a freed chunk on large bin freelist to write a large value into arbitrary address.

Advanced Techniques

Sophisticated exploitation methods including safe-linking bypasses and advanced primitives.

decrypt_safe_linking.c

Decrypts a safe-linking-protected next pointer leaked from a tcache or fastbin freelist to recover the actual pointer, without knowing the address it was stored at.
  • Version: >= 2.32
  • Debug: ⏩ Browser Debug
  • Requirement: Safe-linking introduced in glibc 2.32
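The following is an added example, not code from how2heap: it applies PROTECT_PTR as glibc 2.32 and later do (next pointer XOR the address of the next field shifted right by 12) and then recovers the pointer from the protected value alone. The recovery works because the key has twelve leading zero bits, so the top twelve bits of the cipher are plaintext, and when the field and the target lie in the same page the key equals the target shifted by 12, letting each recovered window unlock the next one down. The heap addresses are constructed for the demonstration; the second case deliberately puts the two addresses on different pages to show which bits stop being trustworthy.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* PROTECT_PTR as glibc >= 2.32 applies it to tcache and fastbin next fields:
 * pos is the address of the field, ptr the pointer being stored. */
static uint64_t protect_ptr(uint64_t pos, uint64_t ptr) {
    return (pos >> 12) ^ ptr;
}

/* REVEAL_PTR: the allocator's own decode, which knows pos. */
static uint64_t reveal_ptr(uint64_t pos, uint64_t cipher) {
    return (pos >> 12) ^ cipher;
}

/* Recover ptr from a leaked protected value without pos. Round n trusts the
 * top 12*n bits of (cipher ^ key) and uses them, shifted by 12, as the key
 * guess for the next round; six rounds cover all 64 bits. */
static uint64_t decrypt_safe_linking(uint64_t cipher) {
    uint64_t key = 0, plain = 0;
    for (int round = 1; round <= 6; round++) {
        int bits = 64 - 12 * round;                /* 52, 40, 28, 16, 4, 0 */
        if (bits < 0) bits = 0;
        plain = ((cipher ^ key) >> bits) << bits;  /* keep the trusted top bits */
        key = plain >> 12;                         /* refine the key guess  */
    }
    return plain;
}

/* The decryption is exact only when pos and ptr share a 4096-byte page;
 * otherwise the low 12 bits of the result absorb the page-number difference. */
static int same_page(uint64_t a, uint64_t b) {
    return (a >> 12) == (b >> 12);
}

int main(void) {
    /* constructed addresses: chunk A's next field, and chunk B as the target */
    uint64_t a_next = 0x5555555592a0ULL, b = 0x555555559560ULL;
    uint64_t c = protect_ptr(a_next, b);
    printf("same page %d: cipher %#" PRIx64 " -> %#" PRIx64 " (reveal: %#" PRIx64 ")\n",
           same_page(a_next, b), c, decrypt_safe_linking(c), reveal_ptr(a_next, c));

    /* next field one page higher: high bits still right, low 12 bits off */
    uint64_t a2_next = 0x55555555a2a0ULL;
    uint64_t c2 = protect_ptr(a2_next, b);
    printf("same page %d: cipher %#" PRIx64 " -> %#" PRIx64 " (reveal: %#" PRIx64 ")\n",
           same_page(a2_next, b), c2, decrypt_safe_linking(c2), reveal_ptr(a2_next, c2));
    return 0;
}
```

Two practical consequences for the tcache and fastbin techniques on 2.32 and later: a leaked next pointer is enough to recover a heap address only if you reason about which page it came from, and any forged next value you write must be protected with the address of the field you are writing it into, which is why those variants need a heap leak. The allocator also rejects unaligned tcache pointers on these versions, so the target you link in must be 16-byte aligned.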

safe_link_double_protect.c

Leakless bypass for PROTECT_PTR by protecting a pointer twice, allowing an arbitrary pointer to be linked into tcache.

sysmalloc_int_free.c

Demonstrates freeing a top chunk (wilderness) of nearly arbitrary size through malloc itself: when sysmalloc() cannot extend the old top, it hands that old top to _int_free().
  • Version: Latest

Complete Technique Index

Here’s the complete table from the original repository with all techniques:
This table is kept up-to-date with the main repository and includes version-specific information for each technique.
Technique                        | Version     | Patch | CTF Challenges                                         | Debug
---------------------------------+-------------+-------+--------------------------------------------------------+------
first_fit.c                      | All         | -     | -                                                      | -
calc_tcache_idx.c                | All         | -     | -                                                      | -
fastbin_dup.c                    | Latest      | -     | -                                                      | ⏩
fastbin_dup_into_stack.c         | Latest      | -     | 9447-search-engine, 0ctf 2017-babyheap                 | ⏩
fastbin_dup_consolidate.c        | Latest      | -     | Hitcon 2016 SleepyHolder                               | ⏩
unsafe_unlink.c                  | Latest      | -     | HITCON CTF 2014-stkof, Insomni'hack 2017-Wheel of Robots | ⏩
house_of_spirit.c                | Latest      | -     | hack.lu CTF 2014-OREO                                  | ⏩
poison_null_byte.c               | Latest      | -     | PlaidCTF 2015-plaiddb, BalsnCTF 2019-PlainNote         | ⏩
house_of_lore.c                  | Latest      | -     | -                                                      | ⏩
overlapping_chunks.c             | < 2.29      | Link  | hack.lu CTF 2015-bookstore, Nuit du Hack 2016          | ⏩
overlapping_chunks_2.c           | < 2.29      | Link  | -                                                      | ⏩
mmap_overlapping_chunks.c        | Latest      | -     | -                                                      | -
house_of_force.c                 | < 2.29      | Link  | Boston Key Party 2016-cookbook, BCTF 2016-bcloud       | ⏩
unsorted_bin_into_stack.c        | < 2.29      | Link  | -                                                      | ⏩
unsorted_bin_attack.c            | < 2.29      | Link  | 0ctf 2016-zerostorage                                  | ⏩
large_bin_attack.c               | Latest      | -     | 0ctf 2018-heapstorm2                                   | ⏩
house_of_einherjar.c             | Latest      | -     | Seccon 2016-tinypad                                    | ⏩
house_of_water.c                 | Latest      | -     | 37c3 Potluck - Tamagoyaki                              | -
sysmalloc_int_free.c             | Latest      | -     | -                                                      | -
house_of_orange.c                | < 2.26      | Link  | Hitcon 2016 houseoforange                              | ⏩
house_of_tangerine.c             | >= 2.26     | -     | PicoCTF 2024 - high frequency troubles                 | -
house_of_roman.c                 | < 2.29      | Link  | -                                                      | ⏩
tcache_poisoning.c               | >= 2.26     | Link  | -                                                      | ⏩
tcache_house_of_spirit.c         | >= 2.26     | -     | -                                                      | ⏩
house_of_botcake.c               | >= 2.26     | -     | -                                                      | ⏩
tcache_stashing_unlink_attack.c  | >= 2.26     | -     | Hitcon 2019 one punch man                              | ⏩
fastbin_reverse_into_tcache.c    | >= 2.26     | -     | -                                                      | ⏩
house_of_mind_fastbin.c          | Latest      | -     | -                                                      | ⏩
house_of_storm.c                 | < 2.29      | -     | -                                                      | ⏩
house_of_gods.c                  | < 2.27      | -     | -                                                      | ⏩
decrypt_safe_linking.c           | >= 2.32     | -     | -                                                      | ⏩
safe_link_double_protect.c       | >= 2.32     | -     | 37c3 Potluck - Tamagoyaki                              | -
tcache_dup.c (obsolete)          | 2.26 - 2.28 | Link  | -                                                      | -
tcache_metadata_poisoning.c      | >= 2.26     | -     | -                                                      | -
house_of_io.c                    | 2.31 - 2.33 | -     | -                                                      | -
tcache_relative_write.c          | >= 2.30     | -     | -                                                      | -

"Link" in the Patch column marks techniques whose row in the repository README links to the glibc patch that broke them; the link targets are not reproduced here. ⏩ in the Debug column marks the browser-based debugging support described at the top of this page.

Version Evolution

Many techniques have multiple implementations for different glibc versions. The repository maintains these in version-specific directories:
glibc_2.23/
glibc_2.24/
glibc_2.27/
glibc_2.31/
glibc_2.35/
glibc_2.36/
glibc_2.39/
glibc_2.40/
glibc_2.41/
obsolete/glibc_2.27/
When a technique is marked with a version such as "< 2.29", the original technique was patched in that glibc release: the reference implementation only works on older versions, and on newer ones you need the version-specific implementation from the directories above, or an adapted variant where one exists.

Next Steps

By glibc Version

View techniques organized by glibc version

Glossary

Learn key heap exploitation terminology

Heap Basics

Understand heap internals before diving into techniques

Setup Guide

Set up your environment for testing techniques
