Skip to main content

Heap Exploitation Tutorials

This page curates external tutorials and learning resources for heap exploitation. Resources are organized chronologically to show the evolution of techniques, from foundational concepts to modern exploitation methods.
Heap exploitation has evolved significantly over time. Understanding both historical and modern techniques provides context for why certain mitigations exist and how to work around them.

Modern Techniques (2020-Present)

These resources cover techniques that work on recent glibc versions and reflect current exploitation landscapes.

Overview of GLIBC Heap Exploitation

Comprehensive overview of heap exploitation techniques (2022)

glibc In-Depth Tutorial

Complete book with detailed explanations and exploit samples (2022)

Overview of GLIBC Heap Exploitation Techniques

Author: 0x434b
Published: 2022
URL: https://0x434b.dev/overview-of-glibc-heap-exploitation-techniques/

What It Covers

  • Modern heap exploitation landscape
  • Tcache exploitation techniques
  • Safe-linking bypass methods
  • House of techniques for modern glibc
  • Real-world exploitation scenarios

Why It’s Useful

This tutorial bridges the gap between classic heap exploitation literature and modern glibc implementations. It covers:
  • Tcache exploitation - Detailed coverage of tcache poisoning and related techniques
  • Modern mitigations - How to work with safe-linking and other protections
  • Practical examples - Code samples that work on recent Ubuntu versions
  • CTF applications - Techniques commonly seen in recent competitions
Highly recommended as a starting point for anyone learning heap exploitation in 2024 and beyond.

glibc In-Depth Tutorial

Author: Dhaval Kapil
Published: 2022
URL: https://heap-exploitation.dhavalkapil.com/

What It Covers

This comprehensive resource includes:
  1. Fundamentals
    • malloc implementation details
    • Chunk structure and metadata
    • Arena management
    • Freelist mechanics (fastbins, tcache, bins)
  2. Exploitation Techniques
    • Use-after-free
    • Double free
    • Heap overflow
    • Tcache exploitation
    • Fastbin attacks
  3. Practical Examples
    • Complete exploit samples
    • Step-by-step walkthroughs
    • GDB debugging sessions

Format

  • Book-style presentation - Organized chapters for progressive learning
  • Interactive code samples - Copy-paste ready examples
  • Visual diagrams - Heap layout illustrations

Why It’s Valuable

This is one of the most complete modern resources for heap exploitation. It:
  • Explains why techniques work, not just how
  • Covers glibc internals in appropriate depth
  • Provides working code for modern systems
  • Suitable for both beginners and advanced learners

Heap Exploitation on glibc-2.31

Repository: https://github.com/StarCross-Tech/heap_exploit_2.31
Published: 2020

What It Covers

  • Techniques specifically adapted for glibc-2.31
  • Safe-linking bypass strategies
  • Updated versions of classic techniques
  • Tcache hardening workarounds

Contents

  • Code samples - Working exploits for glibc-2.31
  • Documentation - Explanation of technique adaptations
  • Comparison - How techniques differ from older glibc versions

Why It Matters

glibc-2.31 introduced significant security improvements:
  • Safe-linking in tcache and fastbins
  • Additional consistency checks
  • Hardened chunk metadata validation
This resource shows how to adapt classic techniques to work despite these mitigations.
Even if you’re working with newer glibc versions, understanding 2.31-specific techniques provides insight into mitigation bypass strategies.

Intermediate Era (2015-2019)

Resources from this period bridge classic techniques and modern mitigations.

Painless Intro to Linux Heap

Gentle introduction to heap internals (2017)

ptmalloc Fanzine

Meta-data attacks on ptmalloc (2016)

Painless Intro to the Linux Userland Heap

Publisher: Sensepost
Published: 2017
URL: https://sensepost.com/blog/2017/painless-intro-to-the-linux-userland-heap/

What It Covers

  • Heap memory management fundamentals
  • malloc/free implementation
  • Basic heap vulnerabilities
  • Exploitation primitives

Target Audience

  • Beginners - No prior heap exploitation knowledge required
  • Security researchers - Transitioning to heap exploitation
  • CTF players - Building foundational knowledge

Key Strengths

  • Accessible writing style - Complex concepts explained simply
  • Visual aids - Diagrams illustrating heap structures
  • Practical focus - Emphasis on exploitation rather than theory
  • Good foundation - Prepares readers for advanced techniques
  1. How malloc allocates memory
  2. Chunk structure and metadata
  3. Freelist organization
  4. Basic overflow scenarios
  5. Use-after-free vulnerabilities
  6. Double free exploitation

ptmalloc Fanzine

Author: tukan
Published: 2016
URL: http://tukan.farm/2016/07/26/ptmalloc-fanzine/

What It Covers

  • Deep dive into ptmalloc (glibc’s malloc implementation)
  • Meta-data manipulation techniques
  • Advanced exploitation primitives
  • Chunk consolidation attacks

Format

  • Collection of articles and examples
  • Focus on meta-data corruption
  • Real-world vulnerability analysis

Why It’s Important

This resource focuses on attacking malloc’s internal data structures rather than application data. Techniques include:
  • Arena manipulation - Exploiting multi-threaded heap behavior
  • Chunk consolidation - Triggering unintended coalescing
  • Meta-data corruption - Modifying chunk headers for exploitation
Advanced material - recommended after understanding basic heap exploitation concepts.

Glibc Adventures: The Forgotten Chunks

Author: bash-c
Published: 2015
URL: https://github.com/bash-c/slides/blob/master/pwn_heap/Glibc%20Adventures:%20The%20forgotten%20chunks.pdf

What It Covers

  • Advanced heap exploitation techniques
  • Unusual heap states and edge cases
  • “Forgotten chunks” - chunks in unexpected states
  • Novel exploitation primitives

Format

  • Presentation slides (PDF)
  • Technical deep-dive
  • Focus on advanced scenarios

Key Concepts

  1. Forgotten chunks - Chunks that exist in multiple freelists
  2. State confusion - Exploiting malloc’s assumptions about chunk states
  3. Advanced unlinking - Sophisticated unlink attack variations
  4. Arena exploitation - Multi-threaded heap corruption

Target Audience

  • Advanced heap exploiters
  • CTF players working on hard challenges
  • Security researchers developing novel techniques
This is advanced material that assumes solid understanding of heap internals and basic exploitation techniques.

Historical Resources (Pre-2015)

Classic heap exploitation literature that established foundational techniques. While some techniques no longer work on modern systems, they provide essential context.

Phrack Articles

Seminal heap exploitation papers

Understanding the Heap

BlackHat 2007 paper (Ferguson)

Phrack Articles (The Canon)

Phrack magazine published several influential heap exploitation articles:

Pseudomonarchia jemallocum (2012)

Issue: Phrack 68
Article: 10
URL: http://www.phrack.org/issues/68/10.html
  • Focuses on jemalloc (alternative to glibc malloc)
  • Exploitation techniques for non-glibc heaps
  • Relevant for Firefox, FreeBSD exploitation

The House Of Lore: Reloaded (2010)

Issue: Phrack 67
Article: 8
URL: http://phrack.org/issues/67/8.html
  • Updated House of Lore technique
  • Smallbin freelist exploitation
  • Bypassing then-current mitigations

Malloc Des-Maleficarum (2009)

Issue: Phrack 66
Article: 10
URL: http://phrack.org/issues/66/10.html
  • Collection of malloc exploitation techniques
  • “House of” techniques anthology
  • Historical significance for technique naming conventions
Covers:
  • House of Prime
  • House of Mind
  • House of Force
  • House of Spirit
  • And more…
  • House of Prime - Exploiting fastbin allocation
  • House of Mind - Arena corruption
  • House of Force - Top chunk manipulation
  • House of Lore - Smallbin attack
  • House of Spirit - Fake chunk creation
  • House of Orange - File stream exploitation (later)
  • House of Einherjar - Off-by-one to consolidation
  • House of Roman - Leakless exploitation

Yet Another free() Exploitation Technique (2009)

Issue: Phrack 66
Article: 6
URL: http://phrack.org/issues/66/6.html
  • Novel free() exploitation method
  • Chunk consolidation abuse
  • Historical technique (mitigated in modern glibc)

The Use of set_head to Defeat the Wilderness (2007)

Issue: Phrack 64
Article: 9
URL: http://phrack.org/issues/64/9.html
  • Top chunk (wilderness) exploitation
  • Precursor to House of Force
  • Historical context for modern techniques

Advanced Doug lea’s malloc exploits (2003)

Issue: Phrack 61
Article: 6
URL: http://phrack.org/issues/61/6.html
  • One of the earliest heap exploitation papers
  • Foundational techniques
  • Unlink exploitation
  • Historical importance
These Phrack articles established the terminology and conceptual framework still used today. Reading them provides historical context and insight into the evolution of heap exploitation.

Understanding the Heap by Breaking It

Author: Chris Valasek (Ferguson)
Presented: BlackHat USA 2007
URL: https://www.blackhat.com/presentations/bh-usa-07/Ferguson/Whitepaper/bh-usa-07-ferguson-WP.pdf

What It Covers

  • Heap implementation details
  • Exploitation techniques circa 2007
  • Practical exploitation examples
  • Debugging heap exploits

Why It’s Still Valuable

  • Pedagogical clarity - Explains concepts very clearly
  • Implementation details - Deep dive into malloc internals
  • Historical context - Shows pre-mitigation exploitation
  • Foundational knowledge - Core concepts still relevant

Contents

  1. Heap allocation mechanisms
  2. Chunk management
  3. Freelist structures
  4. Unlink exploitation
  5. Frontlink exploitation
  6. Double free attacks
Many specific techniques from this paper are mitigated in modern glibc, but the conceptual understanding remains valuable.

Additional Historical Resources

OS X Heap Exploitation Techniques (2005)

Issue: Phrack 63
Article: 5
URL: http://phrack.org/issues/63/5.html
  • Platform-specific heap exploitation
  • Demonstrates heap exploitation isn’t Linux-specific
  • Historical reference

The Malloc Maleficarum (2005)

Author: Phantasmal Phantasmagoria
URL: http://seclists.org/bugtraq/2005/Oct/118
  • Early comprehensive heap exploitation guide
  • Predecessor to Des-Maleficarum
  • Historical significance

Exploiting The Wilderness (2004)

URL: http://seclists.org/vuln-dev/2004/Feb/25
  • Early top chunk exploitation
  • Foundational concept for House of Force
  • Historical reference

Learning Path Recommendations

For Complete Beginners

  1. Start here: Painless Intro to the Linux Userland Heap
  2. Then: glibc In-Depth Tutorial - Chapters 1-4
  3. Practice: Work through how2heap basic examples
  4. Continue: glibc In-Depth Tutorial - Chapters 5+
  5. Modern techniques: Overview of GLIBC Heap Exploitation

For Intermediate Learners

  1. Review: glibc In-Depth Tutorial
  2. Modern focus: Heap Exploitation on glibc-2.31
  3. Comprehensive overview: Overview of GLIBC Heap Exploitation
  4. Advanced concepts: ptmalloc Fanzine
  5. Practice: Work through all how2heap examples

For Advanced Practitioners

  1. Modern techniques: Overview of GLIBC Heap Exploitation
  2. Advanced topics: Glibc Adventures: The Forgotten Chunks
  3. Historical context: Phrack articles (understand evolution)
  4. Cutting edge: how2heap latest techniques (house_of_water, house_of_tangerine)
  5. CTF challenges: Apply knowledge to real challenges

For Historical Understanding

  1. Foundation: Advanced Doug lea’s malloc exploits (2003)
  2. Expansion: Understanding the Heap by Breaking It (2007)
  3. Techniques: Malloc Des-Maleficarum (2009)
  4. Modern view: Overview of GLIBC Heap Exploitation (2022)
  5. See evolution: Compare techniques across eras
Understanding the historical evolution helps you predict future mitigation directions and develop novel bypass techniques.

Additional Learning Resources

Books

  • “The Shellcoder’s Handbook” - Includes heap exploitation chapters
  • “Hacking: The Art of Exploitation” - Basic heap exploitation introduction
  • “A Guide to Kernel Exploitation” - Advanced memory corruption (kernel focus)

Online Courses

  • PWN College - Free course with heap exploitation modules
  • Nightmare - CTF-focused exploitation course
  • ROP Emporium - While ROP-focused, useful for exploitation fundamentals

Practice Platforms

  • pwnable.kr - Various heap challenges
  • pwnable.tw - Advanced heap exploitation challenges
  • HackTheBox - Retired boxes with heap exploitation

Next Steps

CTF Challenges

Apply tutorial knowledge to real CTF challenges

Techniques

Explore specific techniques in the how2heap collection

Build docs developers (and LLMs) love

Get started for freeTalk to us