HeapLAB - GLIBC Heap Exploitation

4-Day, 32 CPE Hour Training: August 2020 (Aug 8, 9, 11, 13)

Max Kamper

Abstract

For nearly 20 years, exploiting memory allocators has been something of an art form. Become a part of that legacy with HeapLAB.

The GNU C Library (GLIBC) is a fundamental part of most Linux desktop and many embedded distributions; its memory allocator is used in everything from starting threads to dealing with I/O. Learn how to leverage this vast attack surface with more than 10 different heap exploitation techniques, from the original "Unsafe Unlink" to the beautiful overflow-to-shell "House of Orange" and eventually to the cutting-edge "House of Corrosion". In this hands-on course, students will alternate between learning new techniques and developing their own exploits based on what they've learned.

SUGGESTED COMBO: INTRODUCTION TO 64-BIT EXPLOIT DEVELOPMENT

Key Learning Objectives

  • Introduction to the GLIBC memory allocator: "malloc"
  • The history of GLIBC heap exploitation
  • Understanding and bypassing different heap exploit mitigations
  • Hijacking the flow of execution with heap exploits
  • Leaking information with heap corruption
  • Learning the "Houses" of heap exploitation
  • Scripting heap exploits with pwntools
  • Debugging heap implementations with GDB

Who Should Attend

  • CTF team members who want to take on Linux heap challenges
  • Linux exploit developers who want to add another string to their bow
  • Anyone interested in "weird machines"

Agenda

Session 1:

  • An introduction to GLIBC and its memory allocator
  • GLIBC heap exploitation history
  • Tools of the trade
    • GDB and pwndbg
    • The pwntools library
  • The "House of Force" technique
    • The malloc() function
    • The "top" chunk
  • Hijacking the flow of execution
    • Malloc's hooks
    • "One-gadgets"
  • The "Fastbin Dup" technique
    • The free() function
    • Malloc's fastbins
    • Arenas
    • Defeating the fastbins double-free mitigation
    • Dealing with the fastbins size field check
  • CHALLENGE: "fastbin dup 2"

Session 2:

  • The "Unsafe Unlink" technique
    • Malloc's unsortedbin
    • Chunk coalescing
    • Defeating the "safe unlinking" checks
  • The "House of Orange" technique
    • File stream exploitation
    • The "Unsortedbin Attack"
    • Top chunk extension
    • Sorting
  • Info leaks via the heap
    • Leaking heap addresses
    • Leaking libc addresses
  • CHALLENGE: one-byte
    • Leverage a one-byte overflow against a modern pwnable

Session 3:

  • The "House of Spirit" technique
    • Passing corrupted values to free()
    • Designing fake chunks
  • The "House of Lore" technique
    • Poisoning the unsortedbin
    • Poisoning the smallbins
    • Poisoning the largebins
  • The "House of Einherjar" technique
  • The "House of Rabbit" technique
    • The malloc_consolidate() function
    • Moving fake chunks between bins
  • Project Zero's "Poison Null Byte" technique
  • CHALLENGE: poison null byte
    • Leverage a single null byte overflow against a modern pwnable

Session 4:

  • The "House of Corrosion" technique
    • Reviving the "House of Prime"
    • Defeating libio vtable integrity checks
    • Leveraging partial malloc metadata overwrites
    • Triggering file stream exploits via failed asserts
  • The Tcache
    • The "Tcache Dup" technique
    • Defeating the tcache double-free mitigation
  • CHALLENGE: "tcache troll"
    • Leverage a double-free against a modern pwnable
  • BONUS CHALLENGE: "optimize"

Pre-requisites

  • Confidence using command line tools
  • Some basic Python scripting skills
  • Familiarity with a debugging environment (e.g. GDB)

Hardware Requirements

  • Laptop - powerful enough to run VMs
  • 8GB RAM minimum
  • 35GB free HDD space minimum
  • USB-A slot or dongle to copy the course VM

Software Requirements

  • Windows / Linux / macOS
  • One of the following virtualization suites:
    • VMware Player
    • VMware Workstation
    • VMware Fusion
    • VirtualBox