explaingit

shellphish/how2heap

8,641 · C · Audience · researcher · Complexity · 5/5 · Setup · hard

TLDR

A collection of C programs demonstrating real heap memory exploitation techniques used in security research and CTF competitions, each with step-by-step comments explaining how the attack works.

Mindmap

mindmap
  root((how2heap))
    What it does
      Heap exploit demos
      Step by step comments
      CTF challenge refs
    Techniques
      Fastbin dup
      Tcache poisoning
      House of Spirit
    Tech
      C source files
      Linux glibc
    Audience
      Security students
      CTF competitors
      Researchers

Things people build with this

USE CASE 1

Study a specific heap exploitation technique by reading and running its self-contained C file on a matching Ubuntu and glibc version.

USE CASE 2

Prepare for CTF competitions by working through real challenge examples that required each allocator trick.

USE CASE 3

Learn which glibc versions are vulnerable to which heap techniques and what patches addressed them.

Tech stack

C · Linux · glibc

Getting it running

Difficulty · hard · Time to first run · 1h+

Each exploit targets a specific glibc version; you must run it on a matching Ubuntu release or the technique will not behave as documented.

No license terms are stated in the README.

In plain English

how2heap is a collection of C programs, each demonstrating a different technique for exploiting the way Linux manages heap memory. The heap is a region of a program's memory used to store data dynamically at runtime, and it is managed by a system library called glibc. When that library has bugs or when a program misuses memory allocation, attackers can sometimes manipulate the heap's internal bookkeeping structures to cause the allocator to return pointers to unexpected memory locations, which can lead to control of the program.

Each file in the repository demonstrates one such technique in isolation, with readable code and comments explaining what is happening step by step. Techniques include things like tricking the allocator into returning a chunk of memory that is already in use, writing arbitrary values to addresses outside the intended allocation, and causing overlapping memory regions. The README is a large table mapping each file to the specific glibc versions it applies to, links to the patches that fixed the issue in later versions, and references to real competition challenges where the technique appeared.

This project comes from the CTF competition community. CTFs, or Capture the Flag events, are security competitions where participants solve challenges involving exploiting software vulnerabilities. Many of the techniques here are demonstrated alongside past CTF challenges that required them. The repository also integrates with a browser-based debugging environment, so some techniques can be stepped through interactively without setting up a local environment.

The target audience is security students, researchers, and CTF competitors who want to understand low-level memory exploitation. Each example is meant to be compiled and run on a Linux system running the corresponding Ubuntu and glibc version listed in the table. There is no graphical interface, no installer, and no turnkey tool. This is a learning resource made of documented C source files, aimed at people who are already comfortable with C programming and want to study how heap exploits work.
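As an added illustration (not code from how2heap) of the kind of mitigation those later-version patches introduce: glibc 2.32 added safe-linking, which stores the singly-linked next pointer of a free tcache or fastbin chunk XORed with the high bits of the field's own address, and pairs it with an alignment check on the revealed pointer. The addresses below are constructed sample values, and walk_entry is a simplified model of the allocator's check, not glibc's code; the protection only holds while heap addresses stay unknown, which is why a heap-address leak alongside a heap bug should be treated as serious.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of glibc's safe-linking (malloc/malloc.c, glibc >= 2.32).
 * PROTECT_PTR(pos, ptr) stores  (pos >> 12) ^ ptr  in the free chunk's
 * next field, where pos is the address of that field.  The mask is the
 * page-number part of a heap address, so it is unknown to anyone who
 * has not leaked a heap pointer.  The low 12 bits are dropped because
 * page alignment fixes them and they would carry no secret. */
static uintptr_t protect_ptr(uintptr_t pos, uintptr_t ptr) {
    return (pos >> 12) ^ ptr;
}

/* REVEAL_PTR is the same operation: XOR with the same mask undoes it. */
static uintptr_t reveal_ptr(uintptr_t pos, uintptr_t mangled) {
    return (pos >> 12) ^ mangled;
}

/* Simplified model of what the allocator does with one stored next
 * field when it walks a tcache bin: un-mangle it and enforce the
 * 16-byte alignment check that glibc pairs with safe-linking
 * ("malloc(): unaligned tcache chunk detected").
 * Returns the next free chunk, or 0 if the check fails (glibc aborts). */
uintptr_t walk_entry(uintptr_t pos, uintptr_t stored_next) {
    uintptr_t next = reveal_ptr(pos, stored_next);
    if (next != 0 && (next & 0xf) != 0)
        return 0;
    return next;
}

/* Constructed sample addresses (not taken from any real run). */
#define DEMO_POS         0x55d4c0a2b2a0ULL  /* next field of a free chunk */
#define DEMO_LEGIT_NEXT  0x55d4c0a2b2f0ULL  /* genuine next free chunk */
#define DEMO_FORGED_NEXT 0x7ffd1234abc0ULL  /* raw pointer written into the
                                               field without knowing the
                                               heap address */

int main(void) {
    uintptr_t stored = protect_ptr(DEMO_POS, DEMO_LEGIT_NEXT);
    printf("stored next field : 0x%llx\n", (unsigned long long)stored);
    printf("allocator sees    : 0x%llx\n",
           (unsigned long long)walk_entry(DEMO_POS, stored));
    /* A raw address in the field decodes to an unrelated value; here it
     * is also unaligned, so the check fires instead of returning it. */
    printf("forged field      : 0x%llx -> %s\n",
           (unsigned long long)DEMO_FORGED_NEXT,
           walk_entry(DEMO_POS, DEMO_FORGED_NEXT) ? "accepted" : "rejected");
    return 0;
}
```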

Copy-paste prompts

Prompt 1
Using the how2heap tcache_poisoning example as a reference, walk me through each malloc call and explain what internal allocator state changes at each step.
Prompt 2
Based on the how2heap fastbin_dup technique, write me a minimal C program that uses a double-free bug to make malloc return a pointer to a memory address I choose.
Prompt 3
I'm preparing for a CTF heap challenge on Ubuntu 20.04 with glibc 2.31. Which how2heap techniques still work on that version and which have been patched?
Prompt 4
Explain the glibc safe-linking mitigation and show me how it changes the tcache exploitation techniques demonstrated in how2heap.
Prompt 5
I want to step through the how2heap house_of_spirit example in a debugger. Give me the GDB commands to set breakpoints, inspect the heap chunks, and confirm the fake chunk is returned by malloc.