# shellphish/how2heap

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/shellphish-how2heap).**

8,444 stars · 1,248 forks · C · MIT

## Links

- GitHub: https://github.com/shellphish/how2heap
- awesome-repositories: https://awesome-repositories.com/repository/shellphish-how2heap.md

## Description

how2heap is an educational resource and technical testbed for learning heap-based vulnerabilities and memory allocator internals. It provides a collection of source code examples and binaries that serve as a laboratory for studying memory corruption techniques specifically targeting the glibc malloc implementation.

The project focuses on the development of exploit primitives, such as tcache poisoning and double frees, to redirect program execution. It includes a suite of implementations for bypassing memory protections and manipulating heap metadata to achieve arbitrary memory writes.

The framework covers a wide range of memory corruption capabilities, including chunk manipulation, metadata corruption, and thread-local cache attacks. It also provides tools for reversing pointer obfuscation and analyzing heap hardening mechanisms.

The project includes a containerized environment for provisioning lab workspaces, allowing binaries to be compiled against specific system library versions to simulate different allocator behaviors.

## Tags

### Part of an Awesome List

- [Binary Exploitation](https://awesome-repositories.com/f/awesome-lists/security/binary-exploitation.md) — Provides a comprehensive educational resource and laboratory for learning binary exploitation and heap vulnerabilities.
- [Exploit Development](https://awesome-repositories.com/f/awesome-lists/devtools/exploit-development.md) — Offers a technical testbed for developing and testing primitives like tcache poisoning and double frees.
- [Bin Poisoning](https://awesome-repositories.com/f/awesome-lists/security/exploitation-tricks/bin-poisoning.md) — Tricks the allocator into returning a pointer to an arbitrary location by overwriting forward pointers. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.35/tcache_poisoning.c))
- [Freelist Manipulation](https://awesome-repositories.com/f/awesome-lists/security/exploitation-tricks/freelist-manipulation.md) — Abuses the tcache freelist to trick the allocator into returning arbitrary aligned pointers. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_tangerine.c))
- [Cache Poisoning](https://awesome-repositories.com/f/awesome-lists/security/web-cache-poisoning/cache-poisoning.md) — Redirects allocations to target addresses by inserting arbitrary pointers into thread-local cache bins. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.27/tcache_metadata_poisoning.c))

### Security & Cryptography

- [Glibc Heap Exploitation](https://awesome-repositories.com/f/security-cryptography/glibc-heap-exploitation.md) — Provides a laboratory for studying and implementing memory corruption techniques targeting the glibc malloc implementation.
- [Heap Exploit Primitives](https://awesome-repositories.com/f/security-cryptography/heap-exploit-primitives.md) — Implements techniques to trick the allocator into returning stack addresses through double-free vulnerabilities. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.35/fastbin_dup_into_stack.c))
- [Bypass Techniques](https://awesome-repositories.com/f/security-cryptography/heap-security-hardening/bypass-techniques.md) — Provides implementations for bypassing memory protection mechanisms by manipulating chunk pointers. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_lore.c))
- [Allocator Metadata Manipulation](https://awesome-repositories.com/f/security-cryptography/runtime-memory-manipulation/allocator-metadata-manipulation.md) — Demonstrates how to overwrite internal allocator structures such as chunk sizes and forward pointers for memory access.
- [Arbitrary Heap Writes](https://awesome-repositories.com/f/security-cryptography/arbitrary-heap-writes.md) — Implements techniques to write pointers to arbitrary heap locations by manipulating tcache indices. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.41/tcache_relative_write.c))
- [Chunk Overlapping](https://awesome-repositories.com/f/security-cryptography/chunk-overlapping.md) — Provides implementations for tricking allocators into merging memory regions to allow active chunk overwrites.
- [Freelist Poisoning](https://awesome-repositories.com/f/security-cryptography/freelist-poisoning.md) — Implements forged pointer injection into tcache or fastbin lists to achieve arbitrary memory returns.
- [Hardening Analysis](https://awesome-repositories.com/f/security-cryptography/heap-security-hardening/hardening-analysis.md) — Evaluates memory protection mechanisms by triggering bypasses and monitoring allocation statistics. ([source](https://github.com/shellphish/how2heap#readme))
- [Hardening Evaluation](https://awesome-repositories.com/f/security-cryptography/heap-security-hardening/hardening-evaluation.md) — Tests how memory protections mitigate exploitation by configuring environment variables and internal checks. ([source](https://github.com/shellphish/how2heap/blob/master/README.md))
- [Large Bin Attacks](https://awesome-repositories.com/f/security-cryptography/large-bin-attacks.md) — Provides implementations for overwriting target memory addresses by manipulating large bin pointers. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.35/large_bin_attack.c))
- [Leakless Exploitation](https://awesome-repositories.com/f/security-cryptography/leakless-exploitation.md) — Implements attacks that redirect execution to a shell using relative overwrites without an initial memory leak. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c))
- [Pointer Deobfuscation](https://awesome-repositories.com/f/security-cryptography/pointer-deobfuscation.md) — Provides tools to recover original memory addresses by reversing XOR-based safe linking protections.

### Education & Learning Resources

- [Educational Examples](https://awesome-repositories.com/f/education-learning-resources/educational-examples.md) — Provides a collection of source code examples and binaries to teach low-level memory management flaws.
- [Vulnerable Lab Environments](https://awesome-repositories.com/f/education-learning-resources/vulnerable-lab-environments.md) — Provides a containerized lab environment with compilers and debuggers to reproduce memory corruption vulnerabilities.

### Operating Systems & Systems Programming

- [Allocator Testbeds](https://awesome-repositories.com/f/operating-systems-systems-programming/allocator-testbeds.md) — Ships a containerized environment for compiling and analyzing how different glibc versions handle heap allocations.
- [Exploit Primitives](https://awesome-repositories.com/f/operating-systems-systems-programming/heap-analyzers/heap-corruption-detection/exploit-primitives.md) — Implements practical techniques for bypassing memory protections and manipulating heap metadata for arbitrary writes.
- [Metadata Hijacking](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/process-and-memory-management/memory-management/buffer-and-cache-management/chunked-memory-management/world-chunking/heap-metadata-analyzers/metadata-hijacking.md) — Redirects subsequent allocations to arbitrary addresses by overwriting per-thread cache structures. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.42/tcache_metadata_hijacking.c))
- [Metadata Manipulation](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/process-and-memory-management/memory-management/buffer-and-cache-management/chunked-memory-management/world-chunking/heap-metadata-analyzers/metadata-manipulation.md) — Transforms use-after-free vulnerabilities into primitives that control allocator metadata via linked list manipulation. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.36/house_of_water.c))
- [Heap Corruption Detection](https://awesome-repositories.com/f/operating-systems-systems-programming/heap-analyzers/heap-corruption-detection.md) — Demonstrates how to corrupt fastbin pointers to treat stack addresses as heap chunks. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.35/fastbin_reverse_into_tcache.c))
- [Hardening Bypass Analysis](https://awesome-repositories.com/f/operating-systems-systems-programming/heap-analyzers/heap-corruption-detection/hardening-bypass-analysis.md) — Analyzes methods for bypassing heap hardening and protection mechanisms using internal metadata manipulation.
- [Arena Hijacking](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/process-and-memory-management/memory-management/allocation-strategies/arena-based-memory-management/arena-hijacking.md) — Implements techniques to replace the main arena structure with a fake arena for arbitrary memory writes.
- [Arena Hijacking](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/process-and-memory-management/memory-management/allocation-strategies/dynamic-memory-allocation/arena-allocators/arena-hijacking.md) — Achieves arbitrary memory writes by replacing the main arena with a crafted fake arena. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.24/house_of_gods.c))
- [Memory Allocation Tracers](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/process-and-memory-management/memory-management/allocation-strategies/dynamic-memory-allocation/memory-allocation-tracers.md) — Includes diagnostics and statistics to monitor allocation patterns and identify memory corruption. ([source](https://github.com/shellphish/how2heap/blob/master/README.md))
- [Chunk Size Corruption](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/process-and-memory-management/memory-management/buffer-and-cache-management/chunked-memory-management/heap-chunk-identification/chunk-size-corruption.md) — Creates arbitrary bins for corruption by manipulating the wilderness chunk size. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.39/sysmalloc_int_free.c))
- [Stashing Unlink Attacks](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/process-and-memory-management/memory-management/buffer-and-cache-management/chunked-memory-management/heap-chunk-identification/stashing-unlink-attacks.md) — Creates fake memory chunks and writes arbitrary addresses by manipulating smallbin to tcache transfers. ([source](https://github.com/shellphish/how2heap/blob/master/glibc_2.35/tcache_stashing_unlink_attack.c))

### Data & Databases

- [Interactive Manipulators](https://awesome-repositories.com/f/data-databases/in-memory-databases/in-memory-state-stores/heap-inspection-tools/production-heap-monitors/heap-visualization/interactive-manipulators.md) — Provides a programmable interface to manually allocate and free memory chunks to observe real-time heap behavior. ([source](https://github.com/shellphish/how2heap#readme))
