In this sixth part of our Exploit 101 series, we dive deeper into Advanced Heap Exploitation, covering heap metadata corruption, fastbin attacks, unlink exploitation, and other modern heap exploitation techniques.
Understanding the Heap Allocator
Most Linux systems use glibc's ptmalloc2 as the heap allocator. Understanding its structure is key to exploiting heap vulnerabilities.
Heap Chunk Structure (ptmalloc2)
A heap chunk consists of the following fields:
+--------------------+
| Prev Size | (If previous chunk is free)
+--------------------+
| Size | (Size of this chunk + metadata flags)
+--------------------+
| User Data | (Allocated memory returned to malloc caller)
+--------------------+
| Padding | (Aligns chunk size to 8/16 bytes)
+--------------------+
| Next Chunk Size | (Size of next chunk if it's free)
+--------------------+
Key Heap Attack Techniques
- Fastbin Duplication Attack – Abusing fastbins to allocate memory at arbitrary locations.
- Unlink Exploitation – Manipulating free chunk pointers to overwrite critical data.
- House of Force – Expanding the top chunk to overwrite memory regions.
- House of Spirit – Allocating fake chunks to bypass protections.
- House of Corrosion – Attacking heap metadata corruption.
Exploit 1: Fastbin Duplication Attack
Vulnerable C Code
#include <stdio.h>
#include <stdlib.h>
int main() {
char *a = malloc(64);
char *b = malloc(64);
free(a);
free(b);
char *c = malloc(64); // Reuses the same chunk
strcpy(c, "Exploited!");
printf("%s\n", c);
return 0;
}
Exploiting Fastbin Duplication
- Run the binary under GDB:
gdb -q ./fastbin_exploit - Set breakpoints after
free()to inspect heap:heap bins - Corrupt the fastbin list to allocate memory at an arbitrary address.
Exploit 2: Unlink Exploitation
Vulnerable C Code
#include <stdio.h>
#include <stdlib.h>
struct Chunk {
struct Chunk *fd;
struct Chunk *bk;
};
int main() {
struct Chunk *a = malloc(sizeof(struct Chunk));
struct Chunk *b = malloc(sizeof(struct Chunk));
free(a);
free(b);
a->fd = (struct Chunk*)&a - 2;
a->bk = (struct Chunk*)&a - 1;
malloc(sizeof(struct Chunk));
return 0;
}
Exploiting Unlink Attack
When malloc() reuses freed memory, unlink() writes to an arbitrary address, leading to control of program execution.
Heap Exploitation Mitigations
Modern Linux systems implement heap protections:
- Safe Linking – Protects against fastbin corruption.
- Heap Canaries – Detects overflows before they corrupt metadata.
- tcache (Thread Cache) – Prevents simple fastbin abuse.
- ASLR (Address Space Layout Randomization) – Makes address prediction difficult.
Bypassing Protections
- Heap Spraying – Flooding memory with controlled data to predict allocation.
- Leaking Heap Addresses – Using format string vulnerabilities or memory leaks.
- Brute Forcing – Attempting multiple allocations to find predictable heap structures.
Conclusion
Advanced heap exploitation requires deep knowledge of heap internals, allocator behavior, and bypassing modern mitigations. In the next part, we will cover Kernel Exploitation Techniques.
Stay tuned for Exploit 101: Part 7 – Kernel Exploitation Basics!



