abelrguezr/heap-overflow-exploitation
skills/binary-exploitation/libc-heap/heap-overflow/SKILL.md
How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
$ install --global
skillsauthnpx skillsauth add abelrguezr/hacktricks-skills heap-overflow-exploitationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:11 AM41.1s2 files scanned
SKILL.md
- name:
- heap-overflow-exploitation
- description:
- How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
Heap Overflow Exploitation
A skill for understanding and exploiting heap overflow vulnerabilities.
What is a Heap Overflow?
A heap overflow occurs when data written to a heap-allocated buffer exceeds its allocated size, overwriting adjacent memory. Unlike stack overflows, heap chunks don't contain sensitive control data by default, but the criticality depends on what data can be overwritten.
Key Differences: Stack vs Heap Overflows
Stack Overflows
- Linear memory layout
- Predictable structure with registers and frame pointers
- Sensitive data (instruction pointer, return addresses) stored by default
Heap Overflows
- Non-linear memory with separated chunks
- Organized by bins and zones based on size
- Reuses freed memory before allocating new chunks
- Challenge: Difficult to predict which object will collide with the vulnerable chunk
Finding Overflow Offsets
Use the same pattern generation techniques as stack overflows to determine the exact offset where the overflow begins. See scripts/generate_pattern.py for creating cyclic patterns.
Heap Grooming
Heap grooming is a technique to force specific memory layouts by:
- Allocating multiple chunks to fill free lists
- Freeing specific chunks to create predictable patterns
- Allocating victim objects in desired positions
iOS Kernel Example
- When a zone runs out of memory, it expands by a kernel page
- Pages are split into chunks of expected sizes
- Out-of-line allocation with mach ports allows exact size specification
- Free lists release elements in LIFO order
Common Exploitation Techniques
1. Edit Free Chunk
- Overwrite the prev-in-use bit of the next chunk
- Modify the prev_size field
- Consolidate a used chunk (making it appear unused)
- Reallocate to overwrite data in different pointers
2. Pointer Overwrite
- Overflow into a nearby chunk containing function pointers
- Replace with address of arbitrary data
- Trigger execution through the corrupted pointer
3. Command Injection
- Store executable commands in adjacent chunks
- Overwrite with controlled input
- Execute modified commands
Real-World Example: CVE-2025-40597
Vulnerability Details
- Target: SonicWall SMA100 firmware 10.2.1.15
- Module:
mod_httprp.so(reverse-proxy) - Root Cause: Misuse of
__sprintf_chkwith-1size parameter
The Bug
char *buf = calloc(0x80, 1);
__sprintf_chk(buf, -1, 0, "%s%s%s%s", "/", "https://", path, host);
The -1 parameter disables _FORTIFY_SOURCE bounds checking, allowing overflow of the 0x80-byte chunk.
Exploitation
import requests, warnings
warnings.filterwarnings('ignore')
requests.get(
'https://TARGET/__api__/',
headers={'Host': 'A'*750},
verify=False
)
Key Takeaways
- _FORTIFY_SOURCE is not a silver bullet
- Always pass correct buffer size to
_chkfamily functions - Prefer
snprintfoversprintf
Practical Workflow
Step 1: Identify the Vulnerability
- Look for heap allocations with insufficient bounds checking
- Check for
sprintf,strcpy,getson heap buffers - Verify size parameters in
_chkfunctions
Step 2: Map the Heap Layout
- Use GDB with
heapcommands - Identify adjacent chunks and their contents
- Determine what data can be overwritten
Step 3: Apply Heap Grooming
- Allocate chunks to control memory layout
- Free specific chunks to create desired patterns
- Allocate victim objects in predictable positions
Step 4: Craft the Exploit
- Calculate exact overflow offset
- Prepare payload to overwrite target data
- Trigger the vulnerability
Step 5: Verify and Refine
- Test with GDB to confirm memory corruption
- Adjust grooming if needed
- Finalize exploit for target environment
Tools and Resources
Debugging
- GDB with
heapcommands heap_explorepluginpwndbgheap visualization
Pattern Generation
cyclicfrom pwnlibpattern_createandpattern_offset- See
scripts/generate_pattern.pyfor custom patterns
References
- GuyInATuxedo - Heap Overflow Examples
- 8ksec - ARM64 Heap Overflow
- Auth-or-out HTB
- watchTowr Labs - CVE-2025-40597
Related Skills
abelrguezr/house-of-lore-exploit
testing
VerifiedTrustedCommunity
How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-force-exploit
testing
VerifiedTrustedCommunity
How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-einherjar
tools
VerifiedTrustedCommunity
How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/heap-unlink-exploitation
testing
VerifiedTrustedCommunity
How to analyze and exploit the unlink operation in glibc heap management. Use this skill whenever the user mentions heap exploitation, unlink attacks, glibc malloc, heap chunks, double-linked lists, heap leaks, libc leaks, or any CTF challenge involving heap memory corruption. This skill helps understand the unlink mechanism, security checks, and how to leak addresses from unlinked chunks.
5SKILL.mdUpdated Apr 16, 2026