abelrguezr/libc-protections
skills/binary-exploitation/common-binary-protections-and-bypasses/libc-protections/SKILL.md
How to understand and bypass modern libc memory protections including chunk alignment, pointer mangling, safe-linking, and pointer guard. Use this skill whenever working on heap exploitation, binary exploitation challenges, CTF heap tasks, analyzing glibc vulnerabilities, or when you need to understand how to leak and demangle pointers in modern glibc versions (2.32+). Make sure to use this skill when you mention heap, glibc, malloc, fastbin, tcache, pointer guard, safe-linking, or any binary exploitation context.
$ install --global
skillsauthnpx skillsauth add abelrguezr/hacktricks-skills libc-protectionsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:08 AM57.3s2 files scanned
SKILL.md
- name:
- libc-protections
- description:
- How to understand and bypass modern libc memory protections including chunk alignment, pointer mangling, safe-linking, and pointer guard. Use this skill whenever working on heap exploitation, binary exploitation challenges, CTF heap tasks, analyzing glibc vulnerabilities, or when you need to understand how to leak and demangle pointers in modern glibc versions (2.32+). Make sure to use this skill when you mention heap, glibc, malloc, fastbin, tcache, pointer guard, safe-linking, or any binary exploitation context.
Libc Protections Guide
A practical guide to understanding and bypassing modern glibc memory protections for binary exploitation and CTF challenges.
When to Use This Skill
Use this skill when:
- You're working on heap exploitation challenges
- You need to understand glibc memory protections
- You're analyzing a binary with modern glibc (2.32+)
- You need to demangle pointers or understand pointer guard
- You're stuck on a CTF heap challenge
- You need to understand chunk alignment requirements
Chunk Alignment Enforcement
What It Is
Malloc allocates memory in 8-byte (32-bit) or 16-byte (64-bit) groupings. The security feature checks that each chunk aligns correctly before using a pointer from a bin.
Impact on Exploitation
- 64-bit systems: Fake chunks can only be placed at 1 out of every 16 addresses
- 32-bit systems: Fake chunks can only be placed at 1 out of every 8 addresses
- Fastbin attacks on
__malloc_hook: No longer viable due to strict alignment requirements
Practical Implications
When crafting fake chunks, ensure the address ends in:
- 64-bit:
0x0(16-byte aligned) - 32-bit:
0x8(8-byte aligned)
Note: Since glibc 2.34, legacy hooks (
__malloc_hook,__free_hook) are removed from the exported ABI. Modern exploits target tcache per-thread structs, vtable-style callbacks, or usesetcontextand_IO_list_allprimitives.
Pointer Mangling
The Formula
New_Ptr = (L >> 12) XOR P
Where:
- L = Storage Location of the pointer
- P = Actual fastbin/tcache Fd Pointer
Why It Matters
Pointer mangling prevents:
- Partial pointer overwrites without heap leaks
- Relative overwrites (like House of Roman) without brute-forcing
- Tcache/fastbin poisoning without knowing exact addresses
Demangling with a Heap Leak
If you have a heap leak, you can recover the original pointer:
def demangle(leaked_fd, storage_location):
return leaked_fd ^ (storage_location >> 12)
Safe-Linking Bypass
When both the corrupted chunk and victim chunk share the same 4KB page, you can recover the original pointer using just the page offset. If they're on different pages, brute-forcing the 12-bit page offset (0x1000 possibilities) becomes necessary.
// leaked_fd is the mangled Fd read from the chunk on the same page
uintptr_t l = (uintptr_t)&chunk->fd; // storage location
uintptr_t original = (leaked_fd ^ (l >> 12)); // demangle
Pointer Guard
What It Does
Pointer guard scrambles function pointers by XORing them with a secret from thread data (fs:0x30) and applying a left rotation of 0x11 bits.
Bypassing with a Leak
- Find a known function pointer (e.g.,
__pthread_attr_destroy) - Read its mangled version from memory
- Compute the secret:
secret = (mangled >> 0x11) XOR known_address - Use the secret to demangle other pointers
Practical Attack
def demangle_pointer_guard(mangled, secret):
# Reverse the rotation
rotated = ((mangled << 0x11) | (mangled >> (64 - 0x11))) & 0xFFFFFFFFFFFFFFFF
# XOR with secret
return rotated ^ secret
GLIBC Tunables
The Vulnerability
The dynamic loader parses GLIBC_TUNABLES before program startup. Mis-parsing bugs here affect libc before most mitigations kick in.
CVE-2023-4911 (Looney Tunables)
An overlong GLIBC_TUNABLES value overflows internal buffers in ld.so, enabling privilege escalation on many distros when combined with SUID binaries.
Exploitation
- Craft a malicious
GLIBC_TUNABLESenvironment variable - Invoke the target SUID binary
- The overflow happens before heap setup, bypassing pointer guard and safe-linking
Practical Workflow
Step 1: Identify the Protection
Check glibc version and enabled protections:
ldd --version # Check glibc version
Step 2: Get a Heap Leak
Use unmangled pointers from unsorted, small, or large bins.
Step 3: Demangle Pointers
Apply the demangling formula with your leaked values.
Step 4: Craft Your Exploit
Account for alignment requirements and pointer mangling in your fake chunks.
Tools and Resources
- mdulin2/mangle - Pointer mangling implementation
- shellphish/how2heap - Heap exploitation examples
- Wiz CVE-2023-4911 - Looney Tunables write-up
Common Pitfalls
- Forgetting alignment: Fake chunks must be properly aligned
- Wrong demangling formula: Remember it's
(L >> 12) XOR P, notL XOR (P >> 12) - Ignoring page boundaries: Safe-linking bypass requires same-page chunks
- Missing the secret: Pointer guard requires computing the secret first
Related Skills
abelrguezr/house-of-lore-exploit
testing
VerifiedTrustedCommunity
How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-force-exploit
testing
VerifiedTrustedCommunity
How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-einherjar
tools
VerifiedTrustedCommunity
How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/heap-overflow-exploitation
testing
VerifiedTrustedCommunity
How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
5SKILL.mdUpdated Apr 16, 2026