Share
## https://sploitus.com/exploit?id=A2B593D5-FAD1-54D0-9C6C-45227A158A17
# Heap Mastery Course
> Learn heap vulnerability exploitation techniques from scratch β including advanced techniques like heap spraying and heap feng shui.
[](LICENSE)
[](https://www.linux.org/)
[](https://gcc.gnu.org/)
## Project Overview
This is a comprehensive heap vulnerability exploitation course designed for security beginners, CTF contestants, and security researchers. Through **7 progressively difficult levels**, you will gradually master advanced heap spraying and heap feng shui techniques.
### Key Features
- β
**7 progressive levels** β Smooth transition from basics to advanced skills
- β
**Step-by-step instruction** β Each level comes with detailed documentation and usage guides
- β
**Customized exploit programs** β Carefully designed for learning purposes
- β
**Complete solutions** β Code examples in Python and C language
- β
**Hint system** β Get hints when stuck
- β
**Docker environment** β Easily start an isolated training environment
- β
**Automated testing** β Verify all levels and exploit code
- β
**Modern technologies** β Includes Safe Linking, Tcache, and other latest technologies from 2024-2025
## Level Overview
| Level | Topic | Difficulty | Estimated Time | Core Technologies |
|------|------|------|----------|----------|
| [Level 0](level00_setup/) | Environment setup & basics | β | 1 hour | GDB, Pwndbg, heap basics |
| [Level 1](level01_overflow/) | Heap overflow basics | β | 2 hours | Chunk structure, heap metadata corruption |
| [Level 2](level02_uaf/) | Use-After-Free | ββ | 3 hours | UAF, heap reusing, dangling pointers |
| [Level 3](level03_fastbin_dup/) | Fastbin double free | βββ | 4 hours | Fastbin operations, double deallocation |
| [Level 4](level04_tcache/) | Tcache poisoning | βββ | 4 hours | Tcache mechanism, modern heap exploitation |
| [Level 5](level05_heap_spray/) | Heap spraying techniques | ββββ | 6 hours | Heap spraying, memory layout control |
| [Level 6](level06_feng_shui/) | Heap feng shui | βββββ | 8 hours | Precise heap layout, multi-bin coordination |
| [Level 7](level07_advanced/) | Advanced techniques & bypasses | βββββ+ | 12 hours | Safe Linking, House series |
## Quick Start
### Method 1: Docker (Recommended)
```bash
# Clone the repository
git clone https://github.com/yourusername/heap-mastery-course.git
cd heap-mastery-course
# Start the Docker environment
docker-compose up -d
# Enter the container
docker-compose exec course bash
# Build all levels
mkdir build && cd build
cmake.. make
# Test environment configuration./level00_setup/check_env
```
### Method 2: Local Installation
```bash
# Install dependencies
sudo apt-get update
sudo apt-get install -y build-essential gcc gdb python3 python3-pip
# Install Pwntools
pip3 install pwntools
# Install Pwndbg (Recommended)
cd ~
git clone https://github.com/pwndbg/pwndbg
cd pwndbg./setup.sh
# Build the project
mkdir build && cd build
cmake.. make
```
## Learning Path
1. **Start from Level 0** β Set up your debugging environment
2. **Learn in order** β Each level relies on the knowledge of the previous one
3. **Read documentation** β Understand the principles first, then practice
4. **Use hints** β Check hints.md when stuck
5. **Study solutions** β Compare with reference code in solution/
6. **Deep understanding** β Read the theoretical documents in `docs/`.
## File Structure for Each Level
```
levelXX_/
βββ README.md # Level description and challenges
βββ challenge/
β βββ vuln.c # Source code of the vulnerability program
β βββ vuln # Compiled binary file
β βββ flag.txt.template # Flag template (copied as flag.txt)
β βββ Makefile # Compilation script
βββ docs/
β βββ theory.md # Detailed explanation of technical principles
β βββ walkthrough.md # Step-by-step guide to exploitation
β βββ hints.md # Progressive hint system
βββ solution/
βββ exploit.py # Python exploitation script
βββ exploit.c # C language verification program
βββ solver.py # Automated solution tool
```
## Documentation
- [Course Introduction](docs/00_introduction.md) β Complete course overview
- [Prerequisites](docs/01_prerequisites.md) β Basic knowledge required
- [Environment Setup](docs/02_environment_setup.md) β Detailed environment setup guide
- [Debugging Tools](docs/03 DebuggingTools.md) β Usage guidelines for GDB/Pwndbg/Gef
- [Heap Internals](docs/04_heap_internals.md) β In-depth explanation of glibc malloc
- [Exploitation Using Protection Mechanisms](docs/05_exploit_mitigations.md) β Protection mechanisms like ASLR, PIE, etc.
## Testing
```bash
# Compile all levels
cd build && cmake.. && make
# Method 1: Use CMake to test targets (recommended)
make verify # Test all levels and exploitation scripts
make test_exploits # Alias for verify
# Method 2: Run the verification script directly./tests/verify_all.sh # Run from the build/ directory
# Test a specific level individually
cd level01_overflow/challenge
make flag # Create flag.txt./vuln # Run the vulnerability program
python3../../answer/exploit_solution.py # Run the exploitation script
# Compile with protections enabled
cmake -DENABLE_PROTECTIONS=ON.. make verify
```
### Explanation of the Verification Script
The `verify_all.sh` script will:
1. Create a `flag.txt` file for each level.
2. Run the corresponding `exploit_solution.py` script.
3. Check whether the flag was successfully obtained.
4. Generate a detailed test report.
## Example: Level 1 Challenge
```c
// level01_overflow/challenge/vuln.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void winner() {
char flag[64];
FILE *f = fopen("flag.txt", "r");
if (f == NULL) {
printf("Error: Create flag.txt first!\n");
return;
}
fread(flag, 1, sizeof(char), f);
printf("Flag: %s\n", flag);
}
int main() {
char *chunk1, *chunk2;
chunk1 = malloc(32);
chunk2 = malloc(32);
printf("Enter data for chunk1: ");
read(0, chunk1, 100); // Vulnerability: Heap overflow! If strcmp(chunk2, "pwned!") == 0, then execute winner().
free(chunk1);
free(chunk2);
return 0;
}
```
**Goal**: Control the content of chunk2 through a heap overflow, making it equal to "pwned!".
**Solution Hint**:
```bash
# Use the script
python3 -c "print('A'*33 + 'pwned!')" |./level01_overflow/challenge/vuln
```
## Technical Highlights
### Level 1-2: Basic Heap Vulnerabilities
- Understand heap chunk structures (fields like size, fd, bk, etc.)
- Master heap buffer overflows
- Learn about the βUse-After-Freeβ concept
### Level 3-4: Core Exploitation Techniques
- Fastbin double release mechanism
- Tcache poisoning (glibc 2.26+)
- Arbitrary address reading/writing primitives
### Level 5-6: Advanced Layout Techniques
- Heap spraying: Controlling memory layout
- Heap: Precise control over chunk positions
- Multi-bin coordination for exploitation
### Level 7: Expert-Level Techniques
- Bypass of safe linking (glibc 2.32+)
- House of Einherjar/Force techniques
- Bypassing modern protection mechanisms
## Frequently Asked Questions
### Q: What background do I need? A: You need to have:
- Basic knowledge of C language (pointers, structures, memory management)
- Knowledge of Linux command lines
- Basic debugging concepts
- (Optional) Experience with CTF Pwn challenges
### Q: Why choose a Docker environment? A: Docker provides:
- An isolated and secure environment
- A unified glibc version
- Pre-installed debugging tools
- Avoid contaminating the host system
### Q: What if I encounter difficulties? A: Follow this order:
1. Read the challenge documentation (theory.md)
2. Review the hints (hints.md)
3. Study the exploitation guide (walkthrough.md)
4. Refer to solution code (solution/)
5. Consult external resources (see below)
## Learning Resources
### Recommended Reading
- [how2heap](https://github.com/shellphish/how2heap) β Encyclopedia of heap exploitation techniques
- [glibc heap exploitation training](https://github.com/SecurityInnovation/glibc_heap_exploitation_training)
- [Azeria Labs - Heap Exploitation](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/)
### Reference Projects
- [HeapLAB](https://archive.ringzer0.training/archive/2020-august/heaplab-glibc-heap-exploitation.html)
- [pwnable.tw](https://pwnable.tw/) β Practical Pwn challenges
### Tool Recommendations
- [Pwndbg](https://github.com/pwndbg/pwndbg) β GDB enhancement plugin
- [Pwntools](https://docs.pwntools.com/) β Python exploitation framework
- [GEF](https://github.com/hugsy/gef) β Another excellent GDB plugin
## Contribution Guide
Welcome to contribute! You can:
- π Report bugs
- π‘ Suggest new challenges
- π Improve documentation
- π§ Optimize code
- π Promote the project
## Disclaimer
### β οΈ Educational Purpose Statement
This project is solely for **educational and learning purposes**. The techniques taught should:
β
**Be allowed to be used**:
- For practice on your own systems
- In authorized penetration testing
- In CTF competitions
- In security research environments
β **Strictly prohibited**:
- Unauthorized access to othersβ systems
- Conducting malicious attacks
- Stealing data or causing damage
- Any illegal activities
### Safety Tips
- All challenges run in isolated Docker environments
- Real-world applications have additional protection mechanisms
- These techniques should only be applied in learning environments
- Comply with all laws and ethical guidelines
## Thanks
This project was inspired by the following resources:
- [how2heap](https://github.com/shellphish/how2heap) by Shellphish
- [glibc_heap_exploitation_training](https://github.com/SecurityInnovation/glibc_heap_exploitation_training)
- [HeapLAB](https://archive.ringzer0.training/archive/2020-august/heaplab-glibc-heap-exploitation.html)
- Excellent tutorials from Azeria Labs
## License
This project is licensed for educational use only. See the [LICENSE](LICENSE) file for details. ---
**Start Learning**: [Level 0 - Environment Setup](level00_setup/) β
**Have questions?** Check [FAQs](#Frequently Asked Questions) or submit an [Issue](https://github.com/yourusername/heap-mastery-course/issues)
**Happy Hacking! π**