Share
## https://sploitus.com/exploit?id=A2B593D5-FAD1-54D0-9C6C-45227A158A17
# Heap Mastery Course

> Learn heap vulnerability exploitation techniques from scratch – including advanced techniques like heap spraying and heap feng shui.

[![License: MIT](https://img.shields.io/badge/License-Educational%20Use%20Only-blue.svg)](LICENSE)
[![Platform](https://img.shields.io/badge/platform-Linux-orange.svg)](https://www.linux.org/)
[![GCC](https://img.shields.io/badge/gcc-9.0+-brightgreen.svg)](https://gcc.gnu.org/)

## Project Overview

This is a comprehensive heap vulnerability exploitation course designed for security beginners, CTF contestants, and security researchers. Through **7 progressively difficult levels**, you will gradually master advanced heap spraying and heap feng shui techniques.

### Key Features

- βœ… **7 progressive levels** – Smooth transition from basics to advanced skills
- βœ… **Step-by-step instruction** – Each level comes with detailed documentation and usage guides
- βœ… **Customized exploit programs** – Carefully designed for learning purposes
- βœ… **Complete solutions** – Code examples in Python and C language
- βœ… **Hint system** – Get hints when stuck
- βœ… **Docker environment** – Easily start an isolated training environment
- βœ… **Automated testing** – Verify all levels and exploit code
- βœ… **Modern technologies** – Includes Safe Linking, Tcache, and other latest technologies from 2024-2025

## Level Overview

| Level | Topic | Difficulty | Estimated Time | Core Technologies |
|------|------|------|----------|----------|
| [Level 0](level00_setup/) | Environment setup & basics | ⭐ | 1 hour | GDB, Pwndbg, heap basics |
| [Level 1](level01_overflow/) | Heap overflow basics | ⭐ | 2 hours | Chunk structure, heap metadata corruption |
| [Level 2](level02_uaf/) | Use-After-Free | ⭐⭐ | 3 hours | UAF, heap reusing, dangling pointers |
| [Level 3](level03_fastbin_dup/) | Fastbin double free | ⭐⭐⭐ | 4 hours | Fastbin operations, double deallocation |
| [Level 4](level04_tcache/) | Tcache poisoning | ⭐⭐⭐ | 4 hours | Tcache mechanism, modern heap exploitation |
| [Level 5](level05_heap_spray/) | Heap spraying techniques | ⭐⭐⭐⭐ | 6 hours | Heap spraying, memory layout control |
| [Level 6](level06_feng_shui/) | Heap feng shui | ⭐⭐⭐⭐⭐ | 8 hours | Precise heap layout, multi-bin coordination |
| [Level 7](level07_advanced/) | Advanced techniques & bypasses | ⭐⭐⭐⭐⭐+ | 12 hours | Safe Linking, House series |

## Quick Start

### Method 1: Docker (Recommended)

```bash
# Clone the repository
git clone https://github.com/yourusername/heap-mastery-course.git
cd heap-mastery-course

# Start the Docker environment
docker-compose up -d

# Enter the container
docker-compose exec course bash

# Build all levels
mkdir build && cd build
cmake.. make

# Test environment configuration./level00_setup/check_env
```

### Method 2: Local Installation

```bash
# Install dependencies
sudo apt-get update
sudo apt-get install -y build-essential gcc gdb python3 python3-pip

# Install Pwntools
pip3 install pwntools

# Install Pwndbg (Recommended)
cd ~
git clone https://github.com/pwndbg/pwndbg
cd pwndbg./setup.sh

# Build the project
mkdir build && cd build
cmake.. make
```

## Learning Path

1. **Start from Level 0** – Set up your debugging environment
2. **Learn in order** – Each level relies on the knowledge of the previous one
3. **Read documentation** – Understand the principles first, then practice
4. **Use hints** – Check hints.md when stuck
5. **Study solutions** – Compare with reference code in solution/

6. **Deep understanding** – Read the theoretical documents in `docs/`.

## File Structure for Each Level

```
levelXX_/
β”œβ”€β”€ README.md # Level description and challenges
β”œβ”€β”€ challenge/
β”‚ β”œβ”€β”€ vuln.c # Source code of the vulnerability program
β”‚ β”œβ”€β”€ vuln # Compiled binary file
β”‚ β”œβ”€β”€ flag.txt.template # Flag template (copied as flag.txt)
β”‚ └── Makefile # Compilation script
β”œβ”€β”€ docs/
β”‚ β”œβ”€β”€ theory.md # Detailed explanation of technical principles
β”‚ β”œβ”€β”€ walkthrough.md # Step-by-step guide to exploitation
β”‚ └── hints.md # Progressive hint system
└── solution/
 β”œβ”€β”€ exploit.py # Python exploitation script
 β”œβ”€β”€ exploit.c # C language verification program
 └── solver.py # Automated solution tool
```

## Documentation

- [Course Introduction](docs/00_introduction.md) – Complete course overview
- [Prerequisites](docs/01_prerequisites.md) – Basic knowledge required
- [Environment Setup](docs/02_environment_setup.md) – Detailed environment setup guide
- [Debugging Tools](docs/03 DebuggingTools.md) – Usage guidelines for GDB/Pwndbg/Gef
- [Heap Internals](docs/04_heap_internals.md) – In-depth explanation of glibc malloc
- [Exploitation Using Protection Mechanisms](docs/05_exploit_mitigations.md) – Protection mechanisms like ASLR, PIE, etc.

## Testing

```bash
# Compile all levels
cd build && cmake.. && make

# Method 1: Use CMake to test targets (recommended)
make verify # Test all levels and exploitation scripts
make test_exploits # Alias for verify

# Method 2: Run the verification script directly./tests/verify_all.sh # Run from the build/ directory

# Test a specific level individually
cd level01_overflow/challenge
make flag # Create flag.txt./vuln # Run the vulnerability program
python3../../answer/exploit_solution.py # Run the exploitation script

# Compile with protections enabled
cmake -DENABLE_PROTECTIONS=ON.. make verify
```

### Explanation of the Verification Script

The `verify_all.sh` script will:
1. Create a `flag.txt` file for each level.
2. Run the corresponding `exploit_solution.py` script.
3. Check whether the flag was successfully obtained.
4. Generate a detailed test report.

## Example: Level 1 Challenge

```c
// level01_overflow/challenge/vuln.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void winner() {
 char flag[64];
 FILE *f = fopen("flag.txt", "r");
 if (f == NULL) {
 printf("Error: Create flag.txt first!\n");
 return;
 }
 fread(flag, 1, sizeof(char), f);
 printf("Flag: %s\n", flag);
}

int main() {
 char *chunk1, *chunk2;

 chunk1 = malloc(32);
 chunk2 = malloc(32);

 printf("Enter data for chunk1: ");
 read(0, chunk1, 100); // Vulnerability: Heap overflow! If strcmp(chunk2, "pwned!") == 0, then execute winner().

 free(chunk1);
 free(chunk2);
 return 0;
}
```

**Goal**: Control the content of chunk2 through a heap overflow, making it equal to "pwned!".

**Solution Hint**:
```bash
# Use the script
python3 -c "print('A'*33 + 'pwned!')" |./level01_overflow/challenge/vuln
```

## Technical Highlights

### Level 1-2: Basic Heap Vulnerabilities
- Understand heap chunk structures (fields like size, fd, bk, etc.)
- Master heap buffer overflows
- Learn about the β€œUse-After-Free” concept

### Level 3-4: Core Exploitation Techniques
- Fastbin double release mechanism
- Tcache poisoning (glibc 2.26+)
- Arbitrary address reading/writing primitives

### Level 5-6: Advanced Layout Techniques
- Heap spraying: Controlling memory layout
- Heap: Precise control over chunk positions
- Multi-bin coordination for exploitation

### Level 7: Expert-Level Techniques
- Bypass of safe linking (glibc 2.32+)
- House of Einherjar/Force techniques
- Bypassing modern protection mechanisms

## Frequently Asked Questions

### Q: What background do I need? A: You need to have:
- Basic knowledge of C language (pointers, structures, memory management)
- Knowledge of Linux command lines
- Basic debugging concepts
- (Optional) Experience with CTF Pwn challenges

### Q: Why choose a Docker environment? A: Docker provides:
- An isolated and secure environment
- A unified glibc version
- Pre-installed debugging tools
- Avoid contaminating the host system

### Q: What if I encounter difficulties? A: Follow this order:
1. Read the challenge documentation (theory.md)
2. Review the hints (hints.md)
3. Study the exploitation guide (walkthrough.md)
4. Refer to solution code (solution/)
5. Consult external resources (see below)

## Learning Resources

### Recommended Reading
- [how2heap](https://github.com/shellphish/how2heap) – Encyclopedia of heap exploitation techniques
- [glibc heap exploitation training](https://github.com/SecurityInnovation/glibc_heap_exploitation_training)
- [Azeria Labs - Heap Exploitation](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/)

### Reference Projects
- [HeapLAB](https://archive.ringzer0.training/archive/2020-august/heaplab-glibc-heap-exploitation.html)
- [pwnable.tw](https://pwnable.tw/) – Practical Pwn challenges

### Tool Recommendations
- [Pwndbg](https://github.com/pwndbg/pwndbg) – GDB enhancement plugin
- [Pwntools](https://docs.pwntools.com/) – Python exploitation framework
- [GEF](https://github.com/hugsy/gef) – Another excellent GDB plugin

## Contribution Guide

Welcome to contribute! You can:
- πŸ› Report bugs
- πŸ’‘ Suggest new challenges
- πŸ“– Improve documentation
- πŸ”§ Optimize code
- 🌟 Promote the project

## Disclaimer

### ⚠️ Educational Purpose Statement

This project is solely for **educational and learning purposes**. The techniques taught should:

βœ… **Be allowed to be used**:
- For practice on your own systems
- In authorized penetration testing
- In CTF competitions
- In security research environments

❌ **Strictly prohibited**:
- Unauthorized access to others’ systems
- Conducting malicious attacks
- Stealing data or causing damage
- Any illegal activities

### Safety Tips

- All challenges run in isolated Docker environments
- Real-world applications have additional protection mechanisms
- These techniques should only be applied in learning environments
- Comply with all laws and ethical guidelines

## Thanks

This project was inspired by the following resources:
- [how2heap](https://github.com/shellphish/how2heap) by Shellphish
- [glibc_heap_exploitation_training](https://github.com/SecurityInnovation/glibc_heap_exploitation_training)
- [HeapLAB](https://archive.ringzer0.training/archive/2020-august/heaplab-glibc-heap-exploitation.html)
- Excellent tutorials from Azeria Labs

## License

This project is licensed for educational use only. See the [LICENSE](LICENSE) file for details. ---

**Start Learning**: [Level 0 - Environment Setup](level00_setup/) β†’

**Have questions?** Check [FAQs](#Frequently Asked Questions) or submit an [Issue](https://github.com/yourusername/heap-mastery-course/issues)

**Happy Hacking! πŸŽ“**