
Heap Exploitation
Apply named glibc heap techniques (House of Force, Spirit, tcache attacks) when binary exploit development is in scope.
Overview
Heap Exploitation is an agent skill for the Ship phase that documents named glibc heap exploitation methods and tcache attacks for authorized binary security work.
Install
npx skills add https://github.com/yaklang/hack-skills --skill heap-exploitation
What is this skill?
- Named technique catalog: House of Force, Spirit, Lore, Orange, Einherjar, Roman, Pig, Banana, Cat, Apple
- Tcache-specific attacks including Botcake and stashing unlink
- Per-technique tables: primitive needed, glibc version constraints, and mechanism summary
- House of Force example with top-chunk size overwrite and evil_size malloc arithmetic
- Explicit AI load instruction: load after main SKILL.md for ptmalloc2 fundamentals
- 10+ named House-style techniques referenced in the skill header
- House of Force blocked on glibc 2.29+ top-chunk validation
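To make the last bullet concrete, here is an added example (not code from the skill) that models top-chunk carving in a toy arena and shows why the glibc 2.29 `malloc(): corrupted top size` check ends House of Force: the same request that lands on the target on an unchecked allocator is refused as soon as the top size exceeds `system_mem`. The addresses and arena sizes are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of ptmalloc2 carving allocations out of the top chunk.
 * Constructed for illustration; it is not glibc code. */
typedef struct {
    uint64_t top;        /* address of the top chunk header */
    uint64_t top_size;   /* top chunk size field (what an overflow corrupts) */
    uint64_t system_mem; /* memory obtained from the kernel, as in av->system_mem */
    bool check_top;      /* model the glibc 2.29 "malloc(): corrupted top size" check */
} toy_arena;

/* Returns the user pointer, or 0 when the request is refused. */
static uint64_t toy_malloc(toy_arena *av, uint64_t req) {
    uint64_t nb = (req + 8 + 0xf) & ~(uint64_t)0xf;   /* request2size() */
    if (nb < 0x20) nb = 0x20;                          /* MINSIZE */
    if (av->check_top && av->top_size > av->system_mem)
        return 0;   /* 2.29+: a top chunk larger than the arena is rejected */
    if (av->top_size < nb + 0x20)
        return 0;   /* real glibc would grow the heap via sysmalloc; the toy refuses */
    uint64_t user = av->top + 0x10;                    /* chunk2mem() */
    av->top += nb;
    av->top_size -= nb;
    return user;
}

/* Replay the arithmetic from the skill's House of Force entry against the
 * toy arena. Returns where the second allocation lands (0 if refused). */
static uint64_t house_of_force(bool glibc_2_29_check) {
    toy_arena av = { .top = 0x555555559000ULL, .top_size = 0x20ff0,
                     .system_mem = 0x21000, .check_top = glibc_2_29_check };
    uint64_t target = 0x555555600000ULL;  /* constructed address above the heap */

    av.top_size = 0xffffffffffffffffULL;         /* the overflow: top size -> -1 */
    uint64_t evil_size = target - av.top - 0x20; /* evil_size formula from the entry */
    if (toy_malloc(&av, evil_size) == 0)
        return 0;                                /* 2.29+ stops here */
    return toy_malloc(&av, 0x10);                /* pre-2.29: top now sits at target-0x10 */
}

int main(void) {
    printf("pre-2.29 : second malloc returns 0x%llx\n",
           (unsigned long long)house_of_force(false));
    printf("2.29+    : second malloc returns 0x%llx (0 = corrupted top size)\n",
           (unsigned long long)house_of_force(true));
    return 0;
}
```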
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are exploiting a heap corruption primitive but lack a concise map of which House or tcache technique fits your glibc version and overflow type.
Who is it for?
Advanced solo practitioners doing CTF, binary auditing, or embedded native code reviews with existing heap fundamentals loaded.
Skip if: Web-only SaaS builders, beginner security learners, or production app hardening that stops at memory-safe languages and dependency scanning.
When should I use this skill?
You need specific named heap exploitation techniques or tcache-specific attacks and the main heap SKILL.md fundamentals are already loaded.
What do I get? / Deliverables
You select a concrete named technique with version constraints and implementation sketches (for example top-chunk abuse or fake fastbin headers) aligned to your primitive.
- Selected technique chain with glibc version check
- Exploit script or PoC steps aligned to the named method
Journey fit
Heap exploitation sits on the Ship → Security shelf for advanced native/binary hardening and CTF-style authorized assessments—not day-one app coding. Content is exploit-method reference for ptmalloc2/glibc constraints, assuming fundamentals already loaded from the parent SKILL.md.
How it compares
Specialized exploit cookbook layered on the main heap SKILL.md—not a general secure-coding or dependency audit skill.
Common Questions / FAQ
Who is heap-exploitation for?
Security researchers, CTF players, and advanced developers performing authorized native binary exploitation who need technique-specific guidance under glibc heap allocators.
When should I use heap-exploitation?
During Ship-phase security work on native binaries, lab exploits, or firmware assessments when you already have a heap primitive and must pick House of X or tcache-specific chains.
Is heap-exploitation safe to install?
The skill is educational exploit documentation; use only on systems you are authorized to test and review the Security Audits panel on this Prism page before relying on it in automation.
SKILL.md - Heap Exploitation
# House of Techniques — Named Heap Exploitation Methods

> **AI LOAD INSTRUCTION**: Load this when you need specific named heap exploitation techniques (House of Force/Spirit/Lore/Orange/Einherjar/Roman/Pig/Banana/Cat/Apple) or tcache-specific attacks (Botcake, stashing unlink). Assumes the main [SKILL.md](./SKILL.md) is already loaded for ptmalloc2 fundamentals and glibc version constraints.

---

## 1. HOUSE OF FORCE

**Overwrite top chunk size → control next allocation address.**

| Aspect | Detail |
|---|---|
| Primitive needed | Overflow into top chunk size field |
| Glibc constraint | < 2.29 (2.29 adds top chunk size validation) |
| Mechanism | Set top chunk size to `0xffffffffffffffff`, then request `target_addr - top_addr - 0x20` bytes → next malloc returns near target |

```python
# edit/malloc are the target program's menu wrappers; p64 is pwntools' 64-bit packer
# Overwrite top chunk size to -1
edit(top_adjacent_chunk, b'A' * data_size + p64(0) + p64(0xffffffffffffffff))

# Calculate evil size
evil_size = target_addr - (top_chunk_addr + 0x10) - 0x10
malloc(evil_size)  # consume top chunk up to target
ptr = malloc(0x10)  # this allocation lands at target_addr
```

---

## 2. HOUSE OF SPIRIT

**Forge a fake chunk header → free it → allocate at fake location.**

| Aspect | Detail |
|---|---|
| Primitive needed | Write at least 16 bytes at target (fake chunk header) |
| Target | Get fastbin/tcache allocation at stack/BSS/anywhere |
| Mechanism | Craft fake `size` field (matching fastbin/tcache range), ensure next chunk's size is valid, free the fake chunk |

```python
# Stack layout: forge fake chunk
fake_chunk = target_addr - 0x10
# At fake_chunk+0x8:  size = 0x41 (fastbin 0x40)
# At fake_chunk+0x48: next_chunk_size = 0x21 (valid, > 0x10, < av->system_mem)

free(fake_chunk + 0x10)  # free the "user data" pointer
ptr = malloc(0x30)       # returns fake_chunk + 0x10 = target_addr
```

**tcache variant (glibc ≥ 2.26)**: No next-chunk size validation needed. Only need valid `size` field matching tcache bin index.

---

## 3. HOUSE OF LORE

**Forge fake smallbin chunk → get allocation at arbitrary address.**

| Aspect | Detail |
|---|---|
| Primitive needed | Heap write to corrupt smallbin bk pointer |
| Mechanism | Insert fake chunk into smallbin via bk corruption → `malloc` returns fake chunk |
| Checks to satisfy | `victim->bk->fd == victim` (doubly linked list integrity) |

Requires crafting a fake chunk where `fake->fd = smallbin_head` to pass the check.

---

## 4. HOUSE OF ORANGE

**No `free()` needed → get shell via _IO_FILE.**

| Aspect | Detail |
|---|---|
| Primitive needed | Heap overflow to corrupt top chunk size |
| Glibc constraint | Works on 2.23; vtable check added in 2.24 (needs bypass); fully blocked in later versions without _IO_str_jumps trick |
| Mechanism | Shrink top chunk size → next large malloc triggers `sysmalloc` → old top freed into unsortedbin → unsortedbin attack writes `_IO_list_all` → trigger `_IO_flush_all_lockp` via abort/exit |

### Attack Flow

1. Overflow: corrupt top chunk size to small valid value (page-aligned, PREV_INUSE set)
2. Large malloc: triggers `sysmalloc`, old top chunk freed into unsortedbin
3. Unsortedbin attack: corrupt unsortedbin chunk's bk to `_IO_list_all - 0x10`
4. Next malloc (smallbin size): unsortedbin → smallbin sorting writes `main_arena+0x68` to `_IO_list_all`
5. `_IO_list_all` now points to `main_arena+0x68`, which overlaps with smallbin[5]
6. Forge fake _IO_FILE at that smallbin entry with vtable pointing to controlled memory
7. Trigger: malloc error → `_IO_flush_all_lockp` → calls `_IO_OVERFLOW` on fake FILE → shell

---

## 5. HOUSE OF EINHERJAR

**Off-by-null byte → backward consolidation → overlapping chunks.**

| Aspect | Detail |
|---|---|
| Primitive needed | Null byte overflow (off-by-one with `\x00`) |
| Mechanism | Clear PREV_INUSE bit of next chunk → set fake `prev_size` → `free` triggers backward consolidation with a fake previous chunk |

### Steps

1. Allocate A, B, C (B is the overflow target)
2. Overflow from