OpenSkillIndex← back to search

Hacktricks-skills heap-overflow-exploitation

How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/binary-exploitation/libc-heap/heap-overflow/SKILL.MD
source content

Heap Overflow Exploitation

A skill for understanding and exploiting heap overflow vulnerabilities.

What is a Heap Overflow?

A heap overflow occurs when data written to a heap-allocated buffer exceeds its allocated size, overwriting adjacent memory. Unlike stack overflows, heap chunks don't contain sensitive control data by default, but the criticality depends on what data can be overwritten.

Key Differences: Stack vs Heap Overflows

Stack Overflows

  • Linear memory layout
  • Predictable structure with registers and frame pointers
  • Sensitive data (instruction pointer, return addresses) stored by default

Heap Overflows

  • Non-linear memory with separated chunks
  • Organized by bins and zones based on size
  • Reuses freed memory before allocating new chunks
  • Challenge: Difficult to predict which object will collide with the vulnerable chunk

Finding Overflow Offsets

Use the same pattern generation techniques as stack overflows to determine the exact offset where the overflow begins. See 

scripts/generate_pattern.py
for creating cyclic patterns.

Heap Grooming

Heap grooming is a technique to force specific memory layouts by:

  1. Allocating multiple chunks to fill free lists
  2. Freeing specific chunks to create predictable patterns
  3. Allocating victim objects in desired positions

iOS Kernel Example

  • When a zone runs out of memory, it expands by a kernel page
  • Pages are split into chunks of expected sizes
  • Out-of-line allocation with mach ports allows exact size specification
  • Free lists release elements in LIFO order

Common Exploitation Techniques

1. Edit Free Chunk

  • Overwrite the prev-in-use bit of the next chunk
  • Modify the prev_size field
  • Consolidate a used chunk (making it appear unused)
  • Reallocate to overwrite data in different pointers

2. Pointer Overwrite

  • Overflow into a nearby chunk containing function pointers
  • Replace with address of arbitrary data
  • Trigger execution through the corrupted pointer

3. Command Injection

  • Store executable commands in adjacent chunks
  • Overwrite with controlled input
  • Execute modified commands

Real-World Example: CVE-2025-40597

Vulnerability Details

  • Target: SonicWall SMA100 firmware 10.2.1.15
  • Module: 
    mod_httprp.so
    (reverse-proxy)
  • Root Cause: Misuse of 
    __sprintf_chk
    with 
    -1
    size parameter

The Bug

char *buf = calloc(0x80, 1);
__sprintf_chk(buf, -1, 0, "%s%s%s%s", "/", "https://", path, host);

The 

-1
parameter disables _FORTIFY_SOURCE bounds checking, allowing overflow of the 0x80-byte chunk.

Exploitation

import requests, warnings
warnings.filterwarnings('ignore')
requests.get(
    'https://TARGET/__api__/',
    headers={'Host': 'A'*750},
    verify=False
)

Key Takeaways

  1. _FORTIFY_SOURCE is not a silver bullet
  2. Always pass correct buffer size to 
    _chk
    family functions
  3. Prefer 
    snprintf
    over 
    sprintf

Practical Workflow

Step 1: Identify the Vulnerability

  • Look for heap allocations with insufficient bounds checking
  • Check for 
    sprintf
    , 
    strcpy
    , 
    gets
    on heap buffers
  • Verify size parameters in 
    _chk
    functions

Step 2: Map the Heap Layout

  • Use GDB with 
    heap
    commands
  • Identify adjacent chunks and their contents
  • Determine what data can be overwritten

Step 3: Apply Heap Grooming

  • Allocate chunks to control memory layout
  • Free specific chunks to create desired patterns
  • Allocate victim objects in predictable positions

Step 4: Craft the Exploit

  • Calculate exact overflow offset
  • Prepare payload to overwrite target data
  • Trigger the vulnerability

Step 5: Verify and Refine

  • Test with GDB to confirm memory corruption
  • Adjust grooming if needed
  • Finalize exploit for target environment

Tools and Resources

Debugging

  • GDB with 
    heap
    commands
  • heap_explore
    plugin
  • pwndbg
    heap visualization

Pattern Generation

  • cyclic
    from pwnlib
  • pattern_create
    and 
    pattern_offset
  • See 
    scripts/generate_pattern.py
    for custom patterns

References