Linux Heap Exploitation - Part 1
4.7 (75 ratings)
Course Ratings are calculated from individual students’ ratings and a variety of other signals, like age of rating and reliability, to ensure that they reflect course quality fairly and accurately.
391 students enrolled

Linux Heap Exploitation - Part 1

Learn hands-on GLIBC heap exploitation with HeapLAB.
4.7 (75 ratings)
Course Ratings are calculated from individual students’ ratings and a variety of other signals, like age of rating and reliability, to ensure that they reflect course quality fairly and accurately.
391 students enrolled
Created by Max Kamper
Last updated 7/2020
Current price: $69.99 Original price: $99.99 Discount: 30% off
5 hours left at this price!
30-Day Money-Back Guarantee
This course includes
  • 5 hours on-demand video
  • 3 downloadable resources
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
Training 5 or more people?

Get your team access to 4,000+ top Udemy courses anytime, anywhere.

Try Udemy for Business
What you'll learn
  • Scripting exploits with pwntools
  • Introspecting the heap with pwndbg
  • The House of Force technique
  • The Fastbin Dup technique
  • The Unsafe Unlink technique
  • The Safe Unlink technique
  • The House of Orange technique
  • Using one-gadgets to drop a shell
  • Leveraging a single-byte heap overflow to drop a shell
  • Familiarity with the Linux command line environment
  • Basic debugging skills
  • A Linux VM or Host

For nearly 20 years, exploiting memory allocators has been something of an art form. Become part of that legacy with HeapLAB.

The GNU C Library (GLIBC) is a fundamental part of most Linux desktop and many embedded distributions; its memory allocator is used in everything from starting threads to dealing with I/O. Learn how to leverage this vast attack surface via different heap exploitation techniques, from the original "Unsafe Unlink" to the beautiful overflow-to-shell "House of Orange".

In this hands-on course, students will alternate between learning new techniques and developing their own exploits based on what they've learned. We'll make use of the pwntools and pwndbg frameworks to drop shells from vulnerable practice binaries, and you'll take on challenges that test what you've learned.

Who this course is for:
  • Exploit developers
  • Capture The Flag (CTF) players
  • Those wishing to learn more about exploit dev than just stack buffer overflows
  • Anyone interested in weird machines
Course content
Expand all 22 lectures 04:51:12
+ Introduction
4 lectures 13:38

Welcome to HeapLAB!

Preview 01:33

Learn about the GNU C library, and how it's tied to Linux heap exploitation.

What is GLIBC?

Learn about "malloc", the memory allocator at the core of the GLIBC heap implementation.

What is malloc?

In this video we set up our exploit development environment, it simply involves getting a VM started and installing a couple of tools.

Environment setup
+ The House of Force
4 lectures 47:01

Learn some basic heap mechanics, including how the malloc() function works and what the "top chunk" is. Along the way we get familiar with the GNU debugger and the pwndbg Python library.

The top chunk

We take a look at our first vulnerable practice binary, doing our due diligence to find out which protections it uses.

Preview 08:01

Learn the House of Force technique, which is part of the "Malloc Maleficarum" and leverage it to make an arbitrary write, overwriting target memory in our vulnerable binary. We'll make use of the pwntools Python library to script our exploit.

Arbitrary write via the House of Force

In this video we turn our House of Force arbitrary write into code execution.

Code execution via the House of Force
+ The Fastbin Dup
3 lectures 41:50

To prepare for our next heap exploitation technique, we learn about the free() function and how the fastbins operate.

Preview 09:54

Learn our 2nd heap exploitation technique, the Fastbin Dup, and leverage it to make an arbitrary write.

Arbitrary write via the Fastbin Dup

In this video we turn our Fastbin Dup primitive into a shell, along the way we'll learn about "one-gadgets" and how to meet their constraints.

Code execution via the Fastbin Dup
+ CHALLENGE: Fastbin Dup 2
1 lecture 24:04

Take on your first heap exploitation challenge.

Your objective is to drop a shell from the challenge binary using what you've learned so far, but be aware that this challenge has a couple of tricks up its sleeve.

Fastbin Dup 2
+ Unsafe Unlink
2 lectures 32:22

Learn about the unsortedbin and malloc's unlink() macro/function in preparation for the Unsafe Unlink technique.

Preview 10:13

Leverage the original heap exploitation technique, the Unsafe Unlink, developed by Alexander Peslyak a.k.a Solar Designer in the year 2000.

The original Unsafe Unlink
+ Safe Unlink
1 lecture 22:20

In this video we'll learn how to leverage the Safe Unlink technique to make an arbitrary write, followed by dropping a shell from the vulnerable binary.

The Safe Unlink
+ The House of Orange
4 lectures 01:01:33

A brief introduction to the House of Orange, a beautiful end-to-end heap exploitation technique developed in 2016 by Angelboy.

What is the House of Orange?

Learn about file stream exploitation, an alternative means of gaining, amongst other things, arbitrary code execution. This is how we'll drop a shell in the 3rd phase of the House of Orange.

File stream exploitation

Learn the 2nd phase of the House of Orange, the Unsortedbin Attack, which can write the address of an arena's unsortedbin to an arbitrary location.

The Unsortedbin Attack

Learn phase 1 of the House of Orange, top chunk extension, before putting all 3 phases together to finally drop a shell from our vulnerable binary.

The complete House of Orange
2 lectures 45:52

Prepare for your final challenge binary by learning about "remaindering", a process in which chunks are broken down into smaller chunks.


Take on your final challenge: One-Byte, in which you're tasked with dropping a shell from a binary with modern protections. You'll need to forge a libc leak and leverage what you've learned so far about heap exploitation to complete this challenge.

+ Farewell
1 lecture 02:32

Thank you for taking the HeapLAB part 1 course, now go exploit some heap bugs!