Rating: 5.0
We are given a way to craft as many fake chunks as we want in the `.bss` segment.
Using this, we first leak a libc address by crafting a fake chunk in the `.bss` segment.
Then we use a fastbin poisoning attack to get a chunk inside `main_arena`, which lets us overwrite the top chunk pointer so that it points just below `__free_hook` (at `__free_hook-0x1100`).
Then we use fastbin poisoning again to get a chunk right on top of the global chunk array, so we can overwrite it with zeros and keep allocating as many chunks as we want.
Finally we allocate enough chunks from the relocated top chunk to reach `__free_hook` and overwrite it with `system` to get code execution.
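To make the fastbin poisoning steps above concrete, here is a small C model of glibc's fastbin free lists. It is an example added to this page, not the challenge binary, the writeup's exploit, or glibc source, and it assumes a hypothetical attacker-controlled `.bss` region `fake_bss` plus a write primitive into a freed chunk's `fd`. It shows the one check `malloc()` applies when it pops a poisoned `fd` (glibc's `malloc(): memory corruption (fast)` abort): the size field of the fake chunk must map to the same fastbin as the request, which is why each fake chunk in the attack, whether in `.bss`, inside `main_arena`, or over the chunk array, needs a plausible size word at the right offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of glibc fastbins: LIFO singly linked lists indexed by chunk
 * size (0x20..0x80 in 0x10 steps). Written for this page; not glibc code. */
#define HEAP_SIZE 4096
#define NFASTBINS 7
#define CHUNK_HDR 16            /* prev_size + size, like glibc on 64-bit */

typedef struct chunk {
    size_t prev_size;
    size_t size;                /* low 3 bits are flag bits, as in glibc */
    struct chunk *fd;           /* next free chunk; only valid while free */
} chunk_t;

static unsigned char heap[HEAP_SIZE] __attribute__((aligned(16)));
static size_t top_off = 0;      /* stand-in for the top chunk */
static chunk_t *fastbins[NFASTBINS];

/* glibc rounding: request + SIZE_SZ, aligned to 16, minimum 32 */
static size_t request2size(size_t req) {
    size_t s = (req + 8 + 15) & ~(size_t)15;
    return s < 32 ? 32 : s;
}
/* glibc: fastbin_index(sz) == (sz >> 4) - 2 on 64-bit */
static int fastbin_index(size_t sz) { return (int)((sz >> 4) - 2); }

void *toy_malloc(size_t req) {
    size_t sz = request2size(req);
    int idx = fastbin_index(sz);
    if (idx >= 0 && idx < NFASTBINS && fastbins[idx]) {
        chunk_t *victim = fastbins[idx];
        /* The only integrity check on a fastbin pop: the chunk we are about
         * to return must claim a size that belongs to this bin. */
        if (fastbin_index(victim->size & ~(size_t)7) != idx)
            return NULL;        /* glibc aborts here instead */
        fastbins[idx] = victim->fd;
        return (char *)victim + CHUNK_HDR;
    }
    if (top_off + sz > HEAP_SIZE) return NULL;
    chunk_t *c = (chunk_t *)(heap + top_off);   /* carve from "top" */
    c->size = sz | 1;                           /* PREV_INUSE set */
    top_off += sz;
    return (char *)c + CHUNK_HDR;
}

void toy_free(void *p) {
    chunk_t *c = (chunk_t *)((char *)p - CHUNK_HDR);
    int idx = fastbin_index(c->size & ~(size_t)7);
    c->fd = fastbins[idx];      /* push on the LIFO list; fd lands in user data */
    fastbins[idx] = c;
}

/* Hypothetical attacker-controlled .bss area: a fake chunk header followed
 * by the memory we want malloc() to hand back to us. */
struct {
    size_t prev_size;
    size_t size;
    char   target[0x50];
} fake_bss;

/* Fastbin poisoning with a fake chunk of the given size word.
 * Returns the pointer malloc() handed out, or NULL when the check fires. */
void *poison_demo(size_t fake_size) {
    memset(fastbins, 0, sizeof fastbins);
    top_off = 0;
    void *a = toy_malloc(0x50);             /* 0x60 chunk -> bin index 4 */
    void *b = toy_malloc(0x50);
    toy_free(a);
    toy_free(b);                            /* bin 4: b -> a */
    chunk_t *bc = (chunk_t *)((char *)b - CHUNK_HDR);
    fake_bss.size = fake_size;              /* attacker sets the size word */
    bc->fd = (chunk_t *)&fake_bss;          /* the UAF/overflow write into fd */
    (void)toy_malloc(0x50);                 /* returns b; bin head is now fake_bss */
    return toy_malloc(0x50);                /* fake chunk, or NULL if size mismatches */
}

int main(void) {
    printf("size 0x61 -> %p (fake_bss.target is %p)\n",
           poison_demo(0x61), (void *)fake_bss.target);
    printf("size 0x71 -> %p\n", poison_demo(0x71));
    return 0;
}
```

With a size word of 0x61 the second `malloc(0x50)` returns `fake_bss.target`; with 0x71 the bin index mismatches and the pop is refused, which is the failure you hit when a fake chunk's size offset is wrong. On a real target the same idea holds but with two caveats: on glibc 2.26 and later the tcache is served first, so a chunk of a given size only reaches the fastbin once that tcache bin already holds seven entries, and from glibc 2.32 the `fd` pointer is mangled by safe-linking and checked for 16-byte alignment, so a plain pointer write no longer works.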
A different solution is also provided in the writeup.