Tags: heap tcache 

TL;DR: Used an OOB write and a UAF to construct a double-free primitive. First used the double-free primitive to overwrite the number of chunks in each tcache bin in tcache_perthread_struct. Then used the primitive to gain control of one of the cards arrays. Freed the cards array to write the address of tcache_perthread_struct to the array, and then freed tcache_perthread_struct. Leaked libc by reading tcache_perthread_struct. After that, got a pointer to free_hook and called system. A more detailed and coherent explanation is in the full writeup.

Original writeup (https://freudians.github.io/2022/06/17/queuestackarray-HSCTF.html).