Rating: 5.0

When performing a chunked transfer, the buffer `realloc` does not take the size of the chunk headers into account, so the following `memcpy` overflows the allocation.
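The size mismatch described above, as an added example that is not code from the challenge binary or the original writeup. The chunk format (`<hex-size>\r\n<data>\r\n`), the function names and the exact accounting are assumptions used to model the bug: the vulnerable path grows the buffer by the declared chunk size but copies the whole raw segment, header and trailing CRLF included, while the hardened path copies only the declared payload and rejects malformed chunks.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of one chunk as it sits in the receive buffer:
 * "<hex-size>\r\n<data>\r\n". Not the challenge's real parser. */

/* Parse the chunk-size line. Stores the header length (hex digits + CRLF)
 * in *hdr_len and returns the declared size, or (size_t)-1 on error. */
static size_t parse_chunk_header(const char *raw, size_t raw_len, size_t *hdr_len) {
    size_t i = 0, size = 0;
    while (i < raw_len && raw[i] != '\r') {
        char c = raw[i];
        int v;
        if (c >= '0' && c <= '9') v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else return (size_t)-1;
        if (size > (SIZE_MAX >> 4)) return (size_t)-1;   /* hex length overflow */
        size = size * 16 + (size_t)v;
        i++;
    }
    if (i == 0 || i + 1 >= raw_len || raw[i + 1] != '\n') return (size_t)-1;
    *hdr_len = i + 2;
    return size;
}

/* Vulnerable accounting (assumed shape of the bug): the allocation grows by
 * the declared chunk size, realloc(buf, total + declared), but the copy is
 * memcpy(buf + total, raw, raw_len) over the entire raw segment. Returns how
 * many bytes past the end of the new allocation that copy would write.
 * Nothing is actually written, so this is safe to call. */
size_t vulnerable_overrun(const char *raw, size_t raw_len) {
    size_t hdr_len;
    size_t declared = parse_chunk_header(raw, raw_len, &hdr_len);
    if (declared == (size_t)-1) return 0;
    size_t grow_by = declared;   /* what realloc reserves */
    size_t copy_len = raw_len;   /* what memcpy writes: header + data + CRLF */
    return copy_len > grow_by ? copy_len - grow_by : 0;
}

/* Hardened reassembly: grow by the declared size, copy only the declared
 * payload, and reject any chunk whose raw length does not match its header.
 * Appends to *body (realloc'd, NUL-terminated) and updates *body_len.
 * Returns 0 on success, -1 on a malformed chunk or allocation failure. */
int append_chunk_checked(unsigned char **body, size_t *body_len,
                         const char *raw, size_t raw_len) {
    size_t hdr_len;
    size_t declared = parse_chunk_header(raw, raw_len, &hdr_len);
    if (declared == (size_t)-1) return -1;
    /* raw must be exactly header + data + CRLF; guard the additions too */
    if (declared > SIZE_MAX - hdr_len - 2) return -1;
    if (raw_len != hdr_len + declared + 2) return -1;
    if (memcmp(raw + hdr_len + declared, "\r\n", 2) != 0) return -1;
    if (*body_len > SIZE_MAX - declared - 1) return -1;
    unsigned char *nb = realloc(*body, *body_len + declared + 1); /* +1 for NUL */
    if (!nb) return -1;
    memcpy(nb + *body_len, raw + hdr_len, declared);   /* payload only */
    *body_len += declared;
    nb[*body_len] = 0;
    *body = nb;
    return 0;
}

int main(void) {
    unsigned char *body = NULL;
    size_t body_len = 0;
    /* constructed sample chunks */
    append_chunk_checked(&body, &body_len, "5\r\nhello\r\n", 10);
    append_chunk_checked(&body, &body_len, "6\r\n world\r\n", 11);
    free(body);
    return 0;
}
```

For the sample chunk `"5\r\nhello\r\n"` the vulnerable accounting overruns by five bytes (three bytes of header plus the trailing CRLF), which is exactly the slack an attacker controls per chunk; on uClibc that slack lands on whatever follows the allocation, which is what the rest of the writeup exploits.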

Because uClibc's initial heap (0x100 bytes) is a static buffer inside libc rather than a separately mapped region, the overflow also reaches the `__malloc_heap` pointer that records the current heap location; see [uClibc](https://github.com/kraj/uClibc/blob/master/libc/stdlib/malloc/malloc.c#L27).

* overwrite `__malloc_heap` to point to our fake heap
* give the fake heap a huge size so that malloc returns memory near the GOT
* overwrite the `memchr` GOT entry with the shellcode address

Full writeup at https://devcraft.io/2018/11/22/internet-of-seat-seccon-2018.html

-vakzz
