Analyze

  • Binary -- Three functions: create note, delete note, edit note. -- Create note: mallocs a note of fixed size 0x50; at most 3 notes can be allocated. -- Edit note: edits the content of a note. -- Delete note: frees the note, and we can choose whether (y/n) to clear the note's entry in the notes array.
  • Libc -- 2.27 -> uses tcache.

Idea

  • With 3 notes, we can use tcache dup to get malloc to return the header of an existing chunk. Edit the size of this chunk to 0x91 (so that when this chunk is freed it falls into the unsorted bin), and free until the tcache bin is full.
  • When the tcache bin for size 0x90 is full, edit the size back to 0x51 (the original size) and free it -> it falls into the tcache bin for size 0x50. Edit the size to 0x91 and free again -> it falls into the unsorted bin.
  • Overwrite 2 bytes of the fd pointer of this chunk -> stdout addr (brute force 4 bits). malloc 2 chunks; the 2nd chunk will be allocated at the stdout addr.
  • Use a FILE attack to leak a libc addr. Then use tcache dup to edit the __free_hook addr.
Original writeup (https://github.com/Hi-Im-darkness/CTF/tree/master/bctf2018/pwn/three).