Rating:

There are 20 heap pointers stored at bss(0x602060~0x602100-0x8).
And in Add(), Edit(), Delete(), there is a off-by-one bug, which allows attacker use the index 20(the 21st). And the 21st pointer points to g_name(0x602100) which can be fully controled by attacker.
So my strategy is to forge fake chunks in bss when edit g_name as following:
```
0x602060 g_list[0]
......
0x6020f8 g_list[19]
0x602100 g_name/g_list[20] -> 0x602120
0x602108
0x602110 fake_prev_size
0x602118 fake_size
......
```
As a result we can fully manipulate a heap chunk by editing g_name.
We can:
1. leak libc: forge a fake unsorted chunk at bss then free it. By showing name we can leak [main_arena](https://github.com/bash-c/main_arena_offset) + 96
2. control pc: forge a fake tcache bin at bss. Modify fd by editing g_name, then we can allocate to `__malloc_hook`

Here is my [exploit](https://github.com/bash-c/pwn_repo/blob/master/ISITDTU2019_iz_heap_lv1/solve.py). Follow [me](https://github.com/bash-c) if you like this writeup :)

Original writeup (https://github.com/bash-c/pwn_repo/blob/master/ISITDTU2019_iz_heap_lv1/solve.py).