There are 20 heap pointers stored in bss (0x602060~0x602100-0x8).
Add(), Edit() and Delete() share an off-by-one bug, which allows an attacker to use index 20 (the 21st slot). The 21st pointer overlaps g_name (0x602100), which can be fully controlled by the attacker.
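The index check behind this bug, modelled next to its corrected form. This is an added example, not code from the challenge binary or the linked exploit: the `<=` comparison, the struct, the helper names and the 0x100 name size are assumptions; only the slot count and the two addresses come from the text above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SLOTS    20
#define PTR_SIZE 8   /* pointer size on the 64-bit target */

/* Constructed model of the layout described above: 20 pointer slots
   immediately followed by the name buffer (size is an assumption). */
struct globals {
    void *list[SLOTS];   /* 0x602060 .. 0x6020f8 on the page */
    char  name[0x100];   /* 0x602100 on the page */
};

/* Hypothetical off-by-one check: idx == SLOTS slips through. */
static int index_ok_vulnerable(long idx) {
    return idx >= 0 && idx <= SLOTS;
}

/* Corrected check: valid indices are 0 .. SLOTS-1. */
static int index_ok_fixed(long idx) {
    return idx >= 0 && idx < SLOTS;
}

/* Address that slot idx resolves to for a given table base. */
static uint64_t slot_address(uint64_t base, long idx) {
    return base + (uint64_t)idx * PTR_SIZE;
}

/* True when slot idx falls past list[] and inside name[]. */
static int slot_aliases_name(long idx) {
    if (idx < 0) return 0;
    size_t off  = offsetof(struct globals, list) + (size_t)idx * sizeof(void *);
    size_t name = offsetof(struct globals, name);
    return off >= name && off < name + sizeof(((struct globals *)0)->name);
}

int main(void) {
    for (long idx = 19; idx <= 20; idx++)
        printf("idx=%ld addr=%#llx vulnerable=%d fixed=%d aliases_name=%d\n", idx,
               (unsigned long long)slot_address(0x602060, idx),
               index_ok_vulnerable(idx), index_ok_fixed(idx),
               slot_aliases_name(idx));
    return 0;
}
```
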
So my strategy is to forge fake chunks in bss when editing g_name, as follows:
0x602100 g_name/g_list -> 0x602120
As a result we can fully manipulate a heap chunk by editing g_name.
1. leak libc: forge a fake unsorted chunk at bss then free it. By showing name we can leak [main_arena](https://github.com/bash-c/main_arena_offset) + 96
2. control pc: forge a fake tcache bin at bss. Modify fd by editing g_name, then we can allocate to `__malloc_hook`
Here is my [exploit](https://github.com/bash-c/pwn_repo/blob/master/ISITDTU2019_iz_heap_lv1/solve.py). Follow [me](https://github.com/bash-c) if you like this writeup :)