It's easy to find the off-by-null bug in read_n(0x40091E), luckily there is no PIE.

So we can use unlink, then leak libc and control pc by modifying `__malloc_hook` or so.

Here is my [exploit](https://github.com/bash-c/pwn_repo/blob/master/ISITDTU2019_iz_heap_lv2/solve.py). Follow [me](https://github.com/bash-c/) if you like this writeup :)

Original writeup (https://github.com/bash-c/pwn_repo/blob/master/ISITDTU2019_iz_heap_lv2/solve.py).