Tags: binaryexploitation tcache-poisoning tcache
TCache poisoning attack. Use an unsorted bin to help leak a libc address. Use the delete option to create a double free in a tcache bin. Then make the next pointer point to the free hook, so you can change it to system. Finally, use the option that calls free on a chunk containing the /bin/sh string to pop a shell.
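
The double free step above, shown on a toy model of a single tcache bin. This is an added example, not code from the original writeup or from glibc; `chunk`, `bin`, `toy_free`, `toy_alloc` and `double_free_aliases` are hypothetical names. It shows why freeing the same chunk twice makes two later allocations return the same memory, and how a per-chunk key check of the kind glibc added to tcache in 2.29 rejects the second free.

```c
#include <stdio.h>

/* Toy model of one tcache bin: a LIFO singly linked list of freed chunks.
   All names here are hypothetical; this is not glibc source. */
typedef struct chunk {
    struct chunk *next;  /* link to the next free chunk in the bin */
    void *key;           /* set to the bin's address while the chunk is free */
    char data[16];
} chunk;

typedef struct { chunk *head; } bin;

/* Free a chunk into the bin. With check_key set, a chunk whose key already
   marks it as free is searched for in the bin and rejected if found. */
int toy_free(bin *b, chunk *c, int check_key) {
    if (check_key && c->key == (void *)b)
        for (chunk *p = b->head; p != NULL; p = p->next)
            if (p == c) return -1;          /* double free detected */
    c->next = b->head;                      /* unchecked: c now links to itself */
    c->key = b;
    b->head = c;
    return 0;
}

/* Pop the most recently freed chunk and clear its key. */
chunk *toy_alloc(bin *b) {
    chunk *c = b->head;
    if (c == NULL) return NULL;
    b->head = c->next;
    c->key = NULL;
    return c;
}

/* Returns 1 if two consecutive allocations alias after a double free. */
int double_free_aliases(int check_key) {
    chunk c = { NULL, NULL, {0} };          /* constructed sample chunk */
    bin b = { NULL };
    toy_free(&b, &c, check_key);
    toy_free(&b, &c, check_key);            /* same chunk freed again */
    chunk *first = toy_alloc(&b);
    chunk *second = toy_alloc(&b);
    return first != NULL && first == second;
}

int main(void) {
    printf("aliased without key check: %d, with key check: %d\n",
           double_free_aliases(0), double_free_aliases(1));
    return 0;
}
```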