Tags: pwn
Rating:
Tcache poisoning attack -> chunk in cache perthread structure to overwrite 0x80 tcache bin count to 7 and leak libc
Overwrite tcache 0x80 chunk pointer to `__free_hook`, then overwrite `__free_hook` to `system` and get shell
I don't remember