Same as Trick or Treat from HITCON CTF 2019. You can read my writeup for that here.

Overwrite __realloc_hook with a one gadget and overwrite __malloc_hook with realloc+14 to meet the one gadget's constraints.