Tags: off-by-null pwn heap-overflow

Rating:

Off-by-null. Use the single-byte overwrite to corrupt heap metadata and trick `malloc()` into returning overlapping chunks, then:

1) Leak libc base address by printing out a smallbin libc pointer;
2) Overwrite `bk` of a fastbin chunk, in order to create a fake fastbin chunk. Overwrite `__malloc_hook` with a one_gadget address.
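To make the root cause concrete from the code-review side, here is an added example (constructed for this page, not code from the challenge or from the original writeup) of the bug class the writeup starts from: a copy routine that clamps the input length to the buffer capacity and then writes the terminating NUL one byte past the end. The probe function allocates one spare byte so the demonstration itself is defined behaviour; that spare byte stands in for what the NUL would hit in a real glibc heap, typically the low byte of the next chunk's size field, which is exactly the metadata corruption the exploit chain above builds on. The function names, the 8-byte capacity and the input strings are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Buggy copy: clamps n to `cap` instead of `cap - 1`, so for any input of
 * `cap` or more characters the NUL terminator is written to dst[cap], one
 * byte past the buffer. On a glibc heap that byte normally overlaps the low
 * byte of the neighbouring chunk's size field (clearing its PREV_INUSE bit).
 * Returns the index at which the NUL was written.
 */
size_t copy_off_by_null(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n > cap)
        n = cap;          /* bug: should leave room for the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';        /* when n == cap this lands at dst[cap] */
    return n;
}

/*
 * Fixed copy: reserves the last byte of the buffer for the terminator and
 * refuses to write anything when there is no room for even that.
 */
size_t copy_fixed(char *dst, size_t cap, const char *src)
{
    if (cap == 0)
        return 0;
    size_t n = strlen(src);
    if (n > cap - 1)
        n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';        /* always within [0, cap - 1] */
    return n;
}

/*
 * Probe: allocate cap + 1 bytes so the byte just past the logical buffer is
 * ours to inspect. That sentinel byte plays the role of the neighbouring
 * chunk's metadata. Returns 1 if the copy routine overwrote it, 0 if not,
 * -1 on allocation failure.
 */
int clobbers_next_byte(size_t (*copy)(char *, size_t, const char *),
                       size_t cap, const char *src)
{
    char *buf = malloc(cap + 1);
    if (buf == NULL)
        return -1;
    buf[cap] = 0x41;      /* sentinel standing in for neighbour metadata */
    copy(buf, cap, src);
    int clobbered = (buf[cap] != 0x41);
    free(buf);
    return clobbered;
}

int main(void)
{
    /* constructed input: 12 bytes, longer than the 8-byte buffer */
    const char *input = "AAAAAAAAAAAA";
    printf("buggy copy clobbers next byte: %d\n",
           clobbers_next_byte(copy_off_by_null, 8, input));
    printf("fixed copy clobbers next byte: %d\n",
           clobbers_next_byte(copy_fixed, 8, input));
    return 0;
}
```

The sentinel check is the same pattern a unit test or a fuzz harness with AddressSanitizer would flag: the buggy routine reports a NUL index equal to the capacity, the fixed one never exceeds `cap - 1`. Heap hardening in newer glibc releases makes the follow-on metadata corruption harder, but the off-by-one bound is the defect to fix.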

Original writeup (https://ypl.coffee/ijctf-2020-babyheap/).