- Leak glibc.
- Re-arrange the chunks in the heap somehow using the OBO, so that I can achieve tcache poisoning (I will show you how).
- Change `__free_hook` to `system()` and free a chunk containing `"/bin/sh\x00"`.
Original writeup: https://pwn-maher.blogspot.com/2020/11/pwn11-heap-off-by-one-vulnerability.html