Partially overwrite the vtable to make puts call read().
puts also does strlen on the string, so it controls rdx.
buff is rsi, and rdi is the file number.
It becomes read(1, buff, strlen(buff)).

Over sockets we can read from stdout as well, but the stdout struct is broken, so we won't be getting output. We have to recover stdout again after corrupting the heap.

viewname() can now be used to change the name, because it does puts(name).
We can also change pointer[0], because it's aligned.
Then keep corrupting the heap via view(pointer[0]).
I first allocated (0x90) and freed it back to set tcache idx = 1, then set pointer[0] to point to the tcache struct address and changed it to 7.
Same for fastbin. This is to save chunks, because of the restriction of 14 max allocations.
To recover stdout, get a libc pointer on the heap and point the freed chunk's fd -> heap_pointer -> libc_stdout.
I partially overwrote stdout as well. It required a bruteforce of 4 bits,
1/16. I kept a fake size (0x73) in the stdout struct when writing to it.
After getting an allocation at stdout, partially overwrite the last byte of the vtable to fix it back to normal.
Then viewing a chunk will leak libc.
Before recovering stdout, I set note[0] to a fake chunk, because after recovering stdout we need to corrupt stuff.
Then a simple malloc hook hijack.

Original writeup (https://gist.github.com/hkraw/33e052773c6b8c1daa7cfc35158da09b).