Tags: seccomp 2.32 heap tcache-stash-unlink poison-null-byte pwn 

Rating: 5.0

Perform a glibc 2.32 poison null byte attack without a heap leak by massaging unsorted and large bins, a tcache stash unlink attack to overwrite `mp_.tcache_bins`, and a tcache poison for controlled arb write to escape seccomp with a COP gadget involving rdi and rdx for the flag.

Original writeup (https://www.willsroot.io/2020/12/yet-another-house-asis-finals-2020-ctf.html).