Tags: heap pwn 

### Exploit overview

The core strategy is to turn the off-by-null bug into overlapping chunks, then use tcache poisoning in an unusual way to get around the challenge's heap-limit restriction. Instead of trying to allocate chunks beyond the permitted boundary, we corrupt tcache metadata so that an allocation lands directly inside the tcache entries array itself. With that primitive, allocations can be redirected to arbitrary memory, and reading the next-chunk pointer of the returned chunk leaks stack and binary addresses. Finally, we overwrite a chunk pointer in the global chunks array so that it points to stdout and perform a FILE-struct exploit to gain a shell.
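The bug class the chain starts from, an off-by-null, is a NUL terminator written one byte past the end of a buffer; on the heap that byte lands in the next chunk's size field, which is what makes the overlapping-chunk trick possible. The snippet below is an added example, not code from the challenge binary or from the writeup: it shows a constructed copy routine with that defect next to a corrected one, using a sentinel byte placed right after the buffer to make the stray write observable. The function names, the `storage` layout and the sentinel value `0x91` are all assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed vulnerable routine: copies up to `len` bytes and then NUL-terminates
   at buf[n]. When the input fills the buffer, n == len and the terminator is
   written to buf[len], one byte past the caller's buffer (the off-by-null). */
size_t read_name_vuln(char *buf, size_t len, const char *input)
{
    size_t n = strlen(input);
    if (n > len)
        n = len;
    memcpy(buf, input, n);
    buf[n] = '\0';            /* off-by-null when n == len */
    return n;
}

/* Hardened form: reserve the last byte of the buffer for the terminator, so
   the NUL can never be written outside [buf, buf + len). */
size_t read_name_fixed(char *buf, size_t len, const char *input)
{
    if (len == 0)
        return 0;
    size_t n = strlen(input);
    if (n > len - 1)
        n = len - 1;
    memcpy(buf, input, n);
    buf[n] = '\0';            /* always within the buffer */
    return n;
}

/* Each demo hands the routine an 8-byte window inside a 9-byte array. The 9th
   byte is a constructed sentinel standing in for "the byte after the buffer"
   (on the heap this would be part of the next chunk's size field). The return
   value is that sentinel after the copy, so the overwrite is directly visible
   without any out-of-bounds access in the demo itself. */
int demo_vuln(void)
{
    char storage[9];
    memset(storage, 0, sizeof storage);
    storage[8] = (char)0x91;                  /* constructed sentinel */
    read_name_vuln(storage, 8, "ABCDEFGH");   /* input exactly fills 8 bytes */
    return (unsigned char)storage[8];         /* 0: sentinel clobbered by the NUL */
}

int demo_fixed(void)
{
    char storage[9];
    memset(storage, 0, sizeof storage);
    storage[8] = (char)0x91;                  /* constructed sentinel */
    read_name_fixed(storage, 8, "ABCDEFGH");  /* truncated to 7 bytes + NUL */
    return (unsigned char)storage[8];         /* 0x91: sentinel intact */
}

int main(void)
{
    printf("vulnerable: byte after buffer = 0x%02x\n", demo_vuln());
    printf("fixed:      byte after buffer = 0x%02x\n", demo_fixed());
    return 0;
}
```

The check that matters in review is the relationship between the copy bound and the terminator index: any routine that clamps to `len` and then writes `buf[n]` has this defect, and the fix is to clamp to `len - 1` (or to size the buffer with the terminator included). A unit test like the demos above, with a sentinel placed immediately after the buffer, catches the regression even though a single overwritten NUL rarely crashes on its own.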

Full writeup link:
[https://razvan.sh/writeups/limit-smileyctf/](https://razvan.sh/writeups/limit-smileyctf/)
