Tags: #pwn 

Rating:

Exploit classic dangling pointer to UAF. In the first time, allocate a list_child object, which I used to get info disc and leak my chunk in the heap, and from that getting libc base addr. Then, allocate a string child, corrupt it's vtable and jump to pivot, which call system().

Original writeup (https://github.com/saaramar/32c3-tree-pwn500).