It didn't initialize key_list array and didn't check key_list in remove routine.
So, we can easily trigger fastbin attack.

I overwrite **malloc_hook** with system function and give **"/bin/sh"** address because it didn't check malloc size.

Original writeup (https://github.com/vngkv123/CTF/blob/master/ctf_in_2017/seccon/secure_keymanager.py).