Tags: pwn
1) Leak libc and heap addresses, since chunks are not nulled when they are freed
2) Create a fast chunk between some small chunks
3) Use House of Einherjar to create overlapping chunks
4) Free the fast chunk
5) Use a fastbin attack to overwrite the fast chunk's FD pointer with the malloc_hook offset
6) Overwrite malloc_hook with one_shot
7) Trigger memory corruption
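
Steps 5 and 6 rely on malloc trusting the FD pointer stored in a freed fast chunk. The C below is an added example, not part of the original writeup and a simplified model rather than glibc source: it reproduces the two integrity checks glibc applies on that path, the fastbin size-index check and, from glibc 2.32 onward, safe-linking pointer decoding with an alignment check. All addresses are constructed sample values and `check_fastbin_fd` is a hypothetical helper name.

```c
#include <stdint.h>
#include <stdio.h>

/* Added model of glibc's fastbin integrity checks (not glibc source).
   All addresses below are constructed sample values. */

enum fb_result { FB_OK, FB_UNALIGNED, FB_BAD_SIZE };

/* Safe-linking (glibc >= 2.32): fd is stored as (field address >> 12) XOR target. */
static uint64_t protect_ptr(uint64_t pos, uint64_t target) { return (pos >> 12) ^ target; }
static uint64_t reveal_ptr(uint64_t pos, uint64_t stored)  { return (pos >> 12) ^ stored; }

/* 64-bit fastbin index: chunk sizes 0x20, 0x30, ... map to 0, 1, ... */
static unsigned fastbin_index(uint64_t size) { return (unsigned)(size >> 4) - 2; }

/* Validate the chunk a stored fd decodes to before malloc would return it.
   size_at_target is the size field read at the decoded address. */
static enum fb_result check_fastbin_fd(uint64_t pos, uint64_t stored,
                                       uint64_t size_at_target, unsigned bin_idx,
                                       uint64_t *decoded)
{
    uint64_t victim = reveal_ptr(pos, stored);
    if (decoded) *decoded = victim;
    if (victim & 0xf)                      /* chunks are 16-byte aligned */
        return FB_UNALIGNED;               /* "unaligned fastbin chunk detected" */
    if (fastbin_index(size_at_target & ~(uint64_t)7) != bin_idx)
        return FB_BAD_SIZE;                /* "memory corruption (fast)" */
    return FB_OK;
}

int main(void)
{
    const uint64_t fd_field = 0x55555575a010ULL;   /* constructed heap address */
    const uint64_t next     = 0x55555575a080ULL;   /* constructed free chunk */
    const uint64_t raw      = 0x7ffff7dd1b10ULL;   /* constructed non-heap address */
    uint64_t out;

    /* Link written by the allocator, target has a 0x70-sized header: accepted. */
    printf("%d\n", check_fastbin_fd(fd_field, protect_ptr(fd_field, next), 0x71, 5, &out));
    /* Raw pointer written over fd by a corrupting write: decodes elsewhere. */
    printf("%d -> %#llx\n", check_fastbin_fd(fd_field, raw, 0x71, 5, &out),
           (unsigned long long)out);
    /* Aligned target whose size field belongs to another bin: rejected. */
    printf("%d\n", check_fastbin_fd(fd_field, protect_ptr(fd_field, next), 0x21, 5, &out));
    return 0;
}
```

glibc 2.34 also removed the malloc hooks from the API, and malloc no longer calls `__malloc_hook`, so the overwrite in step 6 has no effect on current releases.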