exploit a use-after-free vuln and perform a tcache fastbin style attack to overwrite global array of user ptrs to get arbitrary read+write primitive which we can use to overwrite free@GOT w/ system