House of Botcake and how2heap

Alright, so it took us a while to do the fastbin dup justice.

In fact, we still need to finish the last steps (my House of Ninja), where we target a heap address in order to get back to tcache poisoning in practice.

There is a nice alternative to Fastbin Dup called House of Botcake, which is a beautiful name. Not sure why it's named that; maybe one of you can figure that out.

Maybe the fastbin dup takes the rest of my time and I, yet again, don't get to this. I'll drop some notes on it anyhow:

GOAL: Overlapping Chunks

We know that if we can edit after free we win. One way to achieve that is to have a chunk which starts in the middle of another, in-use chunk.

Most of the techniques for doing this involve getting a chunk into two different bins.

In this case we want to get a chunk into both the tcache AND the unsorted bin.
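The end state every one of these techniques aims for is the same: two "live" pointers that alias the same bytes. The small program below, an added example that is not part of the original notes or of how2heap, models that state from the checking side: given a table of in-use allocations (start address and usable size, with constructed sample addresses), it reports the first chunk whose range overlaps an earlier one. The table and its values are assumptions for illustration; a real allocator debug hook would fill them from its own bookkeeping.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Record of one live (in-use) allocation: user pointer and usable size.
 * Addresses in the sample tables below are constructed values, not real
 * heap output. */
typedef struct {
    uint64_t start;   /* address returned by malloc */
    size_t   size;    /* usable size of the chunk */
} live_chunk;

/* Two half-open ranges [s, s+len) overlap if each starts before the other ends. */
int chunks_overlap(const live_chunk *a, const live_chunk *b)
{
    uint64_t a_end = a->start + a->size;
    uint64_t b_end = b->start + b->size;
    return a->start < b_end && b->start < a_end;
}

/* Scan a table of live chunks; return the index of the first chunk that
 * overlaps an earlier one, or -1 if every live allocation is disjoint.
 * A hit means two in-use pointers alias the same memory, i.e. the
 * "overlapping chunks" goal described in the notes above. */
int find_overlapping_chunk(const live_chunk *chunks, size_t n)
{
    for (size_t i = 1; i < n; i++)
        for (size_t j = 0; j < i; j++)
            if (chunks_overlap(&chunks[i], &chunks[j]))
                return (int)i;
    return -1;
}

/* Constructed sample: two disjoint allocations, then a table where a third
 * allocation starts in the middle of the second one. */
static const live_chunk sample_clean[] = {
    { 0x5555555592a0ULL, 0x100 },
    { 0x5555555593b0ULL, 0x100 },
};
static const live_chunk sample_overlap[] = {
    { 0x5555555592a0ULL, 0x100 },
    { 0x5555555593b0ULL, 0x100 },
    { 0x555555559400ULL, 0x20 },  /* lies inside chunk 1's range */
};

#define N_CLEAN   (sizeof sample_clean / sizeof sample_clean[0])
#define N_OVERLAP (sizeof sample_overlap / sizeof sample_overlap[0])

int main(void)
{
    printf("clean table: %d\n", find_overlapping_chunk(sample_clean, N_CLEAN));
    printf("overlap table: %d\n", find_overlapping_chunk(sample_overlap, N_OVERLAP));
    return 0;
}
```

The check is quadratic, which is fine for a debug build or a unit test of an allocator wrapper; it deliberately compares user ranges rather than chunk headers, because the question a defender cares about is whether two outstanding pointers can write to the same bytes.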

Here we go: