Kyle Zeng
I think a technique variant is less interesting because the gist of the technique is already there unless it can achieve something very different.
If I understand correctly, this technique requires known heap addresses (fake chunk and p) and a target address (where to overwrite). In the demo attack, it uses out-of-bound access to...
Good job on finding this technique independently! However, this technique is not new; it has been extensively used in current techniques. For example, the same attack is used in [house_of_einherjar](https://github.com/shellphish/how2heap/blob/64bb684d3cda469fc4f9ead69f2477be9596b570/glibc_2.34/house_of_einherjar.c),...
Also, please add more output to the program to allow people to understand how it works by only reading its output. And please explicitly mention what primitives this technique requires (heap...
@MaherAzzouzi you mentioned that a libc leak is required. That is not true. You can have three unsorted bin chunks `head->A->B->C->head`. Now both fwd and bk pointers in B are...
I think the idea is not very clear at the moment. I like the idea of bypassing double free protection by putting the same chunk into two different tcache. However,...
Actually, the new version doesn't use an overwrite primitive but a UAF. A normal program won't realloc a chunk after it is freed.
@mdulin2 This is not addressed because it is actually a file io exploitation technique. Although attackers often abuse file io after heap exploit, personally, I'm not sure whether it belongs...
According to yt-dlp's log: WARNING: xxxxx: writing DASH m4a. Only some players support this container. Install ffmpeg to fix this automatically, it should be a problem on YouTube's side. Download the music with yt-dlp (about 3 seconds on DigitalOcean), set up a RangeHTTPServer on the server, and you're done.
context: I'm developing a segment register filter for angrop: https://github.com/angr/angrop/blob/154310eccc153b44e868b8e454b3043207ea8525/angrop/arch.py#L60