200 points
Welcome to the sunny land of Halcyon Heap, where the fastbins are fast and the smallbins don't exist! (libc)
Hint: If you want smallbins done right you do it on your own.
Before we even run the binary let's check the security features with checksec:
| import os | |
| maps_file = open("/proc/25397/maps", "r") | |
| mem_file = open("/proc/25397/mem", "rb") | |
| for line in maps_file.readlines(): # for each mapped region | |
| pathname = "" | |
| addresses, perms, offset, dev, inode, *rest = line.split() | |
| if len(rest) > 0 and rest[0]: # for some reason not everything has a pathname | |
| pathname = rest[0] | |
| start, end, *rest = addresses.split("-") | |