Exploit Dev — The Heap
We leave the stack for the glibc heap, where the allocator's own bookkeeping is the attack surface. You will learn chunks, bins, and the tcache, then the bugs: use-after-free and double-free, and the headline technique, tcache poisoning, which overwrites a freed chunk's next pointer so malloc hands you an allocation at any address — an arbitrary write. We finish with modern mitigations and a worked UAF-to-shell exploit.