Unsorted Bin Attacks
The unsorted bin is a temporary holding area for freed chunks. Its insertion and removal logic can be abused to write large values or libc addresses to arbitrary locations.
| Technique | Description |
| Unsorted Bin Attack | Writing a large libc address to any location. |
| Into Stack | Tricking the bin into returning stack memory. |
| Unsafe Unlink | Exploiting backward/forward consolidation for arbitrary write. |