
Add unsorted_bin_into_stack #77

Merged: m1ghtym0 merged 1 commit into shellphish:master from insuyun:master on Jun 5, 2018

Conversation

@insuyun (Contributor) commented May 8, 2018

It adds another attack that returns a nearly-arbitrary pointer.
It is similar to house of lore, but it overwrites the unsorted bin and is simpler.
I tested it with Ubuntu 16.04.

@m1ghtym0 (Member) commented

This attack does not work on the latest glibc anymore, because the freed chunk will not end up in the unsorted bin, but in the tcache instead. When reallocated, the size of the chunk in the tcache will not be checked again, so the modification is irrelevant (in this step).
Of course the tcache is basically reducing security checks here, but in that case it destroys the particular attack vector.

@zardus We should think about a structure in this repo that differentiates attacks based on the glibc version, or even a hierarchy for different libcs like: libc -> version -> attack.

@insuyun (Contributor, Author) commented May 15, 2018

True. This is not working in the latest glibc.
But it does not prevent the attack; it's due to the change of its data structure.
Currently, most of the techniques in how2heap are tested on Ubuntu 14.04 or 16.04.
This attack also works in those versions, so I think it's fine to add this.

Also, I agree that it's better to maintain this by glibc version.
For example, the current house of orange is broken due to the glibc patch.
Also, we can do the other attacks related to tcache as you mentioned.

@zardus (Member) commented May 16, 2018

I like the idea of splitting things up by libc version (and libc variant), especially with what's coming soon.

@bennofs (Contributor) commented May 26, 2018

You should still be able to make this attack work by filling up the tcache first, as after the tcache is full, chunks still go into the unsorted bin. In fact, I think any attack that works without tcache can work with tcache, but you may need to do a lot of mallocs/frees in between to fill/clear the tcache.

@insuyun (Contributor, Author) commented May 26, 2018

If we have tcache, I think we can use tcache_poisoning instead of this one.

@m1ghtym0 (Member) commented May 27, 2018 via email

@m1ghtym0 m1ghtym0 merged commit 82d7434 into shellphish:master Jun 5, 2018
@insuyun (Contributor, Author) commented Jun 5, 2018

Thanks. Maybe we need to maintain these techniques based on version.

@m1ghtym0 (Member) commented Jun 5, 2018

Thank you!
I'm gonna build smth. this weekend
