UAF to unsafe unlink ropchain onto stack

Blind flag exfiltration via side channel attacks

Using dl_resolve to get around no leaks

Exploiting linked list structure into FSOP rop

Integer overflow to get rich enough doing unsafe unlinking

Privilege escalation with null byte overwrite.

No heap, but oob access for got overwrites.

OOB access overwriting got entries

Chaining GOT overwrites into rop

Fastbin corruption to BSS