Blinded — HTB Challenge
retleave·Apr 21, 2026·9 min read
Info
- Category: Pwn
- Difficulty: Hard
Introduction
Blinded is a blind exploitation challenge that distills heap corruption to its absolute minimum: a single-byte write at an attacker-controlled index, repeated in a loop, with zero feedback beyond an initial banner. The binary has Full RELRO, PIE, and no output primitive. The exploit must be delivered as a single precomputed payload -- there is no interactive feedback loop.
The attack leverages a subtle C operator precedence bug to unlock negative indices, then chains heap metadata corruption into overlapping allocations that reach the dynamic linker's writable segment. From there, it forges a fake ELF symbol table entry and corrupts stdin's vtable pointer to trigger dso_find_for_object, which resolves through the forged symbol and jumps to a one-gadget. This is the same class of attack described in ret2dso research, applied here under maximally constrained conditions.
Vulnerability Analysis
The Binary
The vulnerable function is deceptively simple:
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

size_t vuln() {
    size_t size;
    int i;
    char c;
    /* Read size, index and byte in one go. The range check is the bug:
     * C has no chained comparisons, so `0 <= i < size` is parsed as
     * `(0 <= i) < size`. The inner comparison yields 0 or 1, so for any
     * size >= 2 the test passes for every i, negative values included. */
    if (scanf("%zu %d %hhd", &size, &i, &c) < 3 || size > 0x3e8 || !(0 <= i < size))
        _exit(EXIT_FAILURE);
    char* ptr = malloc(size);
    ptr[i] = c;   /* single-byte write at an attacker-controlled (possibly negative) index */
    free(ptr);
    return size;
}
```

Content Locked
This challenge is still active on HackTheBox. The full writeup will be available after retirement.
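To make the precedence bug in vuln() concrete, here is an added example (my own code, not from the writeup or the challenge binary; the function names are mine): the original range check written with the parentheses the C grammar actually inserts, next to the check the author presumably intended, and a helper that counts how many indices each one accepts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the challenge. Function names are mine. */

/* The check from vuln(), with the grouping the compiler applies:
 * `0 <= i < size` is `(0 <= i) < size`. The inner comparison yields 0 or 1,
 * so for any size >= 2 the whole test is true for every i, negative included.
 * For size == 1 only negative i pass; for size == 0 nothing passes. */
bool buggy_index_ok(int i, size_t size) {
    return (size_t)(0 <= i) < size;
}

/* The check the author presumably intended: 0 <= i and i < size. */
bool fixed_index_ok(int i, size_t size) {
    return i >= 0 && (size_t)i < size;
}

/* Count how many indices in [lo, hi] a given check accepts for `size`. */
int count_accepted(bool (*check)(int, size_t), size_t size, int lo, int hi) {
    int n = 0;
    for (int i = lo; i <= hi; i++)
        if (check(i, size))
            n++;
    return n;
}

int main(void) {
    size_t size = 0x3e8;  /* the challenge's maximum allocation size */
    printf("i=-1, size=%zu: buggy=%d fixed=%d\n", size,
           buggy_index_ok(-1, size), fixed_index_ok(-1, size));
    printf("indices in [-16,16] accepted: buggy=%d fixed=%d\n",
           count_accepted(buggy_index_ok, size, -16, 16),
           count_accepted(fixed_index_ok, size, -16, 16));
    return 0;
}
```

gcc with -Wall flags the original expression via -Wparentheses ("comparisons like 'X<=Y<=Z' do not have their mathematical meaning"), which is the cheapest way to catch this class of check before it ships.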