tl;dr
- Adding the last character to a tab causes null byte overflow
- Use said overflow to unset prev_inuse bit
- Coalesce upwards with fake chunk to perform unlink attack
- Unlink attack places .bss pointer in place of heap pointer
- Editing .bss allows for Arbitrary R/W