After spending almost two months on the exploitation tutorial, I have finally achieved the goal I set when I decided, before the new year, to start writing a tutorial on exploitation. After a one-week break, I think I need to set some new goals. So I will list the things I will do in the next two months as appendices to my exploit tutorial.
Work Plan and references
(1) House of Lore
 The House Of Lore: Reloaded ptmalloc v2 & v3: Analysis & Corruption http://phrack.org/issues/67/8.html
 SECCON 2017 Qual Candy Store
(2) Thread Cache introduced in libc-2.26.
 CVE-2017-17426 https://bugzilla.redhat.com/show_bug.cgi?id=1524530
(3) Exploitation Technique: dlopen
 CODEBLUE 2017 CTF DEMONSCENEDB https://github.com/david942j/ctf-writeups/blob/master/codeblue-2017/demo_scene_db/demo_scene_db.rb
(4) Exploitation Technique: ret2-dl-resolve
In my previous post, Dynamic Link, I left a clue in the conclusion that lazy binding could be used for exploitation. Here I will introduce the ret2-dl-resolve technique.
 HITCON 2015 CTF BLINKROOT http://ddaa.tw/hitcon_pwn_200_blinkroot.html
(5) Overlapping chunk: Attack on large bin