- Leak the canary, a stack address and libc.address using the format string bug in router();
- With the canary and libc.address known, we're able to ROP.
- I just want to send my payload using requests.get(), so I call mprotect(stack, 0x1000, 7) using ROP and then jump to my shellcode.
exploit here