Tags: pwn 

Rating: 0

The bug is a format string. Use it to get a libc infoleak, then do got overwrite. Check writeup for more details. Also checkout https://github.com/guyinatuxedo/nightmare for more pwn/re resources.