Use a UAF to leak libc and heap pointers. Then use an FSE to point a real FILE at a fake FILE, which gives code execution when that FILE is closed.

Original writeup (https://github.com/ybieri/ctf-writeups/tree/master/pwn2win2020/at_your_command).