Rating:
1. Using double staged fsb, change the return address of the stack to main and leak the libc_start_main_ret address.
- a little brute forcing
2. Using double staged fsb, change the return address of the stack to one_gadget
3. Restore the SFP
- SFP should be changed when changing the return address of the stack.
- When the SFP changes, it moves to a different address
- a little brute forcing