Tags: pwn 

The technique is a File Stream Pointer Overwrite: we corrupt an opened file's vptr so that it points to a fake vtable we craft.
When fclose() is then called on the file, the close virtual function is looked up through our fake vtable.
Instead of an innocuous virtual function, that entry gets it to call system("/bin/sh\0").
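
From the defender's side, the dispatch above can be guarded by refusing any vptr that does not point into the library's own table of vtables, which is the kind of range check newer glibc releases apply to FILE objects. The block below is an added example, not code from the write-up or from glibc; `toy_file`, `toy_vtable`, `toy_fclose` and `demo` are hypothetical names in a simplified model.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model (assumption): NOT glibc's real FILE or vtable layout. */
struct toy_vtable { int (*close)(void *self); };
struct toy_file   { int fd; const struct toy_vtable *vptr; };

static int real_close(void *self)   { (void)self; return 0; }
static int marker_close(void *self) { (void)self; return 1337; } /* stands in for a hijacked target */

/* Every legitimate vtable lives in one contiguous read-only array. */
static const struct toy_vtable trusted_vtables[] = { { real_close }, { real_close } };

/* Constructed "fake vtable" in writable memory, as the write-up describes. */
static struct toy_vtable fake_vtable = { marker_close };

/* Accept a vptr only if it points at an entry inside trusted_vtables. */
static int vtable_is_trusted(const struct toy_vtable *vt) {
    uintptr_t off = (uintptr_t)vt - (uintptr_t)trusted_vtables;
    /* Unsigned wrap-around makes one compare reject pointers below the array too. */
    if (off >= sizeof(trusted_vtables)) return 0;
    return off % sizeof(struct toy_vtable) == 0;
}

/* Dispatch close(); with checking enabled a foreign vptr is refused (-1). */
static int toy_fclose(struct toy_file *f, int checked) {
    if (checked && !vtable_is_trusted(f->vptr)) return -1;
    return f->vptr->close(f);
}

/* corrupt=1 models the overwritten vptr; returns what toy_fclose yields. */
int demo(int corrupt, int checked) {
    struct toy_file f = { 3, &trusted_vtables[1] };
    if (corrupt) f.vptr = &fake_vtable;
    return toy_fclose(&f, checked);
}

int main(void) {
    printf("intact, checked:    %d\n", demo(0, 1));
    printf("corrupt, unchecked: %d\n", demo(1, 0));
    printf("corrupt, checked:   %d\n", demo(1, 1));
    return 0;
}
```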

Original writeup (https://github.com/conceptofproof/CTFs/blob/master/2017/inctf2017/jumpingjacks/solve.py).