* There is a out of bound access vulneribility in LFA.so.
* Use out of bound read to leak heap address and libc address
* Use out of bound write to write function pointer on the heap and hijack control flow
* Pivot stack and ROP to read flag from fd 1023 and write to stdout.

Original writeup (http://a7um.github.io/2017/12/31/LFA/).