Tags: pwn
Abuse a logical bug that results in an out-of-bounds (OOB) vulnerability when invoking `call_function`.
This OOB vulnerability allows invoking a function knowing only its address.
It also requires the address of the to-be-invoked function to be on the stack, which is possible by editing the weights.
Note:
I also found a way to leak an address in the binary, but it turned out that ASLR is off, so I wasted my time on leaking, even though I didn't have to :(