[JET] Fortress

Ok, after a few days, I am going to have to ask for a nudge on the memo exploit.

(disclaimer: I have not solved elasticity, nor decrypted t**y’s openssl-generated files)

I can corrupt the heap (causing malloc() ‘corrupted top’ crashes), and can also overwrite enough stack to control RSI going into a printf() - which could leak the canary (or any address), but I can’t actually see a vuln that overwrites the canary in the first place…

I have been operating under the assumption I was after code execution, but realized last night that it might be a ‘leak-the-flag’ objective.

Any hints? (No solutions please, just a small push in the direction to look.)