Tags: nx glibc pie
###### Summary
* use a large calloc size (greater than `mmap_threshold`, `0x20000` by default) so the allocation falls back to mmap => the chunk sits at a constant offset from libc
* overwrite the stdout buffer pointers to point before `_shortbuf`
* overwrite the stdout/stdin flags so stdout is flushed before each read => leaks the absolute libc base
* overwrite the stdout buffer again and flush => arbitrary read
* leak a stack address => overwrite main's return address => ROP to execv => done
[Full writeup](https://github.com/bennofs/docs/blob/master/hxp-2017/impossible.md) and
[exploit script](https://github.com/bennofs/docs/blob/master/hxp-2017/impossible.py) (with extensive comments).