The code here is similar to baby_scan_1. There are two main difference between this challenge and previous one.
alloc is replaced by malloc
program exit instead of ret.
Since program have PIE disabled and we can control the scanf format string. We basically have a write anywhere.
The idea is simple: write target address into the last 8 byte of local variable size. use %9$s to scan character into that address
1 2 3 4 5 6 7
=== some stack value <== rsp 9$s\x00\x00\x00\x00\x00 <== size[16] target_address RBP RIP ====
Also, since it is partial RELRO, we can overwrite the jmp address of exit in GOT and make it jump back to main again. Now we have an infinite number of write anywhere.
To leak the address. We can overwrite jmp address of atoi with printf. Then, we can leak libc address on the stack using %{offset}$p