Tags: aslr vsyscall pie

Rating: 0

An uninitialized value is used as the number of bytes to read from the user in a read() call.
This results in a stack overflow in a binary with both PIE and ASLR enabled -- and we have no leaks!

We deal with this using a vsyscall gadget, which lets us "slide" through the stack until we can partially overwrite a libc address.
From there, we partially overwrite it to make it jump to a **PATCHED-IN** gadget (the given libc had an additional gadget), and finally get a shell!
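
As an added example (not code from the challenge binary or this writeup), the root-cause bug described above and its hardened form in C: the buggy pattern is reconstructed in a comment, `bounded_read` and `demo_oversized_input` are assumed names, and the demo feeds constructed input through a pipe and checks a canary placed right after the buffer.

```c
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 64
#define CANARY 0x5a5a5a5aUL

/* The challenge's bug, reconstructed from the description (not the
 * binary's actual source):
 *
 *     char buf[BUF_SIZE];
 *     size_t len;          // never assigned: stale stack contents
 *     read(0, buf, len);   // reads as many bytes as that slot happens to hold
 *
 * A large stale value turns the fixed-size stack buffer into a stack
 * overflow. The fix is to derive the length from the buffer's real
 * capacity, not to pick some initial value for len. */

/* Hardened form: explicit capacity, clamp the request, NUL-terminate,
 * and report errors instead of trusting read()'s return blindly. */
ssize_t bounded_read(int fd, char *buf, size_t cap, size_t requested)
{
    if (buf == NULL || cap == 0)
        return -1;
    size_t len = requested < cap ? requested : cap - 1; /* room for NUL */
    ssize_t n = read(fd, buf, len);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Demo: a frame with a canary right after the buffer is fed 200 bytes
 * (constructed input) through a pipe. Returns bytes stored, or -1 if the
 * canary was clobbered or the pipe could not be set up. */
ssize_t demo_oversized_input(void)
{
    struct { char buf[BUF_SIZE]; unsigned long canary; } frame;
    char big[200];
    int fds[2];

    frame.canary = CANARY;
    memset(big, 'A', sizeof big);
    if (pipe(fds) != 0 || write(fds[1], big, sizeof big) != (ssize_t)sizeof big)
        return -1;
    close(fds[1]);
    ssize_t n = bounded_read(fds[0], frame.buf, sizeof frame.buf, sizeof big);
    close(fds[0]);
    return frame.canary == CANARY ? n : -1; /* 63: capped at BUF_SIZE - 1 */
}
```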