
I'm working on a binary exploitation challenge where the target (ELF/x86_64) has stack canaries, NX and PIE enabled. It implements a simple forking TCP server. After a connection is established, it reads up to 0x420 bytes from the socket into a buffer of 0x400 bytes. When this data starts with a certain string, it sends a reply back before closing the socket.

As far as I can see, the above buffer overflow is the only vulnerability in the program.

So far, I've been able to brute force the stack canary, saved rbp and return address by overwriting them one byte at a time and checking if the server still sends a response.

My problem is that I cannot find a way to exploit this overflow. Because of the stack layout, the return address is all the way at the end of the overflow buffer, which makes it impossible to set up a regular ROP chain.

I thought about adjusting rsp to the start of the writable buffer, but can't find a gadget that does that...

hackedd
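For readers studying this from the defensive side, the following is an added example (not code from the question or from the challenge binary) showing the bug class the question describes next to its fix: a handler that reads up to 0x420 bytes into a 0x400-byte buffer, rewritten so the copy length is derived from the buffer itself. `REQ_PREFIX` stands in for the "certain string" the question does not name, and the sample inputs are constructed here.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUF_SIZE 0x400          /* buffer size from the question */
#define LEGACY_READ_LIMIT 0x420 /* read limit from the question: 0x20 bytes past the buffer */
#define REQ_PREFIX "HELLO"      /* placeholder for the "certain string" (assumption) */

/* Return codes for process_request(). */
#define REQ_REJECTED -1  /* longer than the buffer can hold: dropped, not truncated */
#define REQ_NO_MATCH  0  /* fits, but does not start with REQ_PREFIX */
#define REQ_REPLY     1  /* fits and matches: reply was written */

/* How many bytes a read limit lets past a buffer of buf_sz bytes; 0 when it fits.
 * The question's constants give 0x20: enough to reach canary, saved rbp and return address. */
size_t overflow_margin(size_t read_limit, size_t buf_sz)
{
    return read_limit > buf_sz ? read_limit - buf_sz : 0;
}

/* Hardened handler: refuses any request that would not fit together with a
 * terminator, so nothing above the buffer on the stack can ever be written. */
int process_request(const unsigned char *wire, size_t wire_len,
                    char *reply, size_t reply_sz)
{
    unsigned char buf[BUF_SIZE];

    if (wire_len > sizeof(buf) - 1)
        return REQ_REJECTED;      /* worth logging: oversized requests are the attack signal */

    memcpy(buf, wire, wire_len);  /* bounded copy, always NUL-terminated below */
    buf[wire_len] = '\0';

    size_t plen = strlen(REQ_PREFIX);
    if (wire_len >= plen && memcmp(buf, REQ_PREFIX, plen) == 0) {
        snprintf(reply, reply_sz, "OK %zu", wire_len);
        return REQ_REPLY;
    }
    return REQ_NO_MATCH;
}

/* Socket-side form of the fix: the read length comes from the destination buffer,
 * never from a separate constant. Returns bytes read, or -1 on error. */
ssize_t read_bounded(int fd, unsigned char *buf, size_t buf_sz)
{
    if (buf_sz == 0) return -1;
    ssize_t n = read(fd, buf, buf_sz - 1);   /* leave room for the terminator */
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Self-checks on constructed inputs; each returns the value a caller would see. */
int check_valid_request(void)
{
    unsigned char ok[] = "HELLO world";       /* constructed: 11 bytes, matches prefix */
    char reply[64];
    int rc = process_request(ok, sizeof(ok) - 1, reply, sizeof(reply));
    return (rc == REQ_REPLY && strcmp(reply, "OK 11") == 0) ? rc : -2;
}

int check_oversized_request(void)
{
    unsigned char big[LEGACY_READ_LIMIT];     /* constructed: what the legacy limit allowed */
    char reply[64];
    memset(big, 'A', sizeof(big));
    return process_request(big, sizeof(big), reply, sizeof(reply));  /* REQ_REJECTED */
}

int check_read_bounded(void)
{
    int fds[2];
    unsigned char src[LEGACY_READ_LIMIT], dst[16];
    memset(src, 'A', sizeof(src));
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], src, sizeof(src)) != (ssize_t)sizeof(src)) return -1;
    close(fds[1]);
    ssize_t n = read_bounded(fds[0], dst, sizeof(dst));  /* 0x420 offered, 15 accepted */
    close(fds[0]);
    return (n == (ssize_t)sizeof(dst) - 1 && dst[n] == '\0') ? (int)n : -1;
}

int main(void)
{
    printf("legacy limit overflows by %zu bytes\n", overflow_margin(LEGACY_READ_LIMIT, BUF_SIZE));
    printf("valid request -> %d\n", check_valid_request());
    printf("0x420-byte request -> %d\n", check_oversized_request());
    printf("read_bounded into 16-byte buffer -> %d\n", check_read_bounded());
    return 0;
}
```

Two things the example is meant to make visible. First, the read limit and the buffer size live in one place, so the 0x20-byte margin that lets the overflow reach the canary cannot reappear by editing one constant and forgetting the other. Second, the byte-at-a-time canary guessing the question describes only works because a forking server hands every child the same canary and PIE base; a server that re-executes itself per connection (or otherwise re-randomizes per child) removes that oracle, and a burst of child processes dying from `__stack_chk_fail` is the signal a defender should be alerting on.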

1 Answer


You could deliver a sizeable package with your first request and then craft a smaller exploit to hunt for it in regular memory, see 'egghunters'.