The saved return address is different each run because of PIE. However, the offset between the saved return address and the base of the binary is constant (saved return address - base = 0x73f). If we leak the saved RIP we can compute the base, then compute the address of system@plt (or any other PLT entry) relative to that base.