ASLR bypass without infoleak

I am trying to bypass aslr. I found a memory region where the address is not randomized and it is executable so a perfect place to put shellcode. But I am having trouble reading/inserting shellcode in that region. So at first I tried finding mov gadgets with dereferencing to move data to that region. But I couldn’t find any gadgets. Then I thought maybe I can do a syscall to read (the binary only reads data from a file, only two libc functions are used “fopen” and “fgets”). But I couldn’t find any syscall gadget. Now I am trying to take input by using fgets but my problem is the third parameter in fgets. How do I get the value of file stream/stdin? So I can call fgets and take input in the memory region I found.

About the Binary:
It reads data from a file and has a buffer overflow in the logic. It only uses two libc functions in the code which are “fopen” and “fgets”. It has ASLR but NX is disabled also there is partial RELRO.

Go to Source
Author: user40061