linux - Exploiting a string-based overflow on x86-64 with NX (DEP) and ASLR enabled -

consider following vulnerable code/program:

#include <string.h>  int main(int argc, char *argv[]) {     char buf[16];     strcpy(buf, argv[1]);      return 0; } 

on ia-32 (x86, 32-bit) running linux nx , aslr enabled, exploit using got-overwrite technique, includes following steps:

1. overflow buffer till rip
2. overwrite rip address of strcpy@plt
3. use clean gadget .text, e.g. pop edi ; pop ebp ; ret, return address strcpy
4. write arguments strcpy: &bss-address destination , 1 byte of /bin/sh using .text
5. repeat steps 2-4 until /bin/sh written &bss
6. overwrite got-entry of strcpy system (using offset, requires knowledge used version of libc - let's ignore here)
7. write strcpy@plt on stack, followed 4-byte chunk , address of &bss points /bin/sh
8. profit

i want exploit on x86-64 same mitigation measures enabled. more difficult imagined. following reasons:

1. x86-64 register-based calling convention: function arguments passed using registers, not stack. therefore additional rop-gadgets required transfer arguments stack appropriate register. minor problem, affected following problem:

2. 64-bit return address: rip in x86-64 points .text not 32-bit long. therefore null-bytes must written on stack chain function calls. 1 can write null-bytes desired using chained calls strcpy , taking advantage of null-terminating character strcpy always writes. 1 may call strcpy once overwriting least significant bytes of rip.

   |0x00000000|        (most significant bytes) |0x00deadbe| <- rip (least significant bytes) |0x41414141| |0x41414141| <- sfp |   ...    |  

these major problems got exploiting program on x86-64 nx , aslr enabled. there techniques solve these problems? or x86-64 prevent working, shell-opening exploit?

x86-64 not prevent these type of exploits. see tutorial.