No Leak, No Problem – Bypassing ASLR with a ROP Chain to Gain RCE
TL;DR
(AI generated) The article discusses bypassing ASLR with a ROP chain to achieve Remote Code Execution (RCE) on an IoT target, specifically an INSTAR IP camera. The author details the process of gaining access to the device's firmware, identifying vulnerabilities, and exploiting a stack-based buffer overflow in the fcgi_server binary. The exploit chains gadgets to manipulate registers, dereference addresses, and ultimately gain RCE by redirecting execution flow to the system function. The author also covers the challenges faced in building the ROP chain and the responsible disclosure of the vulnerabilities to the manufacturer.