No Leak, No Problem – Bypassing ASLR with a ROP Chain to Gain RCE

https://modzero.com/en/blog/no-leak-no-problem/

114•todsacerdoti•2mo ago

Comments

OneLessThing•2mo ago

Good job. It’s early 2000s level stuff but it’s still exciting when it’s happening on your desk. There are lots of options in this scenario outside of bypassing ASLR so I do find it odd to be the main feature of the title, but a fun read nonetheless.

It’s fun working on targets with a less established research history. And I love a soup to nuts writeup, Thanks.

nneonneo•2mo ago

If I read this correctly, they’re “bypassing ASLR” because the binary isn’t PIE, so it’s loaded at a static address.

I would not consider this actually bypassing ASLR, because ASLR is already turned off for a critically important block of code. Practically any large-enough binary has gadgets that can be useful for ROP exploitation, even if chaining them together is somewhat painful. For ASLR to be a reasonably effective mitigation, every memory region needs to be randomized.

OneLessThing•2mo ago

Yeah :/ that’s how I read it too. It would make more sense if they motivated the reason to find libc because like you said you could likely just use the non aslr gadgets exclusively. I think the author tried to use non aslr gadgets but had issues so went to the approach of using the GOT libc address and called that approach “bypassing ASLR”.

It’s a matter of opinion I guess. In the early days of ASLR it was common to look for modules that were not position independent for your ROP chain and that process was probably called bypassing aslr. These days we’d probably just call that not being protected by aslr.

aziz_k•2mo ago

you can't just use gadgets from the binary and pop a shell, if it was possible the author would have done it, they needed to ret2libc.

LegionMammal978•2mo ago

This is a bit interesting in how it doesn't require further interactivity with the attacker once the libc address has been obtained, unlike most basic ROP examples, which I've rarely seen require anything fancier than return-to-main. The more the chain does in a single pass, the more it might need gadgets smarter than "set register to immediate and return".

alchemio•2mo ago

The most shocking part is the absence of stack canaries. I know there are issues with them on microcontrollers, but still I would assume they’re enabled by default by the compiler.

BiraIgnacio•2mo ago

"No Leak, No Problem - Bypassing Address Space Layout Randomization with a Return-Oriented Programming Chain to Gain Remote Code Execution"

Expanding it, perhaps to the benefit of others like me.

kingforaday•2mo ago

You typically don't see ASLR enabled on these armhf embedded devices. I see the statement by the author, " quickly confirmed on the device that address space layout randomization (ASLR) was enabled...", but how was it quickly checked? What was the output of /proc/sys/kernel/randomize_va_space?

Also not familiar at all with the checksec program, but from my look at the documentation, you expect to see PIE enabled not DSO (which implies dynamic shared object).

alchemio•2mo ago

checksec is part of the pwntools suite. Along with other tools for finding ROP gadgets and shellcode generation.

manwe150•2mo ago

I’m somewhat curious why GOT and PLT are ever mapped readable these days, when it could have been only mapped readable and then glibc use one of the various API tricks that other JIT (ld.so is obviously a JIT too) often use to write to memory indirectly while maintaining security hardening, such as maintaining a dual mapping for writing at a random address offset from the readonly fixed address section. That way there is never a partial relo vs PIE vs performance vulnerability tradeoff

throwaway978FA•2mo ago

System architecture routing to /temp/ in order for bypassing ipc_server parameter, which ASLR memcpy string encoding stacks to the 516 byte buffer during overflow.

Ask HN: How much of your token use is fixing the bugs Claude Code causes?

Show HN: Agents – Sync MCP Configs Across Claude, Cursor, Codex Automatically

Hello

FSD helped save my father's life during a heart attack

Show HN: Writtte – Draft and publish articles without reformatting, anywhere

Portuguese icon (FROM A CAN) makes a simple meal (Canned Fish Files) [video]

Brookhaven Lab's RHIC Concludes 25-Year Run with Final Collisions

Transcribe your aunts post cards with Gemini 3 Pro

.72% Variance Lance

ReKindle – web-based operating system designed specifically for E-ink devices

Encrypt It

NextMatch – 5-minute video speed dating to reduce ghosting

Personalizing esketamine treatment in TRD and TRBD

SpaceKit.xyz – a browser‑native VM for decentralized compute

NotebookLM: The AI that only learns from you

Show HN: An open-source starter kit for developing with Postgres and ClickHouse

Game Boy Advance d-pad capacitor measurements

South Korean crypto firm accidentally sends $44B in bitcoins to users

Apache Poison Fountain

Web.whatsapp.com appears to be having issues syncing and sending messages

Google in Your Terminal

Shannon: Claude Code for Pen Testing: #1 on Github today

Anthropic: Latest Claude model finds more than 500 vulnerabilities

Brooklyn cemetery plans human composting option, stirring interest and debate

Why the 'Strivers' Are Right

Brain Dumps as a Literary Form

Agentic Coding and the Problem of Oracles

Malicious packages for dYdX cryptocurrency exchange empties user wallets

Show HN: I built a <400ms latency voice agent that runs on a 4gb vram GTX 1650"

Penisgate erupts at Olympics; scandal exposes risks of bulking your bulge