No Leak, No Problem – Bypassing ASLR with a ROP Chain to Gain RCE
8 days ago
- #ROP Chain
- #IoT Security
- #ARM Exploitation
- The article details the process of exploiting a modern IoT target, specifically an INSTAR IP camera, from firmware extraction to achieving unauthenticated RCE.
- Initial steps involved gaining access to the device via a UART interface, leading to a root shell and firmware extraction for analysis.
- The attack surface was mapped, identifying two main targets: fcgi_server and ipc_server, both reachable without authentication.
- A stack-based buffer overflow was discovered in the base64 decode function within fcgi_server, leading to a crash and potential RCE.
- Exploitation involved building an ARM ROP chain that bypasses ASLR without an address leak, using gadgets from the binary itself to compute the address of system() and jump to it.
- The exploit was refined to avoid brute-forcing libc addresses, ensuring reliability and minimizing noise in a red team scenario.
- All vulnerabilities were responsibly disclosed, with INSTAR promptly releasing fixes. The exploit is now publicly available.