No Leak, No Problem – Bypassing Aslr with a Rop Chain to Gain Rce

Postedabout 2 months agoActiveabout 2 months ago

todsacerdoti

113 points

11 comments

modzero.comTechstory

calmmixed

Debate

60/100

Exploit DevelopmentAslr BypassEmbedded Systems Security

Key topics

Exploit Development

Aslr Bypass

Embedded Systems Security

The post describes a ROP chain exploit to gain RCE on an embedded device, sparking discussion on the effectiveness of ASLR and other security measures in such systems.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

Peak period

5-6h

Avg / period

1.1

Comment distribution8 data points

Loading chart...

Based on 8 loaded comments

Key moments

01Story posted
Nov 14, 2025 at 6:39 PM EST
about 2 months ago
Step 01
02First comment
Nov 14, 2025 at 9:55 PM EST
3h after posting
Step 02
03Peak activity
2 comments in 5-6h
Hottest window of the conversation
Step 03
04Latest activity
Nov 15, 2025 at 11:24 AM EST
about 2 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (11 comments)

Showing 8 comments of 11

nneonneo

about 2 months ago

2 replies

If I read this correctly, they’re “bypassing ASLR” because the binary isn’t PIE, so it’s loaded at a static address.

I would not consider this actually bypassing ASLR, because ASLR is already turned off for a critically important block of code. Practically any large-enough binary has gadgets that can be useful for ROP exploitation, even if chaining them together is somewhat painful. For ASLR to be a reasonably effective mitigation, every memory region needs to be randomized.

OneLessThing

about 2 months ago

1 reply

Yeah :/ that’s how I read it too. It would make more sense if they motivated the reason to find libc because like you said you could likely just use the non aslr gadgets exclusively. I think the author tried to use non aslr gadgets but had issues so went to the approach of using the GOT libc address and called that approach “bypassing ASLR”.

It’s a matter of opinion I guess. In the early days of ASLR it was common to look for modules that were not position independent for your ROP chain and that process was probably called bypassing aslr. These days we’d probably just call that not being protected by aslr.

aziz_k

about 2 months ago

you can't just use gadgets from the binary and pop a shell, if it was possible the author would have done it, they needed to ret2libc.

LegionMammal978

about 2 months ago

This is a bit interesting in how it doesn't require further interactivity with the attacker once the libc address has been obtained, unlike most basic ROP examples, which I've rarely seen require anything fancier than return-to-main. The more the chain does in a single pass, the more it might need gadgets smarter than "set register to immediate and return".

alchemio

about 2 months ago

The most shocking part is the absence of stack canaries. I know there are issues with them on microcontrollers, but still I would assume they’re enabled by default by the compiler.

OneLessThing

about 2 months ago

Good job. It’s early 2000s level stuff but it’s still exciting when it’s happening on your desk. There are lots of options in this scenario outside of bypassing ASLR so I do find it odd to be the main feature of the title, but a fun read nonetheless.

It’s fun working on targets with a less established research history. And I love a soup to nuts writeup, Thanks.

BiraIgnacio

about 2 months ago

"No Leak, No Problem - Bypassing Address Space Layout Randomization with a Return-Oriented Programming Chain to Gain Remote Code Execution"

Expanding it, perhaps to the benefit of others like me.

kingforaday

about 2 months ago

You typically don't see ASLR enabled on these armhf embedded devices. I see the statement by the author, " quickly confirmed on the device that address space layout randomization (ASLR) was enabled...", but how was it quickly checked? What was the output of /proc/sys/kernel/randomize_va_space?

Also not familiar at all with the checksec program, but from my look at the documentation, you expect to see PIE enabled not DSO (which implies dynamic shared object).

3 more comments available on Hacker News

View full discussion on Hacker News

ID: 45933497Type: storyLast synced: 11/20/2025, 8:00:11 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN