Blog
All blog posts from modzero.
- RESEARCH
No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE
November 10, 2025
Following a previous post on ARM exploitation, this post walks through extracting and analyzing modern IoT firmware to discover a previously unknown vulnerability. We then construct an ARM ROP chain that bypasses ASLR without an address leak to achieve unauthenticated RCE.
- DISCLOSURE
When Backups Open Backdoors: Accessing Sensitive Cloud Data via "Synology Active Backup for Microsoft 365"
June 27, 2025
A credential leaked by Synology allowed anyone unauthorized access to sensitive data of all Microsoft cloud tenants using “Active Backup for Microsoft 365” (ABM).
- PLAYGROUND
ROPing our way to RCE
February 7, 2025
This post traces the development of a leak‑free ARM ROP chain that defeats ASLR on a modern IoT firmware. Read the reverse‑engineering, gadget‑hunting and exploit engineering that turned a firmware bug into unauthenticated RCE.
- PLAYGROUND
Exploiting SSTI in a Modern Spring Boot Application (3.3.4)
January 8, 2025
Learn how to exploit Server-Side Template Injection (SSTI) in a Spring Boot application using the Thymeleaf templating engine, with a special focus on bypassing defenses in newer versions.
- PLAYGROUND
Tutorial: How we learned to love the doc(umentation)
October 14, 2024
Just read documentation to get RCE?! Our colleague Theresa designed a tutorial guiding you through an OpenVPN exploit scenario — for you to try at home!
- DISCLOSURE
Beyond the @ Symbol: Exploiting the Flexibility of Email Addresses For Offensive Purposes
June 7, 2024
We exploited an unauthenticated command injection within the spam filter appliance MailCleaner that can be triggered through a malicious email address.