This is all about a heap-based overflow that was originally deemed "unexploitable" because the target used mitigations such as DEP and ASLR. But after weeks of perseverance I was able to reliably gain arbitrary code execution. I will go over all of the pains, struggles, and dead ends that were encountered, and how the techniques used in this exploit can transfer over to other UPnP libraries and applications too.
Elvis is a Senior Researcher on Exodus Intelligence's 0day team. Prior to Exodus, he worked at TippingPoint DVLabs, where he researched submissions to the world's largest and most diverse bug bounty program and developed filters for them. After DVLabs, Elvis worked as a consultant for Praetorian, performing penetration tests for large manufacturers of embedded devices. While at Exodus, Elvis has developed a good number of 0day exploits against market-leading routers, firewalls, and smart devices.