Research

Some of my research and tools.

Vulnerabilities, exploits, tools

2024

• lightyear – A tool to dump files in tedious (blind) conditions using PHP filters – blogpost – github.
• Iconv, set the charset to RCE – blogposts 1 2 3 – talks OffensiveCon, DEFCON, ...

2023

• wrapwrap – Generates a php://filter chain that adds a prefix and a suffix to the contents of a file – blogpost – github
• ownCloud authentication bypass, RCE – blogpost
• vBulletin RCE – blogpost
• XORtigate: Pre-authentication Remote Code Execution on Fortigate VPN (CVE-2023-27997) – blogpost – talk

2022

• Blind exploits to rule WatchGuard firewalls – blogpost
• PHPWN: Generic Remote Exploit Techniques for the PHP allocator, and 0days – talks TyphoonCon GreHack

2021

• PHP-FPM local root vulnerability (CVE-2021-21703) – blogpost
• Laravel <= v8.4.2 debug mode RCE – blogpost

2020

• Remote code execution on Sqreen: exploiting the microagent – blogpost
• Secret fragments: Remote code execution on Symfony based websites – blogpost
• Breaking PHP's mt_rand() with 2 values and no bruteforce – blogpost

2019 and prior

• CVE-2019-0211 Apache Local Root – blogpost
• PHP imagecolormatch() OOB Heap Write exploit – blogpost
• CVE-2019-7139 Magento SQL injection – blogpost
• Drupal 8 REST unauthenticated RCE – blogpost
• CVE-2018-13784 Prestashop Privilege Escalation – blogpost

Tools

• PHPGGC - PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically.
• ten - My (small) web exploit framework.
• wrapwrap - Generates a php://filter chain that adds a prefix and a suffix to the contents of a file.
• lightyear - A tool to dump files in tedious (blind) conditions using PHP filters.

Others

• My old exploits are available on Exploit-DB, here and here.