Hiroki MATSUKUMA
Hiroki MATSUKUMA (@hhc0null) is a middle manager at Cyber Defense Institute, Inc. in Japan, where he leads the reverse engineering section. His main areas of interest are vulnerability research and exploit development. 'House of Einherjar', a GLibc heap exploitation technique used in CTFs, is one of his works.
Session
Some PHP libraries mitigate PHP Object Injection by adding a __wakeup() that throws an exception in classes that could serve as Property-oriented Programming (POP) gadgets, eliminating them in one stroke. Traditional bypasses exploit interpreter bugs, yet patches quickly kill those attacks. This talk introduces a new bypass built on an Arbitrary Object Instantiation (AOI) primitive: we trigger dynamic class instantiation entirely outside the process of unserialize(), so the guarding __wakeup() never runs. The only prerequisite is a POP gadget that executes new $className(...). Because the technique relies solely on core language behavior, future patches are unlikely to break it. A live demo revives the retired Guzzle/RCE1 chain of PHPGGC and gains remote code execution on a default Neos Flow installation.
Takeaways — Pentesters: learn how to resurrect “dead” chains and locate AOI primitives; Developers: adopt practical defenses such as migrating to JSON or adding HMAC-protected serialization.
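The abstract contrasts two defences: the per-class __wakeup() guard that the talk bypasses, and the HMAC-protected serialization it recommends instead. The following PHP is an added illustration of both, not code from the talk, from PHPGGC or from Neos Flow; the class names, the key handling and the blob format (hex HMAC, a dot, base64 payload) are choices made here for the example. The point it shows is where the check happens: the HMAC is verified over the raw serialized bytes before unserialize() is called, so a tampered payload is rejected without any class being instantiated, and a __wakeup() guard never has to fire.

```php
<?php
// Added example (not from the talk): __wakeup() guard versus HMAC-protected
// serialization as defences against PHP Object Injection. Requires PHP >= 8.1.

// 1. The __wakeup() guard described in the abstract. It only helps once
//    unserialize() has already decided to revive this class.
final class ConfigLoader
{
    public function __construct(public readonly string $path) {}

    public function __wakeup(): void
    {
        throw new \RuntimeException(static::class . ' must not be unserialized');
    }
}

// 2. Authenticated serialization: the receiver verifies an HMAC over the
//    serialized bytes *before* unserialize() sees them, so a forged or
//    modified payload is dropped while it is still an opaque string.
final class SignedSerializer
{
    private const ALGO = 'sha256';

    public function __construct(private string $key) {}

    public function serialize(mixed $value): string
    {
        $payload = serialize($value);
        $mac = hash_hmac(self::ALGO, $payload, $this->key);
        return $mac . '.' . base64_encode($payload);
    }

    public function unserialize(string $blob): mixed
    {
        $parts = explode('.', $blob, 2);
        if (count($parts) !== 2) {
            throw new \InvalidArgumentException('malformed blob');
        }
        [$mac, $encoded] = $parts;
        $payload = base64_decode($encoded, true);
        if ($payload === false) {
            throw new \InvalidArgumentException('malformed payload');
        }
        $expected = hash_hmac(self::ALGO, $payload, $this->key);
        // Constant-time comparison; a plain === would leak timing information.
        if (!hash_equals($expected, $mac)) {
            throw new \RuntimeException('HMAC mismatch: payload rejected');
        }
        // Defence in depth: even a correctly signed payload may only revive
        // scalars and arrays, never objects, so no gadget class is constructed.
        return unserialize($payload, ['allowed_classes' => false]);
    }
}

// Constructed key for the demo only; a real deployment loads it from a secret store.
$serializer = new SignedSerializer(random_bytes(32));
$blob = $serializer->serialize(['user' => 'alice', 'roles' => ['editor']]);
var_dump($serializer->unserialize($blob));

// Flipping one character of the MAC is caught before unserialize() runs.
$tampered = ($blob[0] === 'a' ? 'b' : 'a') . substr($blob, 1);
try {
    $serializer->unserialize($tampered);
} catch (\RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two design choices are worth noting. The `allowed_classes => false` option is what turns the HMAC layer into a structural fix rather than a gadget-by-gadget one: it makes unserialize() unable to instantiate any class at all, which is the same property the abstract's other recommendation, migrating to JSON, gets for free. And the key must be unknown to whoever controls the serialized input; if the same process both signs and verifies user-supplied data with a key the user can learn, the HMAC adds nothing.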