Security BSides Las Vegas 2025

Mat Saulnier

With a passion for Offensive Security, he automates OffSec Tools to improve the security posture of organizations around the world. Building on his strong technical background, he now focuses on Threat Research, Threat Hunting, Detection Engineering and Incident Response.

Mat (better known as Scoubi in this community) is a recognized security professional and Core Mentor for Defcon’s Blue Team Village who has over 2 decades of experience in security. He has shared his passion for IT Security and captivated audiences at Derbycon, SANS Summits and RSAC, amongst others.


Sessions

08-04
15:00
45min
Password ~Audit~ Cracking in AD: The Fun Part of Compliance
Mat Saulnier

This is the story of three organizations: EvilCats (a criminal group), YOLO Corp (a new company that doesn't have any security staff) and CoolSec (a company that goes above security compliance). We will see how the two corporations fare against EvilCats during various attack scenarios that all involve passwords.

PasswordsCon
Tuscany
08-05
14:30
25min
Unawakened Wakeup: A Novel PHP Object Injection Technique to Bypass __wakeup()
Mat Saulnier, Hiroki MATSUKUMA

Some PHP libraries mitigate PHP Object Injection by adding a __wakeup() that throws an exception in classes that could serve as Property-oriented Programming (POP) gadgets, eliminating them in one stroke. Traditional bypasses exploit interpreter bugs, yet patches quickly kill those attacks. This talk introduces a new bypass built on an Arbitrary Object Instantiation (AOI) primitive: we trigger dynamic class instantiation entirely outside the process of unserialize(), so the guarding __wakeup() never runs. The only prerequisite is a POP gadget that executes new $className(...). Because the technique relies solely on core language behavior, future patches are unlikely to break it. A live demo revives the retired Guzzle/RCE1 chain of PHPGGC and gains remote code execution on a default Neos Flow installation.

Takeaways — Pentesters: learn how to resurrect “dead” chains and locate AOI primitives; Developers: adopt practical defenses such as migrating to JSON or adding HMAC-protected serialization.

Proving Ground
Firenze