TL;DR: I’m the author of a Metasploit module with various different OS/architecture targets, I wrote a couple of advisories, several Burp extensions, multiple AFL related tools and I found a TLS session resumption race condition in the Twitter iOS app. I have also developed a cracking technique for private keys in Java JKS files and wrote the "15:12 Nail in the Java Key Store Coffin" POC||GTFO article about it. I’ve contributed to projects like mona.py, AFL, Browser Exploitation Framework (BeEF) and w3af.

I’m interested in all kind of security topics and I’m working as a penetration testing consultant. Before I started working I got two nice little pieces of papers from my university.

Let’s start with my past: A long time ago I was active on the remote-exploit.org forums (former backtrack and now kali linux). For example I played with Fake Wireless Access Points (you can download one of my very old scripts here), which I still use from time to time. I wrote some new, simpler, smaller and cleaner scripts for private use.

Later I developed a fuzzer plugin for the web application scanner w3af and contributed other plugins.

For a couple of months I was all into Advanced Google Search Operators, nowadays I mainly use the ip: operator of Bing’s Advanced Operators to detect shared hosting.

I wrote two plugins (taking pictures from a webcam and sending it to the attacker as well as a Gmail XSRF logout plugin) for the Browser Exploitation Framework (BeEF).

At one point I wanted to move on and explore other areas, I got a little fed up with web application security. I started playing with Atmega microcontrollers, my Raspberry Pi and I built a small 3x3x3 LED Cube with an Arduino. I never dived extremely deep into hardware, but from time to time I’m still soldering stuff.

I did some research and had a few public speeches about Android security, I broke some Android related things that were never made public. However, this was also where I got the “Android guy” branding on my forehead.

At the same time I was lucky to be able to attend the corelan exploit development training. One and a half years later I wrote my first feature for corelan’s awesome mona.py tool. The unicodealign command I wrote automatically generates code alignment code for Unicode buffer overflows. The feature is available in mona.py with “!mona unicodealign”.

The next step was to use my exploitation knowledge in the wild, I weaponised a Proof of Concept crash and turned it into a full exploit which circumvents DEP and ASLR, works on x86 and ARM and targets Windows, Linux and FreeBSD. The entire process took a lot of code porting (python to ruby), implementing as a Metasploit module, separating protocol and exploit and so on. In the end it landed in the official Metasploit repository.

I’ve been fuzzing a lot, mostly with AFL and helping to improve the tool where I can. I also bought some odroid u3s which are under heavy load to fuzz C/C++ code. For example I reported a couple of issues to the libtiff maintainers.

Breaking the products of all three major Mobile Device Management (MDM) vendors is part of my job for many years already. Although most of the found issues are under NDA, a XSS and a little authentication trick aren’t anymore.

I always came back to my web application security roots from time to time, this time to release two Burp Suite extensions, an HTTP fuzzer and a response cluster extension. Moreover, I gave a workshop at the area41.io conference about the massive UploadScanner Burp extension I wrote during an entire year (it is also available through the official Burp BApp store).

I have also developed a cracking technique for private keys in Java JKS files and wrote the "15:12 Nail in the Java Key Store Coffin" POC||GTFO article about it.

As I like trying new AFL-fuzzer related things, I started fuzzing Java programs with several AFL-based Java fuzzers and found several DoS issues in Apache Commons, Apache PDFBox, Apache Tika and rediscovered an issue in the Java standard library.

Languages are important. I know enough German, English, Java, Python, PHP, SQL, Search Engine Operators, HTML, French, Javascript, XML, Bash, Regex, C/C++, Assembler, Ruby, Vallader Romansh and clef (music) to get along. And probably some others. Let’s not start with tools. And of course there are metasploit modules I’d like to release and a hundred things I’d like to write about in public. But that’s not how our industry works.

I’ve been speaking and giving workshops at various conferences and meetups, including area41, hashdays (the former area41), 0sec, BSides Zurich and other security meetups as well as private conferences.

My CVEs: CVE-2015-8870, CVE-2015-9232, CVE-2016-10511, CVE-2017-10356, CVE-2018-1338, CVE-2018-1339, CVE-2018-8017, CVE-2018-8036, CVE-2018-12418, CVE-2018-11771, CVE-2018-3214

You can send me an email to floyd at floyd dot ch. Or simply leave me a message here.

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.