Sunrise from Crib Goch

Welcome to my space on the web! I’m a coder and an information security consultant and researcher. I love a good challenge that gets the cogs turning, particularly if it involves reverse engineering tech, and even more so when somebody says “it can’t be done” or “it’s really secure”!

I founded a company in the UK called Cognitous to help businesses use and implement technology securely by providing security expertise through training, penetration testing (simulated hacking attacks), and team augmentation.

Check out my blog to see what I’ve been up to. Let me know if you find it useful and feel free to ask questions, leave a comment, or get in touch.

Latest blog posts:

  • HP Device Manager – CVE-2020-6925, CVE-2020-6926, CVE-2020-6927 5/10/2020 - Ever come across a system that did so many little things wrong that you were certain you could “get r00t”? You chip away, gradually uncovering the links in the chain,...
  • X-Cart 5 <= 5.4.0.12/5.4.1.7 Unauthenticated RCE via File Write 21/8/2020 - This one was a fun little hack. Versions 5.4.1.7 and below, and 5.4.0.12 and below of the X-Cart PHP ecommerce platform are affected by an unauthenticated vulnerability that allows an...
  • Patching Android Split APKs 29/3/2020 - I recently came up against my first split APK during an Android app security assessment. My usual toolkit doesn’t support split APKs, so I hacked together a solution to allow...
  • Reversing JNBridge to Build an n-day Exploit for CVE-2019-7839 12/10/2019 - I was chatting to @Random_Robbie at the inaugural BSides Liverpool (@BSidesLivrpool), when he mentioned a new Adobe ColdFusion RCE and then said… “There’s no public exploit.” I’ve dabbled a bit...
  • Drupal Coder Module – Unauth RCE – SA-CONTRIB-2016-039 19/7/2018 - Note: This is an old write-up from 2016 but I was prompted to resurrect it after my tweet about it was recently retweeted. I do think it’s a good example...
  • Another ColdFusion RCE – CVE-2018-4939 18/6/2018 - In October 2017 I published an overview and video proof-of-concept of a Java RMI/deserialization vulnerability affecting the Flex Integration service of Adobe ColdFusion. I held off on publishing all of...
  • POPping WordPress 28/2/2018 - Fun with PHP deserialization and some accidental WordPress bugs. A few months ago I was putting together a blog post on PHP deserialization vulnerabilities. I decided to look for a...
  • Popping Password-“Protected” JMX 26/1/2018 - The name gives it away, Java Management Extensions (JMX) is a potentially juicy target for attack. One of the ways that a JMX service may be exposed is using Java...
  • Improving the BMC RSCD RCE Exploit 8/1/2018 - Last week I wrote about how I semi-blindly produced an RCE exploit for the BMC Server Automation RSCD service without access to a test environment. Since then I’ve got my...
  • RCE with BMC Server Automation 1/1/2018 - If you’ve ever come across BMC Server Automation during network scanning then you may have seen Nessus flag up a Critical vulnerability titled “BMC Server Automation RSCD Agent Weak ACL NSH...