On this page, you’ll find my past public research and publications.
Pwn competitions
I participated in the following competitions:
Online publications
You will find below direct links to my research and associated publications:
- Hunting for overlooked cookies in Windows 11 KTM and baking exploits for them + Video + Exploits (OffensiveCon, with Jael Koh, May 2025)
I am so proud of Jael, who attended my training 🔥, found 2 CVEs 🪲🐛 and developed a working exploit for them on Windows 11. This presentation is the journey of this awesome research.
- Exploiting the Lexmark Postscript Stack (HITB by colleague Aaron Adams, August 2023)
- Your not so “Home Office” - SOHO Hacking at Pwn2Own (HITB by colleagues Alex Plaskett & McCaulay Hudson, April 2023)
- Exploit Engineering – Attacking the Linux Kernel + Tools + Video (OffensiveCon, May 2023)
- Toner deaf - Printing your next persistence + Video (Hexacon, October 2022)
- SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250) (blog, September 2022)
- Pwn2Own 2021 - Remotely Exploiting 3 Embedded Devices (NCCCon, July 2022)
- Pwn2Own 2021 - How to Win $$$ at a Hacking Contest? (NCCCon, July 2022)
- Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121) (blog, March 2022)
- Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2) (blog, February 2022)
- BrokenPrint: A Netgear stack overflow (blog, February 2022)
- Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0 (blog, July 2021)
- CVE-2018-8611 Exploiting Windows KTM 5-part blog post series (blogs, April 2020)
  - Part 1: Introduction
  - Part 2: Patch analysis and basic triggering
  - Part 3: Triggering the race condition and debugging tricks
  - Part 4: From race win to kernel read and write primitive
  - Part 5: Vulnerability detection and a better read/write primitive
- How CVE-2018-8611 Can be Exploited to Achieve Privilege Escalation on Windows 10 1809 (RS5) and Earlier + Video (OffensiveCon, February 2020)
- BKScan, a BlueKeep (CVE-2019-0708) scanner supporting NLA: Tools (July 2019)
- Cisco ASA 8-part series of blog posts + Tools (blogs, October 2017)
  - Part 1: Intro to the Cisco ASA
  - Part 2: Static analysis & datamining of Cisco ASA firmware
  - Part 3: Debugging Cisco ASA firmware
  - Part 4: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA
  - Part 5: libptmalloc gdb plugin
  - Part 6: Cisco ASA mempools
  - Part 7: Checkheaps
  - Part 8: Exploiting the CVE-2016-1287 heap overflow over IKEv1
- Cisco ASA - Internals and mitigations + Video (44Con, September 2017)
- A journey in analysing heaps on Cisco ASA + Video (BSidesMCR, August 2017)
- Exploiting the IKEv1 heap overflow on Cisco ASA firewalls (Warcon, June 2017)
- Flash Neutrino Exploit Kit technical note + Tools (paper, July 2016)
- Exploiting CVE-2015-2426 on a Recent Windows 8.1 64-bit (paper, September 2015)
- Exploiting a vulnerability in HTC One bootloader + Tools (blog, July 2014)
- Debugging HTC phones bootloaders a.k.a. hbootdbg + Tools (Hack.lu, October 2013)
- Forensics on Android phones and security measures + Tools (blog, June 2012)
- HTC unlock internals (blog, April 2012)
- Passcode bypass of the HTC Desire Z (blog, May 2011)
- iPhone security model & vulnerabilities (HITB Malaysia, October 2010)
- PoC(k)ET, les détails d’un rootkit pour WM6 (PoC(k)ET, the details of a rootkit for WM6) + slides (French) (SSTIC, June 2010)
- When E.T. comes into Windows Mobile 6 (a.k.a. PoC(k)ET) (Hack.lu, October 2009)
Paper publications
I have also published in the French magazine MISC:
- Analyse d’un fichier Flash délivré par l’Exploit Kit Neutrino (Analysis of a Flash file delivered by the Neutrino Exploit Kit) (MISC 88, 2016)
- Exploitation du navigateur Chrome Android (Exploiting the Android Chrome browser) (MISC 78, 2015)
- Quelques techniques de forensics sur les téléphones Android (Some forensics techniques on Android phones) (MISC 63, 2012)
- L’iphone OS et le jailbreak “Spirit” (iPhone OS and the “Spirit” jailbreak) (MISC 51, 2010)