Exetools  

#1  08-30-2018, 15:25  DavidXanatos
Windows ALPC Zero-Day Exploit on github

Quote:
The zero-day vulnerability is in the Windows task scheduler in the ALPC interface. The abbreviation ALPC stands for Advanced Local Procedure Call. The Microsoft Windows Task Scheduler contains a vulnerability in ALPC call handling that allows a local user to gain SYSTEM privileges.
Sounds interesting

https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
The Following 3 Users Say Thank You to DavidXanatos For This Useful Post:
chants (08-30-2018), Indigo (07-19-2019), nimaarek (09-08-2018)
#2  08-30-2018, 23:40  Giotis
I find it quite amazing that the person behind this is looking for a job and can't find one. And consider that this one is not the first 0day she's posting.
The Following User Says Thank You to Giotis For This Useful Post:
Indigo (07-19-2019)
#3  05-31-2019, 07:52  zyNoT
Quote:
Originally Posted by Giotis
I find it quite amazing that the person behind this is looking for a job and can't find one. And consider that this one is not the first 0day she's posting.
Agreed....
The Following User Says Thank You to zyNoT For This Useful Post:
Indigo (07-19-2019)
#4  05-31-2019, 21:48  argie
She released 2 more zero-days after that for Win 10. Both extremely dangerous. AND found more but didn't disclose publicly.

I guess people helped her.
The Following User Says Thank You to argie For This Useful Post:
Indigo (07-19-2019)
#5  06-02-2019, 15:23  deepzero
Did she ever mention what process/workflow she uses to find those, or how she chooses the Windows components to analyze?
The Following User Says Thank You to deepzero For This Useful Post:
Indigo (07-19-2019)
#6  06-02-2019, 20:00  argie
Quote:
Originally Posted by deepzero
Did she ever mention what process/workflow she uses to find those, or how she chooses the Windows components to analyze?
Not that I am aware of.

(At that time) she just dumped the zero-days with some basic information:

- what bug it is
- how to exploit it
- PoC in 3 cases (2 are no longer on her GitHub)

But she never talked about methodology except, as said, some basic info about the exploit.

After she would dump the info she would then talk about depression and general IRL stuff. Then "general" Twitter chatter started with people saying she could report to MS or other bug bounty programs and wishing her well about her health and other RL stuff.
The Following User Says Thank You to argie For This Useful Post:
Indigo (07-19-2019)
#7  06-05-2019, 10:24  Fyyre
It's obvious why she cannot find employment.

1. Intelligent, but acts emo.

2. Has made hostile remarks at powerful Nation State actors. It is not hard to learn from a little history... i.e. OpenBSD

Granted this is no longer the start of the GWOT, as in 2003.... There is no need to bite any prospective hands that _could_ feed you. Your Moral Compass May Vary.

3. GitHub is open source, there are forks, mirrors... like many of you I too have a copy of this PoC. Once online, always online.

4. It is downright confusing as to why anyone would openly dump a working 0day instead of trying to monetize (legally, or illegally) or at the very least... follow the standard channels for "responsible disclosure".

5. Many of us have done research of our own that has led, or been an asset, to malicious works. Not due to the fact we directly contributed or were involved, but in the fact that in years past we were able to see parts of that research directly reflected in source code leaks, or what have you. It's a strange feeling, although one not often directly attributed.

I guess she went for the less subtle approach. Again, this is all speculation on my part.
__________________
-Fyyre

--
https://github.com/Fyyre
https://twitter.com/Fyyre
The Following 4 Users Say Thank You to Fyyre For This Useful Post:
argie (06-05-2019), goku (06-06-2019), Indigo (07-19-2019), MarcElBichon (06-05-2019)
#8  06-05-2019, 14:37  argie
Quote:
Originally Posted by Fyyre
It's obvious why she cannot find employment.

1. Intelligent, but acts emo.
Yep, that was my conclusion also. Very intelligent and VERY well versed in the inner workings of Windows, because these exploits are not simple, but also either emo or fighting some real depression...

Quote:
2. Has made hostile remarks at powerful Nation State actors. It is not hard to learn from a little history... i.e. OpenBSD

Granted this is no longer the start of the GWOT, as in 2003.... There is no need to bite any prospective hands that _could_ feed you. Your Moral Compass May Vary.
Yeah, she did also make a few posts to "spite" Microsoft and their products. Also threw quite a lot of insults toward MS and bounty programs.

But I think the worst thing was taunting MS and people in general by saying things like:
- "I might dump another one soon..."
- "Found another, F*** MS, here it is"
- "Dunno what to do... release or not release...

and such...

Quote:
3. GitHub is open source, there are forks, mirrors... like many of you I too have a copy of this PoC. Once online, always online.
ALPC is still up. The tasksche impersonation LPE and the win32k.sys race condition LPE are removed. I searched the net (by filenames) but didn't have much luck. I guess VT-I has it at least.

Quote:
4. It is downright confusing as to why anyone would openly dump a working 0day instead of trying to monetize (legally, or illegally) or at the very least... follow the standard channels for "responsible disclosure".
I am also at a loss here. After the first dump (ALPC), she ended up on several major "hacking" news sites and made quite the stir, because she released the exploit on a Thursday and "Patch Tuesday" was a long way away, so basically for a minimum of 5 days people were 100% vulnerable to this.

As to why she didn't report, she never said directly, always steered the conversation away from that...

And also she said MANY times she was low on money. These exploits she is doing are worth like 25k+, maybe up to 100k. Weird.

Quote:
Many of us have done research of our own that has led, or been an asset, to malicious works. Not due to the fact we directly contributed or were involved, but in the fact that in years past we were able to see parts of that research directly reflected in source code leaks, or what have you. It's a strange feeling, although one not often directly attributed.

I guess she went for the less subtle approach. Again, this is all speculation on my part.
Well, I agree. Lots of various source code flying around that is useful for malware or other malicious things, but many of the authors didn't intend it that way.

This was quite malicious. Leaving people vulnerable once, then doing it again...
Not that subtle.

I won't and am in no position to judge anyone. I can "understand" the 1st one, but after that MANY people came to her and tried to convince her to go to proper channels of disclosure. But then (after a while) came 2 more, and who knows what else she left private.
People still tried to help, but as said earlier she mostly steered the conversations into health and general RL stuff.

Weird cookie.

Last edited by argie; 06-05-2019 at 14:48.
The Following 3 Users Say Thank You to argie For This Useful Post:
Fyyre (06-08-2019), Giotis (06-09-2019), Indigo (07-19-2019)
#9  06-08-2019, 15:42  Fyyre
Quote:
Originally Posted by argie
Yep, that was my conclusion also. Very intelligent and VERY well versed in the inner workings of Windows, because these exploits are not simple, but also either emo or fighting some real depression...
From my personal experience, very intelligent people are seldom 'normal'. I think she is very bright... but yes, probably depressed, feels out of place, and this allows her to feel some kind of power, or temporary boost from that depression. It's hard to analyze someone. I just remember my own teenage years being hell =)

Quote:
Originally Posted by argie
ALPC is still up. The tasksche impersonation LPE and the win32k.sys race condition LPE are removed. I searched the net (by filenames) but didn't have much luck. I guess VT-I has it at least.
I think you want this one? If it is the wrong one, let me know, I will hunt it down.

sandboxescaperdemo-master.zip

Here is the one from original post, as the link was dead: PoC-LPE.rar

Quote:
Originally Posted by argie
And also she said MANY times she was low on money. These exploits she is doing are worth like 25k+, maybe up to 100k. Weird.
If she is depressed, or has bipolar-type mood swings -- the illogical act of just releasing kind of explains that. Again, I don't want to try and diagnose her from afar.

Quote:
Originally Posted by argie
Well, I agree. Lots of various source code flying around that is useful for malware or other malicious things, but many of the authors didn't intend it that way.
I'm 99% sure some of my initial PatchGuard and driver signing disablement work contributed to some of the earlier bootkits for x64 Windows. That was never my intention; I was just looking for something to do when I started on PatchGuard.

Quote:
Originally Posted by argie
This was quite malicious. Leaving people vulnerable once, then doing it again...
Not that subtle.

I won't and am in no position to judge anyone. I can "understand" the 1st one, but after that MANY people came to her and tried to convince her to go to proper channels of disclosure. But then (after a while) came 2 more, and who knows what else she left private.
People still tried to help, but as said earlier she mostly steered the conversations into health and general RL stuff.
I never really considered the full implications of her actions, but yea.. you are correct; once is something. Twice is something else.

-Fyyre
__________________
-Fyyre

--
https://github.com/Fyyre
https://twitter.com/Fyyre
The Following 2 Users Say Thank You to Fyyre For This Useful Post:
Indigo (07-19-2019), niculaita (06-09-2019)
#10  06-09-2019, 04:22  atom0s
She removed the files on Git but she didn't rebase the repo, so you can use the commit history to snapshot the original files and such to get all the things she removed. I'd assume she is not too familiar with Git and didn't realize it saves history for everything unless you entirely rebase the repo.

As for her mental health and her blog posts and such, I don't see how she is acting as anything out of the normal for someone in her position. She's hurt, upset and feels alone. Her closest 'friends' betrayed her and probably stole things from her (be it info, 0days, exploits, etc.) for personal gain. She has a hatred for the black market; I'd assume it's because of this.

Her more suicidal posts seem more like a cry for help and friendship. She doesn't seem to respond to anyone though that reaches out, while I don't blame her for wanting to keep her distance from new people. Hopefully she finds peace during her current travels and returns and gets help she needs.

She's extremely talented, so I do hope she can get the help she needs and finds the work she desires.
__________________
No longer active on this site/forum much. If you need to contact me, you can find me on my personal site here: https://atom0s.com/forums/
The Following 2 Users Say Thank You to atom0s For This Useful Post:
Giotis (06-09-2019), Indigo (07-19-2019)
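A constructed demonstration of the Git point made in the post above, added here as an example (it is not from any poster and does not touch the repository under discussion): deleting a file in a later commit leaves it fully recoverable from history, and an owner who wants something gone has to rewrite every ref and purge the old objects. The repo, path and file contents are placeholders built in a temp directory.

```shell
#!/bin/sh
# Constructed demo repo: a file is committed, then "removed" in a second commit.
# The path and contents are placeholders, not anything from the thread.
set -eu

demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.email demo@example.invalid
    git -C "$dir" config user.name demo
    printf 'constructed sensitive content\n' > "$dir/secret.txt"
    git -C "$dir" add secret.txt
    git -C "$dir" commit -q -m 'add file'
    git -C "$dir" rm -q secret.txt
    git -C "$dir" commit -q -m 'remove file'
    echo "$dir"
}

# Succeeds if any commit reachable from any ref still touches the path:
# this is the check to run before believing a "removed" file is gone.
path_in_history() {
    git -C "$1" log --all --oneline -- "$2" | grep -q .
}

# Reads the deleted file back from the parent of the commit that deleted it.
recover_deleted() {
    del=$(git -C "$1" log --all --diff-filter=D --format=%H -- "$2" | head -n 1)
    git -C "$1" show "${del}^:$2"
}

# Actually purging the path: rewrite every ref so the path never existed,
# drop filter-branch's backup refs and the reflog, then garbage-collect so
# the old blobs leave the object store. git filter-repo is the better tool
# where it is installed; filter-branch ships with git itself.
scrub_path() {
    FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$1" filter-branch -f \
        --index-filter "git rm --cached --ignore-unmatch -q '$2'" \
        -- --all >/dev/null 2>&1
    for ref in $(git -C "$1" for-each-ref --format='%(refname)' refs/original/); do
        git -C "$1" update-ref -d "$ref"
    done
    git -C "$1" reflog expire --expire=now --all
    git -C "$1" gc -q --prune=now
}

# Run as "sh this.sh demo" to walk through recover-then-scrub on the demo repo.
if [ "${1-}" = demo ]; then
    r=$(demo_repo)
    path_in_history "$r" secret.txt && echo "still in history: $(recover_deleted "$r" secret.txt)"
    scrub_path "$r" secret.txt
    path_in_history "$r" secret.txt || echo "purged"
fi
```

Rewriting history only helps if every fork and clone is also rewritten or discarded; anything already pulled, mirrored or archived (as the later posts in this thread show) stays available, so a leaked credential is rotated, never just scrubbed.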
#11  06-09-2019, 17:19  ARUBA
All her/his files here:
_https://github.com/SandboxEscaper/polarbearrepo/commits/master

Interesting stuff:
_https://twitter.com/maxbridgland/status/1137051836249255937
The Following User Says Thank You to ARUBA For This Useful Post:
Indigo (07-19-2019)
#12  06-10-2019, 02:24  niculaita
https://github.com/SandboxEscaper/polarbearrepo/commits/master not found
__________________
Decode and Conquer
The Following User Says Thank You to niculaita For This Useful Post:
Indigo (07-19-2019)
#13  06-10-2019, 07:13  RiRye
Quote:
Originally Posted by niculaita
https://github.com/SandboxEscaper/polarbearrepo/commits/master not found
https://web.archive.org/web/20190608...arrepo?files=1

Looks like the Wayback Machine was able to grab copies of all of it.
The Following User Says Thank You to RiRye For This Useful Post:
Indigo (07-19-2019)
#14  06-10-2019, 17:54  atom0s
That Twitter feed is really sad and disgusting to see. A bunch of kids doxing someone for the sake of saying they figured something out. For what? Literally nothing, and yet the amount of damage they are causing to someone who is already not in a stable mental position just doesn't seem to matter to any of them.

Her being transgender shouldn't matter to anyone. It has nothing to do with her work. Yet people are focusing on it like it's a circus. I opted not to mention it at all in my post above but wished for her to get the help she needs regarding it. Her posts on her blog and around the web hinted towards her status, but it had nothing to do with her releases so it didn't need to be mentioned.

I've dealt with a very close friend coming out to me as trans and dealing with the process of transitioning. It is extremely damaging to that person when things are done against them out of their control, such as these stupid witch hunts to determine someone's sex, name, etc. like it's a game. Suicide is extremely common in the trans community because of toxic people making someone else's life out to be a game.

She deleted her repo altogether now as well as made her blog private. She deleted a ton of posts and other stuff around the web because of the attention people are putting on things that don't matter and shouldn't be the topic of discussion at all.

I don't blame her at all for trying to disappear and distance herself from everyone because of how people are treating the entire situation as it is. Best of luck to her and again I really hope she gets the help she needs.
__________________
No longer active on this site/forum much. If you need to contact me, you can find me on my personal site here: https://atom0s.com/forums/
The Following 7 Users Say Thank You to atom0s For This Useful Post:
argie (06-12-2019), Fyyre (06-10-2019), Giotis (06-12-2019), Indigo (07-19-2019), p4r4d0x (06-11-2019), tonyweb (06-14-2019), WaSt3d_ByTes (06-13-2019)
#15  06-10-2019, 23:50  Fyyre
Quote:
Originally Posted by atom0s
That Twitter feed is really sad and disgusting to see. A bunch of kids doxing someone for the sake of saying they figured something out. For what? Literally nothing, and yet the amount of damage they are causing to someone who is already not in a stable mental position just doesn't seem to matter to any of them.

Her being transgender shouldn't matter to anyone. It has nothing to do with her work. Yet people are focusing on it like it's a circus. I opted not to mention it at all in my post above but wished for her to get the help she needs regarding it. Her posts on her blog and around the web hinted towards her status, but it had nothing to do with her releases so it didn't need to be mentioned.
This is a part of a larger problem of today's Internet. So many young people have this "cyber-war-fuck" mindset. Yes, her being trans is irrelevant. But when someone is gifted (and she very clearly is), the world will use anything and everything to try and tear you down.
__________________
-Fyyre

--
https://github.com/Fyyre
https://twitter.com/Fyyre
The Following 9 Users Say Thank You to Fyyre For This Useful Post:
argie (06-12-2019), ARUBA (06-11-2019), bolo2002 (06-11-2019), Giotis (06-12-2019), Indigo (07-19-2019), niculaita (06-10-2019), p4r4d0x (06-11-2019), tonyweb (06-14-2019), WaSt3d_ByTes (06-13-2019)