Jonas L
Jul 14, 2020, 8 tweets, 1 min read
As Microsoft has no intention of ever paying me for all my submitted vulnerabilities, I am forced to do this.
Countdown starts today; then I will post them all publicly.
MS is just trying to get time to patch them, then never pay me.
I have over $100,000 in submissions.

I have not had a bounty paid for over 7 months. I am in debt, my life is ruined, because I trusted that the money was on the way.
I am getting sick from stress, but they just ignore me.

I have submitted a Hyper-V virtual file system escape.
BitLocker full HD encryption bypass
Lock screen / login bypass
Total NTFS access control and file lock bypass for read from a LowBox token sandbox
UEFI partition writeable from a LowBox token sandbox
So many escalations of privilege I cannot keep track
Hyper-V file cache poisoning
Hyper-V host memory corruption
I have nothing left to lose; my adventure of trying to live from bug bounties has broken me.

I had the skill, but I placed the trust in the wrong place.
Group Policy service - Escalation of Privilege
Shell Create Object Task Server - Privilege escalation
DmEnrollment Service - Escalation of Privilege
XXXXXXXXXX - NTFS symlink mitigation bypass
Teredo driver - Escalation of Privilege
Projected File System - Escalation of Privilege
Diagnostic Tracking Service - Escalation of Privilege
Storage Service - Escalation of Privilege
MSI Installer service - Escalation of Privilege
.NET Core - Escalation of Privilege

And all have been delivered with working proofs of concept.

More from @jonasLyk

Feb 28, 2023
Breaking assumptions tends to cause interesting effects...
Let's mess with processes; I'll likely post code later

POC: raw.githubusercontent.com/jonaslyk/temp/…
Alright, ever wondered what the assumptions are for the image file of a running process?

Pretty much nothing is safe to assume; it's impossible to link a running process to its "origin data".
The file locks are easily bypassed (as unprivileged) and involving a filesystem driver is not even a requirement.

In the posted PoC I use WebDAV to programmatically write the content of the emulated file used for spawning the "forked" copy.
Dec 3, 2022
@0gtweet @Hexacorn Let's not forget the hidden ones, those that begin with =; the cmd: set " will show them

We find the setting for the current directory on each drive among them
@0gtweet @Hexacorn Alright, first we see them, then we wreck them.
Notice the = is used as the split character, so what if we make a drive with that as its letter?
@0gtweet @Hexacorn Yah, logic error; we are now eternally trapped on the weird Frankenstein drive :D

You can get out; can you figure out how?
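The per-drive current-directory entries and the '=' split pitfall mentioned in this thread, as an added example that is not code from the thread: a small parser for a Windows-style environment block (the GetEnvironmentStrings layout, assumed here) that handles names beginning with '=', run over a constructed sample block.

```python
# Added example: parse a Windows-style environment block and surface the hidden
# "=X:" entries (per-drive current directories) that a plain `set` does not list.
# Layout follows GetEnvironmentStrings: NUL-terminated "NAME=VALUE" strings with
# one extra NUL at the end. The sample block below is constructed, not captured.
from typing import Dict, List, Tuple


def split_entry(entry: str) -> Tuple[str, str]:
    """Split one NAME=VALUE entry whose name may itself begin with '='.

    Per-drive entries ("=C:=C:\\path") are recognised by shape (':' at index 2,
    '=' at index 3), so even a drive "lettered" '=' ("==:==:\\path") splits right.
    """
    if entry.startswith("=") and len(entry) > 3 and entry[2] == ":" and entry[3] == "=":
        return entry[:3], entry[4:]
    sep = entry.find("=", 1)  # skip a leading '=' (e.g. "=ExitCode=...")
    if sep == -1:
        raise ValueError(f"malformed environment entry: {entry!r}")
    return entry[:sep], entry[sep + 1:]


def naive_split(entry: str) -> Tuple[str, str]:
    """The logic error the thread points at: split on the *first* '='."""
    name, _, value = entry.partition("=")
    return name, value


def parse_environment_block(block: str) -> List[Tuple[str, str]]:
    """Return every (name, value) pair of a double-NUL-terminated block."""
    return [split_entry(e) for e in block.split("\0") if e]


def hidden_drive_directories(block: str) -> Dict[str, str]:
    """Map drive letter -> current directory, taken from the '=X:' entries."""
    return {
        name[1]: value
        for name, value in parse_environment_block(block)
        if len(name) == 3 and name[0] == "=" and name[2] == ":"
    }


# Constructed sample block; "==:" models the drive-lettered-'=' case.
SAMPLE_BLOCK = (
    "=C:=C:\\Users\\demo\0"
    "=D:=D:\\work\0"
    "==:==:\\weird\0"
    "=ExitCode=00000000\0"
    "PATH=C:\\Windows\\system32\0"
    "\0"
)
```

Compare `naive_split` with `split_entry` on the first sample entry to see why a first-'=' split loses the name entirely.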
Jul 19, 2022
So let me introduce a new attack. I call it RipZip; I haven't weaponised it into a feasible attack, but it should be doable.

For now I'll just demo how to make a zip file that extracts to an unexpected path
Jan 2, 2022
github.com/jonaslyk/temp/…

My WebDAV-based reflective loader / per-process DeviceMap-based DLL injector PoC is by now usable.

I would really like to have an OOP wrapper for NT; designing such is surprisingly difficult, but this approach shows potential, especially considering simple
The namespace httpd is a simple local httpd using http.sys, exposed with this interface:
httpd d{ L"LOCALHOST", L"" , L"8990", [&](request_response r) { try {
switch (r.requestVerb) {
case HttpVerbOPTIONS:
r.sendResponse(200, "");
The webdav namespace implements WebDAV functionality using the httpd; interesting is the handler for GET and PROPFIND.

PROPFIND is a query, like file search; c:\ is served by default
GET will respond with any file wanted, though there is a special case for .dll in system32
Aug 30, 2021
For quite some time I've been suspecting that I've been bootkitted.

Suddenly I couldn't read my SMBIOS table; Windows detected a hypervisor even when disabled with bcdedit.

I could find traces of VPN connections getting established to MS IP addresses.
Sometimes there were invisible CPU devourers, and what appeared to be something invisible scanning my files.

My PCR4 didn't change even when entering repair mode...

Now I have finally identified the reason