There are new articles available, click to refresh the page.
βœ‡ Place where polar bears dwell

Static Analysis 101

By: SandboxEscaper β€”

(Click on images to enlarge)Β 

Github link to trigger code shown in write-up:Β 


Disclaimer: This blog-post has nothing to do with my employer. And to the more technically skilled reader this blogpost will be really lame. I'm new to this, and even at the company where I work, I don't know anyone who does security that I can ask for advice, I'm just trying to learn all this by myself from books and youtube videos.. just as I did before getting a real job.

Static code analysis 101

I wanted to write this blogpost after I had a bug patched that I found by static analysis, but this will take a long time and I was bored. As I can't copy paste source code into my blog without getting fired, it is hard to have a really indepth discussion. I would much prefer to share a bunch of source code snippets and show you how I would approach static analysis on them. Having the work with decompiler output sucks (still better then ASM!), and I gave up half-way writing this blogpost, so apologies if it seems kind of unstructured.Β 

Lets say we want to find bugs in windows (same would apply to other software).

We have to find an entrypoint. You can't just start reversing code ad random (you can, but don't).
For local privilege escalation, think of areas that cross privilege boundaries (user->kernel, rpc/com)
For remote bugs, think of areas that cross device boundaries (network protocols.. rdp, smb, etc)

For purpose of demonstration, lets pick COM. (I didn't just want to write about static analysis as there are books that have served this purpose way better, so I figured I might as well just show you how to get started reversing COM and applying static analysis on that. Apologies if this makes the write-up seem convoluted)

Using available tooling to enumerate the attack surface

(Scroll to the next chapter if already familiar with OleView)

With drivers, you would go hunting IOCTL codes and whatnot in a dissassembler. For RPC you would use tooling like RPCview or similar. For COM we have a great tool by James Forshaw:


After downloading make sure you set-up the path of dbghelp.dll (part of the windows sdk) in file->settings (make sure to run OleView as Admin btw):


Lets focus on system services, select 'Local Services' from the Registry drop-down menu:


Β I'm just randomly going to pick a COM interface to reverse, scroll to the bottom and expand 'Xbox Live Game Save'.

Β Right clickΒ  '(5B3E6773-3A99-4A3D-8096-7765DD11785C) ' and select 'Create Instance':


Select the 'IXblGameSaveProviderEnumerator' interface. Then at the bottom select operations->Marshal->View Properties

Press view:


Double click on any of the methods listed in the next tab.

Now we can see the interface methods (with symbolic names):


At this point you would decide if this interface is worth investigating or not.

There's no complex parameters being used in any of the methods. If I was bug hunting I would skip this one because I know Microsoft does a lot of fuzz testing and would prefer to prioritize other functions first. Especially now that race conditions are out of scope for COM, which would be the only bug class fuzz testing might not catch (I think).

Going back we can see where this server is implemented (hover over 'Xbox Live Game Save'):


Static code analysis

I will use Ghidra for this write-up, normally I would use IDA pro, which supports source code and windbg, but if you don't have source code, the decompiler in Ghidra is pretty nice. Load up XblGameSave.dll.

I would not recommend trying to make sense of a function by looking at raw asm. Nearly all the researchers finding complex bugs are using decompilers.Β 

If decompiler output is still too difficult, I would recommend starting with an open source project. If open source is still too difficult I would recommend spending some time learning coding so you can be better at reading it.

Search for the name of our first method 'GetItems' (which we found earlier in OleView), it's pretty easy to find this one with symbols.

Β Β  Β Β Β  Β Β Β  Β Β Β  Β Β Β  Β Β Β  Β Β Β  Β Β Β  Β Β Β  Β Β Β  Β 

At this point you could go ahead and write a PoC to trigger this code, then trace input in a debugger. But it's better to first read the code 'statically' (hence static code analysis) and see if there could be any potential bugs.

The GetItems function as seen in OleView:

Β HRESULT GetItems(/* Stack Offset: 8 */ [In] int p0, /* Stack Offset: 16 */ [In] /* range: 0,50 */ int p1, /* Stack Offset: 24 */ [Out] /* C:(FC_TOP_LEVEL_CONFORMANCE)(16)(FC_ZERO)(FC_ULONG)(Early, Range) */ struct Struct_0[] p2, /* Stack Offset: 32 */ [Out] int* p3);


We see that the first two parameters have [In] infront of them and the last two [Out]. This means the first two parameters provide a value and the last two return a value. You want to focus on the [In] parameters first, and trace them.

We see both param_1 and param_2 being used in the following snippet. This is basically a for loop. It does a check against param_1 and param_2, if it matches it returns otherwise it continues the loop.

Β  while( true ) {

Β  Β  if (((uint)((lVar1 - lVar2) / 0x38) <= param_1) || (param_2 <= uVar7)) {

Β  Β  Β  *param_4 = uVar7;

Β  Β  Β  __security_check_cookie(local_48 ^ (ulonglong)auStack296);

Β  Β  Β  return extraout_EAX;

Β  Β  }

Then inside the loop we see:

Β  Β  lVar6 = (ulonglong)param_1 * 0x38;

Β  Β  pXVar8 = param_3 + uVar7;

Β  Β  iVar4 = WindowsDuplicateString(*(undefined8 *)(lVar6 + *(longlong *)&this->_results),pXVar8);

Β  Β  if (iVar4 < 0) break;

_results is an array. The size of each element is 0x38:Β 

lVar6 = (ulonglong)param_1 * 0x38.

So it's going to multiple the size of an element with param_1.

Meaning it's doing array indexing using the first parameter. As you can see here:

lVar6 + *(longlong *)&this->_results

It's just moving a pointer to match the index of the array. This is the funny thing about decompiler output, in a way it does make sense, but you need some experience recognizing what this translates to in code written by hoomans.

When dealing with user controlled indexing, it's good to make sure the bound checks are done well (which is done in the if-statement mentioned earlier).

Also the data type being used is important. If they didn't use UINT but regular int, you could bypass checks overflowing into a negative number and even cause negative array indexing. You don't want this to happen. Microsoft has good coding practices though, but a lot of novices just use signed datatypes everywhere.Β 

Not having source code and proper symbolic names everywhere can be a pain, but when in doubt or unable to make sense of something, just run it through a debugger. Switch from static analysis to dynamic analysis. I would use static analysis to find code that looks suspicious and requires further investigation.

Once we ruled out integer related bugs, we can focus on the [Out] parameters.

This function will basically return an array containing elements copied from the _result array.Β 

At this point we need to figure out other functions that could manipulate this array.

Perhaps we can do something with this other interface?Β 
I will leave this up to the reader to investigate.

You will need to see if adding and deleting from the array we just accessed is done safely. Make sure the element is fully initialized before added to the array, otherwise you got a timing to read uninitialized memory when there is no proper locking.
Race conditions are pretty straight forward, there are a lot of com race conditions where you can force an object to be freed and then access it in another thread, these are common because they are extremely hard to find by fuzzing.

But since Microsoft is mitigating Rpc\COM race conditions, I completely ignore any bug that would require two threads or more. And I frigging wish someone at Microsoft could tell me what these mitigations look like, because I want to hunt for race conditions as they are one of the most interesting bug classes, but I don't want to do pointless work either.

This should be enough practical information to get started.


-Find an entrypoint. Such as COM methods as described above.Β 

-Load your targeted code in a disassembler. And start tracing input you can control.

Based on the type of input there are different things you need to look out for.

Here is a really short summary:

1. BuffersΒ 

Are buffer being copied into a static array? This can be a problem if you can supply a larger buffer then the size of the array.Β 

Is there any length calculating being done on the buffer? Make sure the buffer size will not overflow the return value of this length calculation. With modern day computers you can easily construct buffers that take up a couple of gigs.

There are many issue that can arise with buffers, but in general COM marshalling/unmarshalling will prevent a lot of them by design.

2. Integers

Are signed datatypes being used when they should be unsigned? As mentioned earlier, you don't want negative values bypassing checks or resulting in negative array indexing. Also if user supplied integers, in anyway can affect array indexing, this can potentially result in out of bound bugs if proper bound checking is not done.

Again, I recommend reading up on integer bugs, as there is a lot of subtle things that can happen with them, not just integer overflowing.

3. Objects

Some COM interfaces will have methods that take com interfaces as parameter. This means you can make your own implementation of a com interface and a remote server will call into them. You can also have methods that return interface pointers, turning that interface's methods into another part of your attack surface. Objects in general add so much more complexity, but you need to know what you're doing and it may require a lot of reversing.

4. Complex datatypes

COM marshalling works well on simple datatypes, but less so on complex ones. There is less validation on what the user supplies and it will assume the COM server does all the validating. This can lead to a lot of bug types, including type confusion.

5. Race conditions

One of the more difficult bugs to find, even if they are really common. This one does not rely on the type of user input as much. But you will need to look at internal objects and data that gets accessed and see if you can mess with them in another thread, i.e forcing a free on the object.

Either way, on the note of object life time bugs, they don't always come in the shape of race conditions. If you have a bunch of methods that do things with internal objects inside the server process, it's worth investigating.

6. Info leaks

Without doubt the most common bug, but not all info leaks are created equal and you may not get a CVE for them (if you care about that). Info leaks can happen by out of bound reads, but these are less common as they can be found by fuzzing, more common is returning uninitialized memory, as these will not trigger an access violation and make them near impossible to find by anything but static analysis.

7. Logic bugs

See previous write-ups for this. But be aware that logic bugs can come in many forms, not just filesystem related. You need to force yourself to think out of the box to abuse program logic.

-Static analysis is very time intensive. I really recommend when going after windows code to assume it has been heavily fuzzed. So search for complexity and those cases that can't be found by fuzzing.

βœ‡ Place where polar bears dwell


By: SandboxEscaper β€”

Β When the polar bear dresses like (wo)men.

And wanders the human world.

It is not curiousity.

For one day, when you are all a lost cause, ice will engulf humanities flaws, into a frozen landscape. And there will be no more pain or suffering.

βœ‡ Place where polar bears dwell


By: SandboxEscaper β€”

Β Once you go crazy. You end up at Microsoft.

Microsoft is where all the crazy people go, because there is no other place to go.

Put polar bear stickers all over the office. Ask colleagues if they want to buy 0days. Or walk the hallways trying to find where your desk is hiding. Those damned desks.

Maybe once or twice a year, you'll have clarity again. Find a few more bugs.Β 

Microsoft is the only thing thats stable in my life. I can rave like a lunatic. Ask Satya to fire me. I'm still here. Like that friend whose always there despite your insane attempts to push them away.

I dread the day this comes to an end. I'm not like the sane people, who would simply find a new job. Once that last remnant of stability is gone. There will only be madness.Β 

I wish I had been more protective of my mental health. I wish I had never dropped 0days. I wish others other didnt go down that self destructive path. Fame or infamy is bullshit. Who cares. A few good friends. Thats all someone needs.Β 

βœ‡ Place where polar bears dwell

Transgender, harassment and anonimity

By: SandboxEscaper β€”

Β I'm now at one month post bottom surgery. I've met a lot of awesome trans women here in Thailand. All of them have awesome and fullfilled lifes. Those obsessive haters are so wrong about everything.Β 

I'll go back home a mentally much stronger person. These haters can't be more wrong. They just scream jealousy. All the trans folks I've met are beautiful on the inside and outside. Perhaps that's what frightens those who literally spent years of their lifes harassing us.

It's funny how this stalker tries to get into my head (see my recent tweets for context: https://twitter.com/Essb33/status/1460149107083808772), saying I won't have a legacy. Dude, I'm here living my life to the fullest. I make the world a more secure place. I find massive security vulnerabilities affecting many millions of machine. That's my legacy. This stalker's legacy on the other hand is nothing but misery, sadism and hatred.

Being faced with online harassment by a stalker for close to 4 years, I do wish people on the internet could be held accountable.

Its kind of insane how this stalker always sends me these tailored e-mails when he detects I'm struggling with my mental health, with the clear purpose of pushing me over te edge into comitting suicide. Although, those e-mails never get to me.. this kind of obsessive predatory behavior, someone who is literally trying to harm someone, even indirectly is extremely worrying. When does this guy graduate from being a psychopath on the internet to being one in the real world? I worry for folks from my community. I once got an IP capture on this guy, when he used guerillamail, which actually discloses the sender's IP in the header. It showed that he was from eastern Canada (assuming no vpn), and his torrent history showed he likes barely legal porn (which says a lot about his pysche).. so if ever trans people go missing in eastern Canada.. high change of it being this guy. I'm not even kidding. 4 years of stalking me, reading everything I write and trying to push me over the edge.

Anonimity is a double edged blade. It really is. But these experiences have definitely changed my view. Actions on the internet, can have real world consequences. Perhaps, being at Microsoft, I will be in a position one day to make the internet a safer place.. not just in terms of security flaws.

Anyway. Just had to write this one last blog post. I won't be active online anymore. I've got everything I ever wanted already. Friends and an awesome career. If haters want to get to me, they'll have to come face me in the real world. But I'm a polar bear so I'm not scared.

βœ‡ Place where polar bears dwell


By: SandboxEscaper β€”

Β Sometimes I worry my anger is irrational. And im just fighting imagined demons in my head because I share a lot of symptoms with borderline personality disorder. But I can make a long list of shitty industry experiences that eventually resulted in me just dropping bugs. So no, I dont think im just crazy even if thats what people maybe think.

βœ‡ Place where polar bears dwell


By: SandboxEscaper β€”

Β Someone hire or mentor @klinix5

If you knew the things I knew you would understand. Don't turn this person into a burned out mess like me. Because unlike me, that would be a true waste of potential and talent.Β 

That's al I have left to say anymore. I don't do social media anymore or talk to people in general.

βœ‡ Place where polar bears dwell


By: SandboxEscaper β€”

Β You know who first started finding all those bugs in windows installer and windows error reporting? That was me, not Forshaw. Aside from that, I did plenty of original work with my earlier sandbox escapes. My edge browser sandbox escape being a good example. Yet I was always downplayed to being some lame person just cloning Forshaw. I know in the end, everything fell into place.. but those 5 years, of social isolation, going hiking for weeks alone, to escape the pain, all the bullshit with this industry. I was mentally so much more stable before I got into bug hunting. 5 years is a long time. I just feel burned out ever since I've joined Microsoft and I can't get rid of that feeling anymore. Nothing is worth sacrificing your mental health over.

βœ‡ Place where polar bears dwell

Logic bugs

By: SandboxEscaper β€”

Logic bugs are great. A lot of logic bug based exploits are version agnostic. And they don't bluescreen your computer when they fail.

After that task scheduler exploit drop, so many people wanted to buy similar exploits, while on social media and that side of infosec regarded my work as a Forshaw rip-off or inferior to kernel exploits. System to kernel isn't even a boundary so I don't see why that should matter.

It was surreal. People ready to throw down huge sums of money and meanwhile failing job interview after job interview. I'm glad I ended up where I am now, because in retrospect, my current managers are probably the only people in this world I could have tolerated as bosses.Β 

I don't know. Having found plenty of memory corruption bugs now. This industry is so full of sh*t. I never sold a bug because I just really just wanted a job, get out of my country and have colleagues to work with.. and maybe back then, I also just wanted to do the 'right' thing. But as you grow older, you learn there is no 'right' thing. Perhaps the only 'right' thing is the one best for your mental health and quality of life.Β 

In the end, everyone is just living for their own interests. Selfless people rarely survive in this world. They get devoured by it. Maybe the manager who hired me being the exception. My loyalty is only to those who took a risk with me, not the corporate world. I couldn't care less about that. Once that loyalty ends, I'm not making the same mistakes again.

βœ‡ Place where polar bears dwell


By: SandboxEscaper β€”
Emotions suck.
Emotions are just in your head.
I guess the distress we feel when faced with isolation comes from our tribal history. Being an outcast or getting seperated from the tribe would have meant certain death.
It's funny how much pain can be caused by an evolutionary gimmick.

It's better to become a polar bear. Find strength and determination in being alone. At the end of the day, life is but a temporary thing. Everything is temporary. One day, the day that comes for us all will come for me too. There are so many paths I can take until then. But I know I won't leave anything behind that I will care about when that day comes. I don't know yet what I care about.Β 
βœ‡ Place where polar bears dwell

The polar bear method

By: SandboxEscaper β€”

Mandatory book:Β Secure Coding in C and C++Β  Β  Β Β 


I have been a bug hunter since 2015. You can see my CVEs here:Β http://sandboxescaper.blogspot.com/p/disclosures_8.html

A large majority of those bugs have been logic bugs. I started my career as an high school drop-out with nearly no coding experience. Back in 2015 I was heavily inspired by the work James Forshaw did. He exposed a previously mostly untouched gold mine of logic bugs. I quickly figured out how to find these logic bugs despite my limited coding and reversing experience. I continued to do this until I joined Microsoft. However, in retrospect, despite having had success in finding bugs, my technical skills quickly plateaued and I wasn't learning anything new or improving my skills.

So now I will introduce to you, the correct way to lay a solid foundation to become a bug hunter.

The Polar Bear method

Disclosed bugs found using this method.Β 

This method is a huge departure from what I used to do before.

Now I just read source code and use windbg.

-CVE-2021-33772: Windows TCP/IP remote DoS

This is a remote DoS. Won't go into detail

-CVE-2021-34511: Windows installer LPE

This is an UaF in the system service (first exploitable mem corruption bug in msi in its history I believe discounting one from 2000s that didn't cross priv boundaries)

-CVE-2021-28479: Windows CSC Service Information Disclosure

This is a big stack memory info leak

To add more credibility to my method, watch for Januaries patch tuesday as the majority of my past year's work will get patched then. And those bugs are also by far more severe then anything I've ever found.

Finding your target

Variant hunting is an easy way to find bug. And often the safer option.

However, I would strongly recommend exploring new components.

You can find information about components on the msdn pages or books such as windows internals.

There's a lot of areas with no history of CVEs. This could be an indicator that nobody has really looked at them.Β 

A target is usually defined as something that either crosses privilege or device boundaries (or both!).

Finding an entry point in your target

A little background:

Going forward I will be using network protocols as an example. The majority of my work in the last year has been in network protocols (you will see in January's patch tuesday).

About a year ago, one of my bosses told me about these crazy tcpip bugs in the msrc tracker.

I got curious. Until that moment my world was limited to local bugs. Sending bytes and pwning a device remotely, WHAT THE HELL? I couldn't believe this type of bug existed. I was fascinated by it.

I spent atleast one or two months taking these PoCs apart, learning scapy to construct packets and reading much of the code in tcpip.sys.Β 

Doing this was vital, because it taught me about bug patterns that can occur in network facing attack surfaces.Β 

I have never talked to the person who found all these doomsday tcpip bugs, they work at Microsoft and I believe their twitter handle is: @piazzt .. their PoCs opened up a whole new world for me, so I can't in good conscience write this blogpost without giving credits there.

Getting started:

Unless you can read assembly or decompiler output just as easily as actual code, start with open source.

Seriously. Don't be cocky. Find an open source project, and build a debug build so you have pdb files.

Like, find some crappy open source ftp server or something,

Next you download windbg next (windows store). In the settings, point to pdb and source files.

What you want is the ability to step through source code. You have to be able to step through source code, otherwise you are not doing the polar bear method. No sane person steps through assembly instructions unless you are an elite hacker with 50 years of experience, and in that case this blog post is not aimed at you.

Generate legitimate traffic:

Ideally you want two seperate VMs. One ubuntu VM (or whatever) for running wireshark and one Windows VM with the target you want to exploit.

So you're running an ftp server on windows. While Wireshark is running, logon to the ftp server from your ubuntu VM.

The reason we do this, is that you may see keywords that you can use to search the source code and set an initial breakpoint in Windbg (on the windows VM).

Getting a breakpoint to hit:

Just set a bunch of breakpoints in windbg using functions that you suspect are used in that initial packet parsing.

One you get a hit. View the callstack. Keep going up the callstack until you find the mother of all functions. With that I mean, the function where all of the packet parsing starts.

This is your main goal! Get a breakpoint at the start of packet parsing!!!!


You can capture legitimate traffic. So you know atleast one valid way to structure a packet. Is the protocol public? Then there's probably and RFC out there which you can use. RFCs are awesome.

The first step is to recreate the packet that triggers your breakpoint in a tool like scapy.

In scapy you can just add raw bytes to a variable and send it to your target, it should be the same bytes you see in wireshark (scapy also supports protocols, but for more obscure protocols I just write my entire packets in bytes). Scapy is not hard to learn. And you can find many examples. I've decided against a complete step-by-step guide this time, because learning to figure out things yourself is important too and will make this write-up even more convoluted. Aside from that, I'm always willing to answer questions if I know the answer.

Take note of the initial code path of your legitimate packet. When I refer to code path. I mean, your initial packet parsing function until it returns again.

Your entire packet is user controlled. Find out what you can 'taint' using this packet.

Are things from your packet being copied into buffers? How are size calculations done?Β  Is there any indexing you control? Any pointer math you can influence? These are the first things I will look at. At this point, I won't worry too much yet about object lifetime bugs, to find those you often need a more complete picture first.

Once you have exhausted your first codepath. Go down the next codepath.

Your initial packet parsing function is the root, the rest are the many branches.Β 
You go down a different branch by modifying your PoC in scapy so it takes another route during a switch case, if statement, whatever. Then you just walk down the code path in your debugger, again try to spot bugs. Try to make things go out of bounds, stuff like that.

After a while of going down code paths, exploring, you will learn where the most complexity happens. Once you know these areas. Spent a couple of days just trying to break them. Be creative. Sometimes you'll get that Eureka moment when in bed.


There will be days when you just don't want to stare at code in a debugger all day.

These will be your FUN days!

You come up with craaaaazy ideas. Like, how can I come up with a worst case complexity scenario?

Can I make it consume resources without them being released? Or just blindly try out potential UaF cases.

Remember that UaF in the MSI installer?Β 

I found that bug during a day like this.Β 

There were 3 API calls, one that created something, one that used it, and one that deleted it.

In one thread I called the functions that created and deleted it.

In another thread I called the function that used it asynchronously.

There was no locking on the internal object being used and I had just found a UaF without much effort!

Many weeks later

Once you have explored most of the code paths. You can begin thinking about object lifetime bugs. One important thing you will need to check first is see if packets are process multithreaded or put in a queue. I hope by god nobody doesn't use a queue for packets that operate on the same internal objects (or use perfect locking).

Β You can either audit the slow methodical way. Or just use intuition.. like, don't see locking? Just quickly create a PoC.Β  At this point you can also start coming up to create more complex testcases. Hit codepaths that you're not supposed to be hitting in your current state. Try to free an object, but instead of making it return, make it continue processing until it either frees again or uses it. There's a lot of weird things that can happen. Sometimes you can directly control lifetime of internal object using options in your packet. Just be creative, have fun, shit doesn't have to be boring.

Closing word and fuzzing

People at Microsoft are elite fuzzers and they use very cool technology. They will always be better and faster at bug hunting then me.Β 

However, I do see merit in becoming good at spotting bug by reading code and using a debugger. You get a very intimate understanding of both bugs and components. Personally I also just enjoy this more then writing fuzzers. It's important to do things you enjoy. Doing things you don't enjoy is for adults and shit.

When assembly and debugger?

Once you have found enough bugs using source code and debugger, you can try hardcore mode. Just be careful because if you die in hardcore mode, it's game over.

Good luck.

βœ‡ Place where polar bears dwell

Using filepickers to escape sandboxes

By: SandboxEscaper β€”

edit: this would have worked with literally any sandbox inΒ  windows having filepicker functionalityΒ through a broker, not just adobe.Β 

Edit2: that special junction didnt need to be placed on a network share, but also worked locally.

Because I am feeling depressed as fuck, I decided to do another write-up about an un-patched bug (feeling sorry for myself and being sad gets boring after a while).

I really did not get anything for this bug, and I know I'm probably forfeiting an acknowledgement too right now. But I wasted alot of time on this bug, and nobody but me should be able to decide what to do with it. People who criticize this type of behavior I find frankly annoying. I used to be one of those self-righteous types, but I'm also pretty annoying, so perhaps there is a correlation.

Adobe Reader

After finding this lame bug (CVE-2018-4872 ):Β https://sandboxescaper.blogspot.com/2018/01/adobe-reader-escape-or-how-to-steal.html I started thinking about other ways I could escape the sandbox.

To be honest, the Adobe Reader sandbox is pretty tough. Microsoft's sandboxes are way easier, because you get access to a ton of COM, RPC stuff and things like that.

Things I could do on the filesystem were really limited, and I like my filesystem trickery.
Ofcourse, being out of inspiration, and because I'm dumb as hell and can't come up with anything creative myself I went looking at Forshaw's work.

I saw that he did some work using network shares.

Instead of feeding a local filepath into a broker function (broker functions run outside the sandbox) we can use a filepath on an anonymous network share. This basically gives us an adhoc filesystem where we can use junctions and all the fun stuff that we by default do not have access to in the reader sandbox. My thought process was that I could probably use some symlinks or junctions to trick a broker function and bypass a check somewhere.

I tried a bunch of things, and while I got alot of interesting results, I did not get my lucky break.

Again, because I'm stupid, I decided to steal a trick from vault7 (https://wikileaks.org/ciav7p1/cms/page_13763489.html).

If you create a folder with the name:Β f.{0AFACED1-E828-11D1-9187-B532F1E9575D}
and then put a .lnk file in it, it basically becomes a really funny junction that confuses the hell out of code.

The bug

I'm going to explain the full attack chain.

First we create a folder called f.{0AFACED1-E828-11D1-9187-B532F1E9575D} and we put it on an anonymous network share (this can totally be a network share on the internet that is attacker controlled, not just intranet). Inside the folder we put a .lnk file with the following target:

C:\Users\%username%\AppData\Roaming\Adobe\Acrobat\DC\a.htm (use %username% and not the actual username).

It will look like this on our remote network share:

Now from within the Adobe Reader sandbox we call the broker functionality to open a filepicker window and set the folder on our remote share as root (i.e \\\s\b\f.{0AFACED1-E828-11D1-9187-B532F1E9575D} )

This will redirect the filepicker window to a local .htm page on the victim's pc which we dropped in a sandbox write-able location , and for some reason it will render it. It will render it at medium and we even can get some activex objects working without prompts (which should not happen because we are rendering in the local machine zone, which should be locked down! But we are rendering html in a filepicker window.. so I guess I should not be surprised).

This will work with any filepicker window, since they are managed by windows code, here is a filepicker window opened in chrome using this trick:

Now we can run activex in a filepicker window, but how do we exploit it?
You can complete this attack chain in multiple ways.Β 
Since the code rendering the html page is basically a castrated version of IE11, we can just complete the chain with an IE bug and gain medium RCE.
But because memory corruption bugs make me sleepy I wanted a logic bug!

We can use the system monitor activex object to write an .hta file to startup!

Here is the full chain exploiting this bug in Adobe Reader (I made sure to hide the filepicker window, because I was still innocent back then and thought it could be useful for attackers when I made it.. but hey, this proves that even if your poc spawns windows and stuff, its not hard to hide them because code runs fast as hell, the only issue this might have had was latency.. but you could have tested for that prior to running the escape.. but still, its way to complicated.. there is better ways to escape sandboxes, even with logic bugs):

Here is the activex object code:

<OBJECT ID="target" WIDTH="1" HEIGHT="1"

target.DataSourceType =2;Β 
logfiles = target.LogFiles;
Counters = target.Counters;
Counters.Add('\\\\<IMG SRC=\'javascript:WshShell=new ActiveXObject(&quot;WScript.Shell&quot;);WshShell.Run(&quot;notepad.exe&quot);\'>\\LogicalDisk(*)\\*');
target.Relog("C:\\Users\\test\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ByeSandbox.hta",5,1);

So we have a logfile (ew.csv) on our remote network share.
You can generate a log file like this, I forgot how, but I'm sure you can figure it out... but it needs to be in a specific format to be able to be used by the system monitor activex object.

Eitherway, in the csv file we replace all references to our computer name with javascript.

In this line:

Counters.Add('\\\\<IMG SRC=\'javascript:WshShell=new ActiveXObject(&quot;WScript.Shell&quot;);WshShell.Run(&quot;notepad.exe&quot);\'>\\LogicalDisk(*)\\*');

Normally where you would have the computer name, we now also have javascript (this has to be the same as in the csv file).

When we do target.Relog we can write a file with working javascript to any folder outside the sandbox, including start-up. This will result in an .hta file with working javascript code inside (since we have partial control over the contents of the file write).Β 

Meaning its game over and I now have access to your p*rn collection. 😱


I have learned alot from this bug. This bug was not useful for attackers because of its complexity. I should have known when I started entertaining the idea of remote network shares, that it would add to much complexity and stopped right there. The take away: When bughunting, you need to know when to limit your scope.
On the other hand, don't let it stop you from doing crazy stuff.Β 
Everyone is just fuzzing or looking at memcpy functions, and while alot of that stuff is really impressive, I doubt it compares to the fun I had constructing this chain ;).

I do think filepickers are an interesting attack surface, because nearly all sandboxes have broker functionality to open them. If its not done through a broker you wouldn't be able to save files outside the sandbox. Its just not something people really think about when considering a sandbox attack surface.

While I did not get anything from this bug, and I doubt people even give a damn, I hope there is some poor soul out there that might get inspired to get into logic bugs.Β 
I'm not really good at this stuff, but perhaps someone else might actually be useful to this industry and do meaningful stuff.

When the days of memory corruption bugs are counted, logic bugs will rule.Β 

βœ‡ Place where polar bears dwell

How to backpack in cold and miserable places

By: SandboxEscaper β€”


I switched from maps to gps devices fairly quickly.Β 

When I started to hike, I once got stuck on a ridge in Scotland for 3 days because of dense fog and not being able to use maps to navigate as there was no visible trail or visibility to see landmarks.

Ever since then I relied mostly on GPS devices.

During my six week hike in the Arctic I relied on a system of having a solar charger, a battery pack, a satellite phone and gps device.

This was easy in the Arctic as in spring and summer it is almost always light and the sun never sets.

This allowed me to charge my devices while sleeping.

My plan was that if there was any point of failure, my solar charger or gps device, I would fall back on using the gps functionality on my phone and make my way to safety. However, it would have probably been wise to atleast carry some maps and a compass.Β 

I opted for this as that particular hike in the Arctic stretched 700km, and having detailed maps of that entire stretch would have meant a lot of extra weight and space.

In the Arctic I used the garmin explorer plus (Satellite device + gps). And a solar charger from Goal Zero (I have found these to be very good)

Anyway.. I am pretty sure a lot of more hardcore folks would scold my over reliance on technology.. but it works for me and as long as one point of failure doesn't knock out my ability to navigate it is worth the risk for me.


A good 4 season tent is a must. I have two 4 season tents from Hilleberg. The Akto and Nammatj 2. The Nammatj 2 came to good use hiking off-season (fall and winter) in Scotland. With wind speeds of sometimes over 100 km/h in exposed terrain.Β 

I would also carry a sewing kit with repair rope used for repairing sails (which is pretty strong!). Heavy duty stakes and extra guy line rope if there's a possibility of severe weather.

Having reliable shelter is very important when you're not hiking in Summer, or when hiking in extreme environments.Β 

Food and Stove

For long hikes, I love freeze dried food.Β 
To cover a 3 week stretch in the Artic, I carried these:


These are great weight and calorie wise.
In addition I would strongly recommend vitamin C supplements.. to avoid scurvy.

As stove I used this one:


It's a dual purpose stove that can both burn gas and liquid fuel.
Liquid fuel is important in cold weather, as gas does not burn properly below freezing.


Flowing water in cold and miserable places is usually perfectly fine to drink. Especially when it comes directly from snow melt. The only thing that makes you sick is either dead animals or animal poop.. this is usually only a problem at low altitudes or stagnant water such as lakes. I've rarely used a water filter on any of my hikes and I'm still alive. Water with soil particles in it is usually not dangerous and safe to drink even though it may not look completely clean.. as long as it's flowing water. Soil/dirt doesn't make you sick. Just animals.

Sleeping bag / mat

I have several sleeping bags. For winter I have one that can easily withstand -25c temperatures.
In summer I usually use a down quilt. As those pack smaller then normal sleeping bags.
In below freezing conditions, make sure to bring a 4-season sleeping mat. You need enough insulation from the ground.. it is very uncomfortable otherwise.
It's important to anticipate for the correct temperatures. Especially in cold weather.

River Crossings

From personal experience, this has always been my biggest issue. Be extra careful when crossing rivers. They can be extremely easy to underestimate. It all depends on the current and how deep you have to go. Sometimes I can go waist deep if the current isn't too bad. And sometimes I struggle if the water is just to my knees. One time in Scotland, I screwed up and was grabbed by the current.. my backpack kept me afloat.. but it was a terrifying experience. Especially being alone out there in the middle of nowhere. Slowly test the water, and if in any doubt, withdraw.Β 
Sometimes it's better to wait until morning to cross a river, as there will have been less snow melt.Β 

Avalanches and snowy terrain

Never cross a glacier alone, especially not without technical gear. In winter, when there is a lot of fresh snow, you also need to be wary of possible avalanches. Avoid camping in gullies or near steep slopes. I recommend doing a lot of reading to learn about avalanches if you're headed into avalanche prone terrain. Crossing snow fields, from personal experiences, is usually fine.. just keep in mind that even in snow fields, especially near slopes, crevasses can form (albeit usually not very deep). Go slow, take the safest route and observe the terrain for irregularities. A lot of this comes from experiences.. but sadly you do not have a lot of chances to screw up and learn from mistakes either.


I can tell you from experience it's nearly impossible to hike on top of a ridge with 100 km/h winds. Keep an eye out for the weather forecast. Make sure to check to forecast for the relevant altitude. Sea level winds and mountain winds can differ day and night. In case of doubt, make camp on a sheltered slope and wait it out or descent down the mountain.

Gear ListΒ 

This is a short list that I made, which gives some general guidelines while packing. Ofcourse it varies wildly on where you're going. I always use waterproof storage bags to compartmentalize my gear inside my backpack. It keeps everything sorted and dry.

Main equipment
Waterproof storage bags (sea to summit or whatever)
Backpack + rain cover (I prefer 100L backpack, so nothing is hanging outside if rainy)
Sleeping mat
Sleeping bag
Sat phone
Bear spray + bear sack for food storage
Basic first aid (usually I only bring blister packs. They can also be used to cover up wounds, anything more severe usually requires evac anyway)
Solar charger and/or battery pack
Repair kit and some cord
Walking poles
Glacier glasses / Snow goggles (depending on conditions)
Cooking and stuff
Stove + stove fuel + windshield for stove
Cooking pot
Sugary stuff to turn water into sports drink
Freeze dried food! (or whatever)
Water bottle and water bag for storing clean water when camping
Water filter (probably not needed, but never know)
Hiking boots
1 softshell pant
1 hardshell pant (for rain)
2 base layer shirts
1 mid layer fleece
1 insulation layer (i.e down jacket)
1 rain jacket
Something to keep head warm (balaclava in very cold and windy weather)
thin gloves (if gets chilly/windy)
big gloves (if very cold weather to pull over liner gloves)
Snow/Mud Gaithers
Other stuff
Camera to be famous on twitter
Tooth paste, tooth brush and a brick of soap used to wash clothes
Toilet Paper
βœ‡ Place where polar bears dwell

Arctic adventure photos!

By: SandboxEscaper β€”
These are mostly picture of the first part of my 700km trek in the arctic. There was a lot of snow! During the second part of my trek the heatwave that was tormenting the rest of Europe finally hit and most of the snow melted. For the first part I had to traverse nearly 400km without options to resupply, so I had to carry a loooot of food! Towards the end I was hiking on 1000 calories a day, which was really hard, walking in snow all day is exhausting and it was hard making distance in this type of terrain. I did not meet any other hikers during the first part. It was one of the wildest things I have done in my life. I miss it a lot right now.

  • There are no more articles