Tutorial Winlockpwn

**williamc** · 05-22-2008, 09:42 AM

This has worked on a Dell D630 and an Inspiron 8600, both XP SP2. No luck on another D630 or any Vista machines yet. I'm trying to figure out the modified msv1_0.dll technique mentioned by the author, but no luck there either.

William

**imported_spudgunman** · 05-22-2008, 09:44 AM

no, one was a D630 the other was a shuttle. and newly tested on a old Dell (don't know what model its just old) - what dell did you get this to work on? and what was the driver of the FW?

They were each fully patched Sp2 boxes that are also members of a domain. however the latest test was on a SP2 fully patched with no domain.

would the hardware be the lock up? wouldn't it be the drivers on the OS-To-be-pwn?

at work today Im going to test it all over the place to see if I can find something that will allow the hack to continue.

**imported_spudgunman** · 05-22-2008, 11:08 AM

UPDATE: May22

I got it to work, who knows if I was sleepy or a reboot fixed it. But when I powered up. Started from "step 5" and followed steps exactly.

Dell630 fully patched on the domain and it worked! I had full access as advertised.

something I noticed was that this morning businfo has 1 on the node 0 and not 0 for all the data it spits out on what will and wont work.

now how do I dump the contents of the memory to get access to a WDE key?

**seb-taz** · 06-17-2008, 01:27 AM

Originally Posted by williamc

This has worked on a Dell D630 and an Inspiron 8600, both XP SP2. No luck on another D630 or any Vista machines yet. I'm trying to figure out the modified msv1_0.dll technique mentioned by the author, but no luck there either.

William

3w.sec-consult.com/fileadmin/Whitepapers/Vista_Physical_Attacks.pdf

**williamc** · 07-30-2008, 02:13 PM

Thanks for the above link.

Link above is no longer valid, so you can find it here:
http://packetstormsecurity.org/paper...al_Attacks.pdf
This link I came across is very detailed:
https://www.moonloop.org/bin/view/Mo...Red6cUaILIXVGw

I've gone through the whitepapers and have updated winlockpwn with SP3 and Vista Firewire exploits. I'm in the process of testing it, but I left my firewire cables at home, so it wont be until tomorrow.

In the meantime, please reference both links and see if I implemented it correctly:

Code:

 {"name":"WinXP SP3 msv1_0.dll technique",
                "notes":"Patches the call which decides if an account requires password authentication. Page Offset signature changed from SP2.",
                "phase":[{
                "sig":"8BFF558BEC83EC50A1",
                "pageoffset":[0x81B],
                "patch":"B001",
                "patchoffset":0xa5}]
                },
                {"name":"Windows Vista msv1_0.dll technique",
                "notes":"Patches the call which decides if an account requires password authentication. Signature and offsets changed with Vista.",
                "phase":[{
                "sig":"8BFF558BEC81EC88000000A1A4",
                "pageoffset":[0x76A],
                "patch":"B001",
                "patchoffset":0xBD}]
                },

You'll notice that in the second whitepage linked in my post, they claim the Vista exploit wouldnt work, but the first link gives a different memory address which claimed to be successful! If you can take the first linked page and locate the signature and offset, that would be helpful!

William

**williamc** · 07-31-2008, 12:52 PM

Ok, looking into this further, I've come to the conclusion that Vista is preventing DMA via the firewire. If you open your Device Manager while plugging in the firewire cable, you will see it installing the Ipod device. If you run the tool immediately, you will start to parse the memory. However, once Vista finishes installing the driver, DMA will be cut off, and the tool will stop working with a "Resource temporarily unavailable" error.

I guess there are a few approaches. First, can we get ahold of another csr file. Perhaps for a hard drive or camera? My guess would be that Microsoft patched this issue, but only for the ipod.csr. Using a different one would restore DMA. Second, is it possible to have the the firewire port disassociate and reassociate while having the tool continue dumping from last memory location?

William

**naskata** · 08-04-2008, 04:39 AM

I also had difficulties accessing the memory via Firewire under Vista, once I plug the cable in it starts dumping the memory but after a few seconds the connection is dropped. So I considered that maybe the native Vista Firewire driver is causing that problem. Then I found the following link:
w3.unibrain.com/download/download.asp,
installed the listed driver on the Vista PC and the problem seems to be resolved. Maybe, as williamc suggests, another ipod or hard drive image would be a good idea, so that there will be no need to install the drivers.

Atanas

**jonah_15** · 08-04-2008, 05:40 AM

I will try creating a different csr image as I notice the Romtool allows you to snarf another nodes csr

**williamc** · 08-04-2008, 02:25 PM

naskata,
Did you use the vista code I provided? I havent had any luck due to the driver issue discussed above. Thanks.

William

**jonah_15** · 08-04-2008, 04:53 PM

I've had the same issue Willamc using the Vista code as naskata, runs for a few seconds then stops. I've created a csr from a firewire external disk drive but i can't get it to autoinstall on firewire connection. It looks like it loads ok with romtool. I might have done something wrong when snarfing so will keep trying.

BackTrack Linux - Penetration Testing Distribution

Thread: Tutorial Winlockpwn

Thread Tools

Search Thread

Display

paper for winlockpnw on vista

Dma

Posting Permissions