
Thread: Tutorial Winlockpwn

  1. #11
    williamc (Good friend of the forums), joined Feb 2010, Chico CA, 285 posts

    This has worked on a Dell D630 and an Inspiron 8600, both XP SP2. No luck on another D630 or any Vista machines yet. I'm trying to figure out the modified msv1_0.dll technique mentioned by the author, but no luck there either.

    William

  2. #12
    imported_spudgunman (Junior Member), joined Feb 2007, 78 posts

    No, one was a D630, the other was a Shuttle, and newly tested on an old Dell (don't know what model, it's just old). What Dell did you get this to work on? And what was the driver of the FW?

    They were each fully patched SP2 boxes that are also members of a domain. However, the latest test was on a fully patched SP2 box with no domain.

    Would the hardware be the lockup? Wouldn't it be the drivers on the OS-to-be-pwned?

    At work today I'm going to test it all over the place to see if I can find something that will allow the hack to continue.

  3. #13
    imported_spudgunman (Junior Member), joined Feb 2007, 78 posts

    UPDATE: May22

    I got it to work; who knows if I was sleepy or a reboot fixed it. But when I powered up, I started from "step 5" and followed the steps exactly.

    Dell D630 fully patched on the domain and it worked! I had full access as advertised.

    Something I noticed was that this morning businfo has 1 on node 0 and not 0 for all the data it spits out on what will and won't work.

    Now how do I dump the contents of the memory to get access to a WDE key?

  4. #14
    Just burned his ISO, joined Dec 2007, 16 posts

    Paper for winlockpwn on Vista

    Quote Originally Posted by williamc:
    This has worked on a Dell D630 and an Inspiron 8600, both XP SP2. No luck on another D630 or any Vista machines yet. I'm trying to figure out the modified msv1_0.dll technique mentioned by the author, but no luck there either.

    William
    3w.sec-consult.com/fileadmin/Whitepapers/Vista_Physical_Attacks.pdf

  5. #15
    williamc (Good friend of the forums), joined Feb 2010, Chico CA, 285 posts

    Thanks for the above link.

    Link above is no longer valid, so you can find it here:
    http://packetstormsecurity.org/paper...al_Attacks.pdf
    This link I came across is very detailed:
    https://www.moonloop.org/bin/view/Mo...Red6cUaILIXVGw

    I've gone through the whitepapers and have updated winlockpwn with SP3 and Vista Firewire exploits. I'm in the process of testing it, but I left my firewire cables at home, so it won't be until tomorrow.

    In the meantime, please reference both links and see if I implemented it correctly:
    Code:
    {"name":"WinXP SP3 msv1_0.dll technique",
     "notes":"Patches the call which decides if an account requires password authentication. Page Offset signature changed from SP2.",
     "phase":[{
        "sig":"8BFF558BEC83EC50A1",
        "pageoffset":[0x81B],
        "patch":"B001",
        "patchoffset":0xa5}]
    },
    {"name":"Windows Vista msv1_0.dll technique",
     "notes":"Patches the call which decides if an account requires password authentication. Signature and offsets changed with Vista.",
     "phase":[{
        "sig":"8BFF558BEC81EC88000000A1A4",
        "pageoffset":[0x76A],
        "patch":"B001",
        "patchoffset":0xBD}]
    },
    You'll notice that in the second whitepaper linked in my post, they claim the Vista exploit wouldn't work, but the first link gives a different memory address which claimed to be successful! If you can take the first linked page and locate the signature and offset, that would be helpful!

    William

  6. #16
    williamc (Good friend of the forums), joined Feb 2010, Chico CA, 285 posts

    OK, looking into this further, I've come to the conclusion that Vista is preventing DMA via the firewire. If you open your Device Manager while plugging in the firewire cable, you will see it installing the iPod device. If you run the tool immediately, you will start to parse the memory. However, once Vista finishes installing the driver, DMA will be cut off, and the tool will stop working with a "Resource temporarily unavailable" error.

    I guess there are a few approaches. First, can we get hold of another csr file, perhaps for a hard drive or camera? My guess would be that Microsoft patched this issue, but only for the ipod.csr. Using a different one would restore DMA. Second, is it possible to have the firewire port disassociate and reassociate while having the tool continue dumping from the last memory location?

    William

  7. #17
    Just burned his ISO, joined Jun 2008, 4 posts

    DMA

    I also had difficulties accessing the memory via Firewire under Vista: once I plug the cable in, it starts dumping the memory, but after a few seconds the connection is dropped. So I considered that maybe the native Vista Firewire driver is causing that problem. Then I found the following link:
    w3.unibrain.com/download/download.asp,
    installed the listed driver on the Vista PC, and the problem seems to be resolved. Maybe, as williamc suggests, another iPod or hard drive image would be a good idea, so that there will be no need to install the drivers.

    Atanas

  8. #18
    jonah_15 (Junior Member), joined Jan 2010, 25 posts

    I will try creating a different csr image, as I notice the Romtool allows you to snarf another node's csr.

  9. #19
    williamc (Good friend of the forums), joined Feb 2010, Chico CA, 285 posts

    naskata,
    Did you use the Vista code I provided? I haven't had any luck due to the driver issue discussed above. Thanks.

    William

  10. #20
    jonah_15 (Junior Member), joined Jan 2010, 25 posts

    I've had the same issue, williamc, using the Vista code as naskata: it runs for a few seconds then stops. I've created a csr from a firewire external disk drive, but I can't get it to autoinstall on firewire connection. It looks like it loads OK with romtool. I might have done something wrong when snarfing, so will keep trying.
