| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 1 Aug 2010 05:08:17 -0400
From: "McGhee, Eddie" <Eddie.McGhee@....com>
To: Makoto Shiotsuki <shio@...rim.or.jp>, "full-disclosure@...ts.grok.org.uk"
<full-disclosure@...ts.grok.org.uk>
Subject: Re: Screen_unlock - Windows logon screen unlocker
Cool idea but come on, once we have physical access there's no need to disconnect the hdd and connect to another machine, there is plenty tools out there already to get access, I suppose it does show a slightly different method though so thumbs up I suppose.
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Makoto Shiotsuki
Sent: 01 August 2010 04:20
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Screen_unlock - Windows logon screen unlocker
When you have "suspended or hibernated Windows box" and you want to resume it without user's password, you may be able to accomplish this by the Winlockpwn in case the box has Firewire port (or PCMCIA slot).
Or you may be able to do this through Ethernet interface by the Metasploit using pass-the-hash method and meterpreter script
(screen_unlock.rb) if it is not protected by personal firewall.
But what if there is no Firewire port / PCMCIA slot?
What if you cannot access to the box through the Network Card?
Windows' Accessibility tools (mangify.exe, osk.exe, narrator.exe,
sethc.exe) can be executed on the Logon screen and run with "System"
privilege. By overwriting exe file of the Windows' Accessibility tool (ex. magnify.exe) in the hard disk directly from another OS, you will be able to execute any program on the Logon screen with system privilege.
Screen_unlock is Winlockpwn-like tool based on the screen_unlock.rb meterpreter script. But this is a standalone executable runs on the target box and unlocks the Logon screen by patching msv1_0.dll loaded by LSASS.
You can download the source code and executable from,
http://www.st.rim.or.jp/~shio/tools/screen_unlock/screen_unlock.zip
MD5: 44c804da3ab1491ac34a5a997242f372
Usage:
1. Download "screen_unlock.exe" from the web site.
2. Remove the hard disk from target box and connect it to BT4.
3. Examine MFT number of the program file you want to overwrite.
4. Overwrite it with screen_unlock.exe cluster-by-cluster using dd.
For example:
(i=0; for c in `istat -f ntfs /dev/sda1 MFT_No | grep '^[1-9]' |
tr -d '\n'`; do echo $c; dd if=screen_unlock.exe bs=4096 skip=$i
count=1 | dd of=/dev/sda1 bs=4096 seek=$c count=1 conv=notrunc;
i=`expr $i + 1`; done)
Cluster size (bs=) must be confirmed before execution!
5. Put the hard disk back to target box and turn it on.
6. On the Logon screen, execute utilman by pressing Windows_Key + U.
7. Select the tool overwritten with screen_unlock.exe and start it.
As you know overwriting hard disk cluster may cause serious damage to the target system. Please do this at your own risk.
In case the program file to overwrite (ex. magnify.exe) has been executed previously, this method may fail. The SuperFetch feature of Vista and 7 may become a hurdle. If you know effective way to avoid such restrictions, please let me know. :)
Any feedbacks are welcome.
Thank you.
Makoto Shiotsuki
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists