| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 01 Aug 2010 12:19:40 +0900
From: Makoto Shiotsuki <shio@...rim.or.jp>
To: full-disclosure@...ts.grok.org.uk
Subject: Screen_unlock - Windows logon screen unlocker
When you have "suspended or hibernated Windows box" and you want to
resume it without user's password, you may be able to accomplish this
by the Winlockpwn in case the box has Firewire port (or PCMCIA slot).
Or you may be able to do this through Ethernet interface by the
Metasploit using pass-the-hash method and meterpreter script
(screen_unlock.rb) if it is not protected by personal firewall.
But what if there is no Firewire port / PCMCIA slot?
What if you cannot access to the box through the Network Card?
Windows' Accessibility tools (mangify.exe, osk.exe, narrator.exe,
sethc.exe) can be executed on the Logon screen and run with "System"
privilege. By overwriting exe file of the Windows' Accessibility
tool (ex. magnify.exe) in the hard disk directly from another OS,
you will be able to execute any program on the Logon screen with
system privilege.
Screen_unlock is Winlockpwn-like tool based on the screen_unlock.rb
meterpreter script. But this is a standalone executable runs on
the target box and unlocks the Logon screen by patching msv1_0.dll
loaded by LSASS.
You can download the source code and executable from,
http://www.st.rim.or.jp/~shio/tools/screen_unlock/screen_unlock.zip
MD5: 44c804da3ab1491ac34a5a997242f372
Usage:
1. Download "screen_unlock.exe" from the web site.
2. Remove the hard disk from target box and connect it to BT4.
3. Examine MFT number of the program file you want to overwrite.
4. Overwrite it with screen_unlock.exe cluster-by-cluster using dd.
For example:
(i=0; for c in `istat -f ntfs /dev/sda1 MFT_No | grep '^[1-9]' |
tr -d '\n'`; do echo $c; dd if=screen_unlock.exe bs=4096 skip=$i
count=1 | dd of=/dev/sda1 bs=4096 seek=$c count=1 conv=notrunc;
i=`expr $i + 1`; done)
Cluster size (bs=) must be confirmed before execution!
5. Put the hard disk back to target box and turn it on.
6. On the Logon screen, execute utilman by pressing Windows_Key + U.
7. Select the tool overwritten with screen_unlock.exe and start it.
As you know overwriting hard disk cluster may cause serious damage to
the target system. Please do this at your own risk.
In case the program file to overwrite (ex. magnify.exe) has been
executed previously, this method may fail. The SuperFetch feature
of Vista and 7 may become a hurdle. If you know effective way to
avoid such restrictions, please let me know. :)
Any feedbacks are welcome.
Thank you.
Makoto Shiotsuki
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists