
New offsets for msv1_0.dll for Windows 7 Enterprise #132

Merged
merged 1 commit into from Aug 18, 2018

3 participants
@Fist0urs
Contributor

Fist0urs commented Sep 16, 2017

Hi there,

first of all, thank you for your awesome tool 👍

Lately I had to perform a DMA attack on a workstation running Windows 7 Enterprise, and the offset did not exist in unlock.py. So here is a new one that worked.

In order to retrieve some offsets automatically, I coded a little script (available at https://github.com/Synacktiv/stuffz/blob/master/search_offsets_DMA.py if you want to take a look) to do so.
I asked a good friend of mine if he could extract for me all the msv1_0.dll and NtlmShared.dll files from VirusTotal carrying legitimate Microsoft signatures, in order to build a list of the offsets found and add the missing ones to your tool.

Here was the result:

$ ./search_offsets_DMA.py -h
usage: search_offsets_DMA.py [-h]
                             [--os {WindowsXP,WindowsVista,Windows7,Windows8,Windows8.1}]
                             [--archi {x86,x64}] (-f FILE | -d DIRECTORY)

Script to extract all offsets needed by 'inception' tool in order to proceed
to a DMA attack through FireWire connection, by jean-christophe.delaunay <at>
synacktiv.com

optional arguments:
  -h, --help            show this help message and exit
  --os {WindowsXP,WindowsVista,Windows7,Windows8,Windows8.1}
                        Specify Windows version which DLL is from
  --archi {x86,x64}     Specify architecture of Windows version
  -f FILE, --file FILE  Dll to search offsets in (msv1_0.dll or
                        NtlmShared.dll). Cannot be used with '-d'
  -d DIRECTORY, --directory DIRECTORY
                        Directory containing Dlls to search offsets in
                        (msv1_0.dll or NtlmShared.dll). Cannot be used with
                        '-f'

$ ./search_offsets_DMA.py -d ./msv1_0s/
dll name: ./msv1_0s/599380a5229e3ab1097f6c4f84f61d82df7002664d616e312a657da4c2ce89e7
  file version:    6.3.9600.18468
  product version: 6.3.9600.18468

  MD5:    2ce3233b09ec1af8b71a035559b25511
  SHA1:   e4453c5ae599297177d31acded3ccaa7e295dd1d
  SHA256: 599380a5229e3ab1097f6c4f84f61d82df7002664d616e312a657da4c2ce89e7

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12572

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12572

dll name: ./msv1_0s/9e12eafaf5c120931d6be0cabc7b04cc6c5ae8c0cd2c34ea4a729c3573335136
  file version:    6.3.9600.18192
  product version: 6.3.9600.18192

  MD5:    c3ae667f60e043515838ab868c9b0e5b
  SHA1:   fdebbdf0920eb235b9406be8e764941e3e737dbb
  SHA256: 9e12eafaf5c120931d6be0cabc7b04cc6c5ae8c0cd2c34ea4a729c3573335136

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12533

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12533

dll name: ./msv1_0s/3b2c000c098ee3738c6b98c9c62221f5080e509e8542a6f0e24e7a2f8731ed8f
  file version:    6.3.9600.18405
  product version: 6.3.9600.18405

  MD5:    14571a53a8d68ce72aebae110d63d3ef
  SHA1:   8549723d203b3182d83a3374678806ebecaf1056
  SHA256: 3b2c000c098ee3738c6b98c9c62221f5080e509e8542a6f0e24e7a2f8731ed8f

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12513

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12513

dll name: ./msv1_0s/adef9f5d2b0c2a30cb1b395c774e7fe75437135a09d3d4e6f97ee8656ce139b4
  file version:    6.1.7601.17514
  product version: 6.1.7601.17514

  MD5:    ef12b8385aa2849999008a977918f96b
  SHA1:   a88c8332a0b39d272c4da7cdea99755084509d69
  SHA256: adef9f5d2b0c2a30cb1b395c774e7fe75437135a09d3d4e6f97ee8656ce139b4

    OS version:      WindowsVista
    architecture:    x64
    service_pack(s): SP2
    offset(s):       0xf321

    OS version:      Windows7
    architecture:    x64
    service_pack(s): SP0, SP1
    offset(s):       0xf321

dll name: ./msv1_0s/f982abb2353e45e3e09b30ea99efdc2a905ad75b43cdb0a34db33d91aaddab17
  file version:    6.1.7601.17514
  product version: 6.1.7601.17514

  MD5:    4c1e16b9a53102c8d6fba587cbcb95de
  SHA1:   9fc022a5b12d879a1ace860e2c42c31fcdfeb769
  SHA256: f982abb2353e45e3e09b30ea99efdc2a905ad75b43cdb0a34db33d91aaddab17

    OS version:      Windows7
    architecture:    x86
    service_pack(s): SP1
    offset(s):       0xd312

dll name: ./msv1_0s/507c7802fdcc10ce699b84fde070f2363bf1a288394977c15d9faca8188d566a
  file version:    6.3.9600.18264
  product version: 6.3.9600.18264

  MD5:    4b86791ba7d8c6bd1cefa0ddb65396f5
  SHA1:   ccadd401fb8e862d9dc043fe928a6a02a9232c8e
  SHA256: 507c7802fdcc10ce699b84fde070f2363bf1a288394977c15d9faca8188d566a

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12513

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12513

dll name: ./msv1_0s/dcbeee43972509842ff52afbb7d04bec7960c18a655406322fb25e0007f682b0
  file version:    6.1.7600.16385
  product version: 6.1.7600.16385

  MD5:    f40388a19f3be3cec25656ce07392877
  SHA1:   442f07f6961b3c484aa0c83d3b213db9ec08313c
  SHA256: dcbeee43972509842ff52afbb7d04bec7960c18a655406322fb25e0007f682b0

    OS version:      WindowsVista
    architecture:    x86
    service_pack(s): SP0, SP1, SP2
    offset(s):       0xd926

    OS version:      Windows7
    architecture:    x86
    service_pack(s): SP0
    offset(s):       0xd926

dll name: ./msv1_0s/85f164213f28ae01d944f8522692095bb6cad4f1042944350faa4ea940dbefc4
  file version:    6.1.7601.23714
  product version: 6.1.7601.23714

  MD5:    02af6e3d34312f16343c122ba4e277c7
  SHA1:   54fad1646659c7e8d0526a8dab01b44f48a38d28
  SHA256: 85f164213f28ae01d944f8522692095bb6cad4f1042944350faa4ea940dbefc4

    OS version:      Windows7
    architecture:    x86
    service_pack(s): SP1
    offset(s):       0xb642

dll name: ./msv1_0s/aed7b850b5fd8756c7f1b5aa84676bc0d39acb7f274fef7582748c6bf3619732
  file version:    6.3.9600.18512
  product version: 6.3.9600.18512

  MD5:    3f5b34126f767b7faa6cb5bee2c615a8
  SHA1:   a715bb4b24f1bcf4100cb7c847219edaf935456a
  SHA256: aed7b850b5fd8756c7f1b5aa84676bc0d39acb7f274fef7582748c6bf3619732

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x122d2

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x122d2

dll name: ./msv1_0s/06a28d229540f728c60dea5e9baba90cace94aa8190a6a12d71783b7fe226243.dll
  file version:    6.3.9600.16384
  product version: 6.3.9600.16384

  MD5:    f931d28f625beb9fc7e8c6909b8dbc45
  SHA1:   1666ae0c313275bb6a1a8db8c79f00583cfd32dc
  SHA256: 06a28d229540f728c60dea5e9baba90cace94aa8190a6a12d71783b7fe226243

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x11ca0

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x11ca0

dll name: ./msv1_0s/7128ac37b5dcc307c00806caeca3d7c92fde6a8fd89fad46736dd574184b55cc
  file version:    6.3.9600.18512
  product version: 6.3.9600.18512

  MD5:    a1009197814718e106df268e0e15fb78
  SHA1:   3d421d03fc446fa76bc969fa3a8f74b25efaa519
  SHA256: 7128ac37b5dcc307c00806caeca3d7c92fde6a8fd89fad46736dd574184b55cc

    OS version:      Windows8.1
    architecture:    x64
    service_pack(s): 
    offset(s):       0x16704

    OS version:      Windows8
    architecture:    x64
    service_pack(s): 
    offset(s):       0x16704

dll name: ./msv1_0s/f72ab21b18715aa7b1f235fc9e02c9b02c20f36ce28faee831f57b39784bfbea
  file version:    6.3.9600.17415
  product version: 6.3.9600.17415

  MD5:    c997df628b7258b4ae62b8eccfbd09e9
  SHA1:   ba619f0aed7820e7548d6653fd67892fd975d9b9
  SHA256: f72ab21b18715aa7b1f235fc9e02c9b02c20f36ce28faee831f57b39784bfbea

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x14cb3

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x14cb3

dll name: ./msv1_0s/93cc37b8df1cf0db3c6e1d3230f5bd343cc9e3e7bc374d931b5edc6e1e0708b9
  file version:    6.1.7601.23796
  product version: 6.1.7601.23796

  MD5:    57b6d231b55cbbf1f9d507fbb951c0db
  SHA1:   c9288c01ae7f202c4f02516c2d6dc171c650f84a
  SHA256: 93cc37b8df1cf0db3c6e1d3230f5bd343cc9e3e7bc374d931b5edc6e1e0708b9

    OS version:      WindowsVista
    architecture:    x64
    service_pack(s): SP2
    offset(s):       0x4e05

    OS version:      Windows7
    architecture:    x64
    service_pack(s): SP0, SP1
    offset(s):       0x4e05

I couldn't test the new offsets as I only have the DLLs, so feel free to decide what to do with them ;)

Cheers!
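
To make concrete what each per-DLL record in the listing above contains, here is an added Python example (not inception's code and not the Synacktiv script) that identifies a msv1_0.dll build the same way: it hashes the file, reads the file and product version out of the PE's VS_FIXEDFILEINFO, reads the architecture from the COFF header, and maps the build number to the Windows release and service pack. The build-number table, the helper names and the dwStrucVersion check are mine; the sample input is a constructed minimal PE blob, not a real DLL; and the offset search itself is left out, since the byte pattern inception patches is not shown on this page.

```python
"""Identify a Windows msv1_0.dll / NtlmShared.dll build the way the
search_offsets_DMA.py output above does: hashes, file/product version,
architecture, and the Windows release + service pack of the build.

Added example for this thread, not code from inception or from the
Synacktiv script. Stdlib only. The offset search is deliberately left
out: the byte pattern inception patches is not given on this page.
"""
import hashlib
import struct

# VS_FIXEDFILEINFO.dwSignature: the struct that carries the file/product
# version inside the PE version resource. Scanning the raw file for it
# avoids walking the resource directory tree.
VS_FFI_SIGNATURE = 0xFEEF04BD

# IMAGE_FILE_MACHINE_* values from the COFF header.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}

# (major, minor, build) -> (OS, service pack) for the releases the script's
# --os switch knows about. Public RTM/SP build numbers; anything else is
# reported as unknown rather than guessed.
BUILD_TO_RELEASE = {
    (5, 1, 2600): ("WindowsXP", None),
    (6, 0, 6000): ("WindowsVista", "SP0"),
    (6, 0, 6001): ("WindowsVista", "SP1"),
    (6, 0, 6002): ("WindowsVista", "SP2"),
    (6, 1, 7600): ("Windows7", "SP0"),
    (6, 1, 7601): ("Windows7", "SP1"),
    (6, 2, 9200): ("Windows8", None),
    (6, 3, 9600): ("Windows8.1", None),
}


def pe_machine(data: bytes) -> str:
    """Return 'x86'/'x64' from the COFF header Machine field."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, "unknown(0x%04x)" % machine)


def fixed_file_info(data: bytes):
    """Locate VS_FIXEDFILEINFO; return (file_version, product_version)
    as 4-tuples of ints. Raises if no version resource is present."""
    sig = struct.pack("<I", VS_FFI_SIGNATURE)
    pos = data.find(sig)
    while pos != -1:
        if pos + 24 <= len(data):
            # dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS,
            # dwProductVersionMS, dwProductVersionLS
            _, struc_ver, fv_ms, fv_ls, pv_ms, pv_ls = struct.unpack_from("<6I", data, pos)
            # Assumption: dwStrucVersion is 1.0 in the version resources
            # Windows ships; it filters a chance hit on the same 4 bytes.
            if struc_ver == 0x00010000:
                split = lambda ms, ls: (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
                return split(fv_ms, fv_ls), split(pv_ms, pv_ls)
        pos = data.find(sig, pos + 1)
    raise ValueError("no VS_FIXEDFILEINFO found")


def identify(data: bytes) -> dict:
    """Build the same kind of record the script prints for one DLL."""
    file_ver, prod_ver = fixed_file_info(data)
    release, sp = BUILD_TO_RELEASE.get(file_ver[:3], ("unknown", None))
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "file_version": ".".join(map(str, file_ver)),
        "product_version": ".".join(map(str, prod_ver)),
        "os_version": release,
        "service_pack": sp or "",
        "architecture": pe_machine(data),
    }


def build_fake_pe(machine: int, version: tuple) -> bytes:
    """Constructed test input: a minimal MZ/PE header followed by one
    VS_FIXEDFILEINFO. Not a real DLL, just enough for identify()."""
    ms = (version[0] << 16) | version[1]
    ls = (version[2] << 16) | version[3]
    header = bytearray(0x60)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> PE signature
    header[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", header, 0x44, machine)
    # 13 DWORDs: signature, struct version, file/product version, then
    # flags mask, flags, OS, type, subtype and file date left zero.
    ffi = struct.pack("<13I", VS_FFI_SIGNATURE, 0x00010000, ms, ls, ms, ls,
                      0, 0, 0, 0, 0, 0, 0)
    return bytes(header) + b"\0" * 0x20 + ffi


if __name__ == "__main__":
    # Same build as the Windows 7 SP1 x86 DLL in the listing above
    # (6.1.7601.17514), but a constructed blob, so the hashes differ.
    sample = build_fake_pe(0x014C, (6, 1, 7601, 17514))
    for key, value in identify(sample).items():
        print("%-16s %s" % (key + ":", value))
```

Run as a script it prints a record shaped like the listing above for a constructed 6.1.7601.17514 x86 blob; pass the bytes of a real msv1_0.dll to `identify()` to get its hashes and build. The listing above also shows one DLL under several entries at once (for instance 6.1.7601.17514 x64 under both WindowsVista SP2 and Windows7); that grouping is the script's own, and this example does not reproduce it.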

@carmaa


Owner

carmaa commented Sep 25, 2017

This looks awesome, thanks. Mind if I include your script in inception (with proper attribution, of course)?

Haven't tested the offsets yet, but will do and merge if everything's ok.

@carmaa carmaa self-assigned this Sep 25, 2017

@Fist0urs


Contributor

Fist0urs commented Sep 25, 2017

You can include it, ofc 👍

I also plan to add 2 related features when I have time:

  • a command-line option for inception to specify offset + OS + archi + SP, so that it applies the patch without needing to brute-force
  • dump the 4GB, reconstruct the .text section of msv1_0.dll/NtlmShared.dll from memory pages and apply the script (so that we could extract the offset and launch inception again specifying this offset; this would give the tool 100% reliability)

What do you think about these ideas?

Cheers!

EDIT: just let me add the most important thing to the script before adding it: the BeerWare license 😉
EDIT2: done 👍

@cbaker730


cbaker730 commented Jun 12, 2018

Yes! Please accept this. We just added offset 0xe05 for Win7 Pro SP1 msv1_0.dll v6.1.7601.24094 and it worked beautifully. Wish we'd seen this first. Also nice work by Fist0urs on search_offsets_DMA.py.

@carmaa carmaa merged commit 8e674d5 into carmaa:master Aug 18, 2018
