Unlocking Windows 7 SP1 locked screen remotely

Those concerned know about msv1_0.dll  function MsvpPasswordValidate in Windows operating systems. A useful script for unlocking locked workstation in Metasploit Meterpreter is called screen_unlock.rb. It works well but the signatures and offsets are a little outdated as they are missing Win7 SP1 and latest XP SP3 msv1_0.dll security update.

As Microsoft ships newer versions of msv1_0.dll we need to manually search using a debugger for offsets and signatures as the old ones wont work anymore.  In this article I will explain how to do it using the freeware IDA  disassembler v. 5.0 and the msv1_0.dll from Win7 SP1 32bit.

For 64Bit Windows 7 the approach is the same, I dont have access to it at this moment.

Okay so here we are stuck with Win7 SP1 with all updates…. and screen_unlock script bails out that : found signature does not match.

Well time to get our hands dirty and do some disassembly, its not as hard as it looks.

Load IDA and create new “PE Dynamic Library” Dissasembly Database, load c:\windows\system32\msv1_0.dll

Once loaded we need to search for MsvpPasswordValidate function signature :

Take note on the Start address its: 6D48E26D , from this we know that the MsvpPasswordValidate signature offset is 0xe26d

Next we need to verify the HEX signature of this function, so switch to hex view in IDA and see :

The signature is 8BFF558BEC81EC88000000A1 which pretty stays the same since Vista SP0.

Okay now the hard part, we need to find a function that checks the user input password and compares the hashes in memory. This function is called RtlCompareMemory and we need to look for this pattern and stay within the 6D48Exxx offset range. There are tons of obfuscations in there so look towards the end of the map.

This is the pattern we are looking for ! What happens here is this compares the two password hashes and if they don’t match it jumps to incorrect password return value. We need to short-circuit the whole process and replace “jnz   loc_6D49776B” with our bypass patch which will take us directly to the end of the function with NOP so that we can use any password.

So here we have this in HEX

So take a note of the value 0F8550940000 this is our original_code  and its offset at 6D48E315  is  0xe315

the NOP in hex would be   909090909090 so this would be our patch code

So we add a new array into the existing screen_unlock.rb  like so

{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe26d, :orig_code => "0f8550940000", :patch => "909090909090", :patchoffset => 0xe315, :os => /Windows 7.*Service Pack 1/ },

For the lazy ones here is the current XP SP3 unlock array ;)

{ :sig => "8bff558bec83ec50a1", :sigoffset => 0x97d3, :orig_code => "7511", :patch => "9090", :patchoffset => 0x9865, :os => /Windows XP.*Service Pack 3/ },

So if you need to unlock a locked Win7 computer on a Windows Domain,  Metasploit and /exploit/windows/psexec module  are your friends.  Just select the meterpreter reverse tcp and once you have a shell on the remote system, run the script. Remember that once the memory is patched and the the user who locked the screen is part of a domain you need to immediately revert the patching  by issuing the ” screen_unlock -r” command after you log into Win7 with ANY password, or the domain account will be locked after a while. Also any local account can be bypassed with ANY password…. hint hint …..

Its could be used as a nice Magic trick on some sysadmins … think of a password my friend and set your account to this password … now abracadabra … I know it !  Oh well..whatever.

About these ads
Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

19 Responses to Unlocking Windows 7 SP1 locked screen remotely

  1. Ange says:

    Nice!
    It would also work with any disassembler with symbols support:
    Hiew (+plugin), OllyDbg 2 (out of the box)…

  2. Carsten says:

    Shameless plug: If you have physical access to the machine you want to unlock you can use the tool FTWAutopwn to hack the machine over FireWire: http://www.breaknenter.org/projects/ftwautopwn/

    • astr0baby says:

      Sure, but not every PC is a laptop with PCMCIA or Firewire port.

      • Carsten says:

        If it is a desktop PC it should be fairly easy to expand it’s PCI bus with a firewire card, if I remember correctly most modern motherboards support PCI hot plugging. I didn’t mean to undermine the Metasploit plugin, but sometimes you don’t have a meterpreter shell with Administrator/SYSTEM privileges (which is required to perform the attack above). Cool that you’ve updated the signatures, though!

  3. astr0baby says:

    As long as the disk isnt encrypted one could just get the hashes from SAM using bkhive and samdump2 out of the HDD. Once you have the admin hash and know the hostname of a target (if on a windows domain for example) you just use psexec module in Metasploit and get the SYSTEM with pass the hash. This was just an exercise to unlock Win7 boxes on a Windows domain.

    • Carsten says:

      Sure, the FireWire attack is primarily aimed at machines that utilize full disk encryption, so that you cannot dump the hives from the HDD. If a machine isn’t encrypted, all bets are off IMHO. To be honest, I rarely encounter laptops at pentests nowadays that isn’t encrypted. I didn’t mean to start a discussion here by the way, I just saw your write up and thought of it as a good place to direct people to other similar attacks (more of a HWW hack, really).

  4. Mike says:

    @astrobaby Very informative. I followed your techniques using a XP SP3 msv1_0.dll. I was able to get the exact values. Now what I don’t quite get is how useful is this metasploit script? If I’ve already have a session against the box, why would I want to unlock the box. Am I missing something here?

    • astr0baby says:

      You are not missing anything there ;) This is what it is, we do it for fun or as some others would say for the lulz. Dont worry about it and keep on truckin’

  5. tekkenhead says:

    It just might be me but I can’t see the msvpPasswordValidate function. I have tried multiple versions of windows and IDA Pro and can’t find it maybe someone can help me. thanks.

  6. tekkenhead says:

    This link says the msvpPasswordValidate function is not even in the .dll I am confused.

    http://www.win7dll.info/msv1_0_dll.html

    • astr0baby says:

      The msvpPasswordValidate is one of “Many” undocumented functions within the msv1_0.dll in Win7 SP1, in fact there are about 700 functions there. Learn how to use IDA first.

  7. tekkenhead says:

    I wanted to say thanks. Your right. After discovering alot of cracked IDA versions didn’t have the debug symbols included. I did download the free version. Other then that I learned nothing. Post that.

  8. Node says:

    I followed your guide for win7 sp1, the values looks the same all the way, so i copy-pasted your line, but the script still didnt work. After i got system and migrated to lsass.exe it said
    [*] “OS ‘Windows 7 (Build 7601, Service Pack 1).’ found in known targets”
    [-] Found signature does not match
    [-] No working target found

    • astr0baby says:

      Is your system 32 or 64bit ? Also dont migrate to lsass.exe, just stay in the original PID that you got in your system shell.

      • Node says:

        It’s 64 bit, and im using a meterpreter exe file and then escalating to system with “getsystem”. If i stay in the original pid it gives me:

        [*] OS ‘Windows 7 (Build 7601, Service Pack 1).’ found in known targets
        [-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_image_get_images: Operation failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
        [-] Call stack:
        [-] /opt/metasploit-4.4.0/msf3/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb:111:in `get_images’
        [-] /opt/metasploit-4.4.0/msf3/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb:98:in `each_image’
        [-] /opt/metasploit-4.4.0/msf3/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb:40:in `[]‘
        [-] /opt/metasploit-4.4.0/msf3/modules/post/windows/escalate/screen_unlock.rb:74:in `block in run’
        [-] /opt/metasploit-4.4.0/msf3/modules/post/windows/escalate/screen_unlock.rb:68:in `each’
        [-] /opt/metasploit-4.4.0/msf3/modules/post/windows/escalate/screen_unlock.rb:68:in `run’
        [*] Post module execution completed

      • astr0baby says:

        OK, for 64bit you need to migrate to some 64bit process if your spawned shell is 32bit, just check with ps command from within meterpreter shell. Do not migrate to lsass.exe. Also please check here for 64bit Windows 7 SP1 msv1_0.dll https://astr0baby.wordpress.com/2012/09/18/fun-with-msv1_0-dll-in-windows-7-sp1-64bit/
        Original screen unlock was tested on 32bit windows when I wrote the article.

      • astr0baby says:

        I have just made some tests and you need a different approach for 64bit msv1_0.dll, first the signature is different as the offsets for orig and patch. When I am finished researching this on 64bit I will post my findings.

      • Node says:

        You’re awesome. Can’t wait to see what you come up with.

  9. dio says:

    It would be interesting to see the solutions for windows 8 x64 and windows 2008 r2 x64.
    +1 Can’t wait to see what you come up with.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s