Just released a meterpreter script that can be used to unlock the screen of a Windows system. The script needs SYSTEM privileges and patches the msv1_0.dll loaded by lsass.exe so that every password is accepted when unlocking the screen (the patch can also be undone to restore normal behavior). Currently Windows XP SP2 and SP3 are supported.
The idea for this technique was first published by Metlstorm, whose winlockpwn tool performs the same patch via FireWire access to the machine.
I think it might be good for some demonstration purposes.
You can get the script here: http://github.com/svent/misc/blob/master/metasploit/screen_unlock.rb
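As a defender-side check for this class of in-memory patch (an added example, not part of the original post or of the script): parse the section table of the DLL on disk, diff its .text bytes against the bytes read from the loaded module, and report the modified ranges. The PE layout and the patched byte below are constructed sample data, not msv1_0.dll.

```python
import struct
SECTION_HDR = "<8sIIII"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData

def code_section(pe: bytes, name: bytes = b".text"):
    """Return (raw_offset, size, rva) of a named section from an on-disk PE image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    table = e_lfanew + 24 + struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    for i in range(nsections):
        sname, vsize, rva, rawsize, rawptr = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        if sname.rstrip(b"\0") == name:
            return rawptr, min(vsize, rawsize), rva
    raise ValueError("section %r not found" % name)

def patched_ranges(disk: bytes, memory: bytes, max_gap: int = 8):
    """Diff code bytes from disk against the loaded copy; returns [(offset, disk_bytes, memory_bytes)].
    Differences closer than max_gap are merged so a multi-byte inline patch is one range."""
    ranges, i, n = [], 0, min(len(disk), len(memory))
    while i < n:
        if disk[i] == memory[i]:
            i += 1
            continue
        start = last = i
        while i < n and i - last <= max_gap:
            if disk[i] != memory[i]:
                last = i
            i += 1
        ranges.append((start, disk[start:last + 1], memory[start:last + 1]))
    return ranges

def build_sample_pe(text: bytes) -> bytes:
    e_lfanew, hdr = 0x80, bytearray(0x200)  # constructed minimal PE32, one .text section at raw offset 0x200
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, 1)      # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", hdr, e_lfanew + 20, 0xE0)          # SizeOfOptionalHeader for PE32
    struct.pack_into(SECTION_HDR, hdr, e_lfanew + 24 + 0xE0, b".text", len(text), 0x1000, len(text), 0x200)
    return bytes(hdr) + text

def check_sample():
    original = bytes([0x55, 0x8B, 0xEC, 0x85, 0xC0, 0x74, 0x05, 0x33, 0xC0, 0x5D, 0xC3])  # constructed code
    disk = build_sample_pe(original)
    off, size, rva = code_section(disk)
    loaded = bytearray(disk[off:off + size])
    loaded[5] = 0xEB  # constructed inline patch: one byte of a conditional branch overwritten in memory
    return [(rva + o, d, m) for o, d, m in patched_ranges(disk[off:off + size], bytes(loaded))]
```

On a real system the in-memory bytes come from the lsass.exe process (which needs debug privilege) or from a memory image, and on Vista and later the module is usually relocated by ASLR, so relocation fixups must be applied to the disk copy before diffing or every absolute address will be flagged.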
Nice. -- Video demo? :)
Very useful! Thanks for sharing.
meterpreter > sysinfo
Computer: XPSP2
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
meterpreter > run screen_unlock
[*] OS 'Windows XP (Build 2600, Service Pack 2).' found in known targets
[-] found signature does not match
I updated the script; it now works on some versions of Vista and 7 and supports more versions of XP by using relative offsets.
Mark Baggett has created a nice video for PaulDotCom showing how to use the script: http://pauldotcom.com/2010/02/meterpreter-script-to-unlock-t.html