PassPassLive


15 replies to this topic

#1 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 21 January 2014 - 12:00 PM


File Name: PassPassLive
File Submitter: joakim
File Submitted: 20 Jan 2014
File Category: Security

This is a live version of PassPass: http://reboot.pro/to...s-the-password/

It attaches to lsass.exe and locates module msv1_0.dll and patches it in memory in order to bypass local password validation. No need for a reboot. Just execute it, and any password will be accepted after that for local logins. Domain logins not supported. No binaries on-disk are patched.

Tested on 6.1.7601.17514 and 6.3.9600.16384 both x86 and x64. That means latest version of both archs for Windows 7 / Server 2008 R2 and Windows 8 / Server 2012 R2.

Just for the fun of it :)

  • florin91 likes this

#2 steve6375

steve6375

    Platinum Member

  • Developer
  • 6597 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars
  •  
    United Kingdom

Posted 21 January 2014 - 12:36 PM

Sorry, I don't understand how to use the exe files? Are these Windows executables? How do you boot to Windows and use them to bypass the login pwd?

 

Is this for logged-in systems only? Does it need Admin rights to run?



#3 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 21 January 2014 - 02:55 PM

Same request as that of Steve's, a bit more guidance expected.



#4 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 21 January 2014 - 03:21 PM

Ok guys.

 

Yes, it's a Windows executable. As I said, it patches memory of lsass.exe -> msv1_0.dll. So obviously Windows has to be booted. When you want to launch it is up to you. However, it's not a boot or native application, so it depends on the win32 subsystem, and thus has a few restrictions on exactly when it can be launched. As it brutally modifies the memory of a system process, you need to assign debug privileges to your process, and obviously it thus also needs to be launched by someone with admin privileges.

 

Useful?

 

Like I said:


Just for the fun of it :)



#5 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 21 January 2014 - 03:25 PM

...you need to assign debug privileges to your process, and obviously it thus also needs to be launched by someone with admin privileges.

 

Does launching by Admin assign debug privilege, too?



#6 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1918 posts
  • Location:Nantes - France
  •  
    France

Posted 21 January 2014 - 04:00 PM

Will be interesting to see how antivirus software reacts :)

 

The CreateRemoteThread and WriteProcessMemory APIs (or their counterparts in the NT family) are seen as suspicious nowadays.

But I could be wrong and you could be using other APIs (did not have a look at the exe yet).



#7 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 21 January 2014 - 04:02 PM

Will be interesting to see how antivirus software reacts :)

 

My Avast is complaining!



#8 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 21 January 2014 - 09:27 PM

In order to get yourself (in this case PassPassLive.exe) enough rights to tamper with a process running under the context of "NT AUTHORITY\SYSTEM", you will need some super privileges. Kind of like what a debugger would need. In fact, the privilege is named SeDebugPrivilege: http://support.microsoft.com/kb/131065

 

In order to obtain such a privilege for your process, you will need to be local administrator. If that was not the case, the security model of Windows would not make much sense..

 

The important APIs used are:

RtlAdjustPrivilege
EnumProcessModulesEx
OpenProcess
VirtualQueryEx
ReadProcessMemory
VirtualProtectEx
WriteProcessMemory

 

Not really surprising that AV is complaining though, considering what it does.. :)


  • florin91 likes this
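
A defender's view of the API list in the post above, as an added example that is not part of the original thread or of the tool: WriteProcessMemory and VirtualProtectEx only work on a handle that OpenProcess granted PROCESS_VM_WRITE and PROCESS_VM_OPERATION, so a handle to lsass.exe carrying both rights is what a monitoring rule can key on. The sketch assumes Sysmon is configured to log Event ID 10 (ProcessAccess) and that events are already parsed into dicts; the sample events, paths and function names are constructed for illustration.

```python
"""Flag process handles opened to lsass.exe with memory-write rights.

Input: Sysmon Event ID 10 (ProcessAccess) records, already parsed into dicts.
The sample events below are constructed for this example.
"""

# Process access rights from the Windows SDK (winnt.h).
PROCESS_VM_OPERATION = 0x0008   # required by VirtualProtectEx
PROCESS_VM_READ = 0x0010        # required by ReadProcessMemory
PROCESS_VM_WRITE = 0x0020       # required by WriteProcessMemory

WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events; paths and access masks are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\admin\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "SourceImage": r"C:\Tools\reader.exe",
     "TargetImage": r"C:\Windows\system32\LSASS.EXE", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Tools\dbg.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 1, "SourceImage": "", "TargetImage": "", "GrantedAccess": "0x0"},
]

def targets_lsass(image_path):
    # Compare the file name only, case-insensitively (Windows paths).
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "lsass.exe"

def classify(event):
    """Return 'write', 'read' or None for one parsed event."""
    if event.get("EventID") != 10 or not targets_lsass(event.get("TargetImage", "")):
        return None
    try:
        access = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return None  # malformed mask: skip rather than guess
    if access & WRITE_MASK == WRITE_MASK:
        return "write"   # handle is sufficient for in-memory patching
    if access & PROCESS_VM_READ:
        return "read"    # handle is sufficient for memory reads only
    return None

def triage(events):
    # List (source image, kind) for every lsass.exe access worth reviewing.
    return [(e["SourceImage"], kind) for e in events if (kind := classify(e))]
```

Legitimate security products also open lsass.exe, so in practice the output is reviewed against an allowlist of known source images rather than alerted on directly.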

#9 Me Only

Me Only

    Newbie

  • Members
  • 16 posts
  •  
    United States

Posted 25 January 2014 - 05:40 AM

I guess I really don't understand what the purpose of such a program can be, then. The only reason I could see this being of any value is if you (as an administrator on your own computer) wish to log into a limited user's account without changing their password. Yet I don't even understand the reason for this program in that case either. Usually, if you are the administrator, you know the other users' passwords because you have created them.

Please explain if there is a real-world use for this app that I haven't mentioned.



#10 dencorso

dencorso

    Frequent Member

  • Advanced user
  • 114 posts
  •  
    Brazil

Posted 25 January 2014 - 11:19 AM

Do you? Really? Can't people change their own password, regardless of how limited their rights may be, anymore? :ph34r:

OTOH, joakim said very clearly it was created just for the lulz, so why are you asking him its real-world usefulness?  :dubbio:



#11 Me Only

Me Only

    Newbie

  • Members
  • 16 posts
  •  
    United States

Posted 25 January 2014 - 03:25 PM

I didn't see that part of his messages.



#12 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1918 posts
  • Location:Nantes - France
  •  
    France

Posted 25 January 2014 - 03:32 PM

To me this is a Proof of concept, nothing more nothing less.

#13 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 25 January 2014 - 06:45 PM

He he, "just for the fun of it" does not mean you absolutely need it in your toolkit. Not even a PoC, as memory patching has been known for a really long time. As said, it is up to the user to figure out when and how to execute it.

#14 Wh1t3c0d3r

Wh1t3c0d3r

    Member

  • Tutorial Writer
  • 80 posts
  • Location:/usr/bin/php
  • Interests:I'm an enthusiast PHP programmer working as an IT technician (level 2) for a small company that create software.
    I love to help and teach things to people for free (if possible)
  •  
    Canada

Posted 25 January 2014 - 10:15 PM

My Avast is complaining!

 

Same for me but with BitDefender. Good work on it by the way! Could use it for a prank with my friends... 



#15 ec2011

ec2011
  • Members
  • 7 posts
  •  
    United Kingdom

Posted 26 January 2014 - 06:49 PM

Trying to use PassPassLive on Windows Vista SP2 32-bit.
 
msv1_0.dll version: 6.0.6002.18111
MD5 Hash:  4ABCE74D012971305249E45E095E9EA6
 
Getting the following output:
 

ProductVersion of C:\WINDOWS\system32\msv1_0.dll: 6.0.6002.18111
Error: Version not supported yet
Currently only supports: 6.1.7601.17514 and 6.3.9600.16384

 
Will support for this version be added?



#16 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 26 January 2014 - 09:34 PM

I don't have any Vista vm any more, so don't think so.





