Integrating DMA attacks into Metasploit
Note 1: this is not my research. I only (co)supervised MSc students Albert Spruyt and Rory Breuk.
Note 2: the work was done in only five weeks, including reporting. More updates may follow when the guys find some time to work on it a bit more.
DMA attacks are oldskool, but hard to perform, as no modern tool supports them easily. Also, the oldskool attacks were limited to bypassing the login screen (Windows GINA) and searching memory for keys. Some small patches were made for operating systems other than the ones targeted by the original winlockpwn (Windows XP and Vista), but the bottom line is that awareness of the attack has faded since it first appeared a few years back. A nice overview of all DMA-related research and attacks over the years can be found here.
The idea for this research came when I was once again fiddling with old Linux kernels and old Python code to successfully attack a client’s laptop with winlockpwn during a security test. I thought: “Wouldn’t it be cool if we could update the whole DMA attack thing to run on modern systems and integrate it into Metasploit, so we could use all the goodness Metasploit has to offer, like payload selection, session control, etc.?” Unable to find the time myself, I was doomed to keep using the old tooling.
But luckily I’m in good contact with the University of Amsterdam (System and Networking Engineering education) and was able to submit the topic for research by their MSc students. Rory Breuk and Albert Spruyt selected the topic and the research could start. They did the theoretical research and also created proof of concept code. Their paper can be found here, their presentation here, and their PoCs here. Oh, the PoC is called MOFO (Metasploit Over Firewire Ownage). With such a name it just has to be awesome ;-)
The PoC includes two attacks:
- Payload insertion via Metasploit: use Metasploit to prepare a reverse_tcp payload, connect to the target system via firewire, hit ‘exploit’ to insert the payload into memory, unplug the firewire gear and walk away. Once the user gets back to the Ubuntu system and logs in, the injected code gets triggered and a reverse TCP connection is made over the network back to the attacker’s machine. In the case of Ubuntu 11.10 (the only supported OS at this moment), you will have root-level control, as LightDM runs as root. This all happens transparently to the end user. See the screenshot below for the attacker’s point of view.
- Session control over DMA: connect two machines via firewire, launch the PoC code, and the attacking system can issue commands on the target system, all via firewire + DMA.
You can find more details in their paper. The paper also includes ideas for future research on this topic, like how to implement multi stage payloads (meterpreter FTW!). So if you are interested, make sure to have a look.
Welcome additions to the code would be support for Windows systems and for multi-stage payloads like meterpreter. But the main message is that Albert and Rory have shown that it is possible to integrate DMA attacks into Metasploit. Great research, kudos to them!