Integrating DMA attacks into Metasploit

Note 1: this is not my research. I only (co)supervised MSc students Albert Spruyt and Rory Breuk.
Note 2: the work was done in only five weeks, including reporting. More updates may follow when the guys find some time to work on it a bit more.


DMA attacks are oldskool, but hard to perform as no modern tool allows for it easily. Also, the oldskool attacks were limited to bypassing the login screen (Windows GINA) and searching for keys through memory. Some small patches were made for other operating systems besides the original winlockpwn for Windows XP and Vista, but the bottom line is that the attack has lost awareness since it’s first appeared a few years back. A nice overview of all DMA related research and attacks over the years can be found here.

The idea for this research came when I was once again fiddling with old linux kernels and old python code to successfully attack a client’s laptop during a security test with winlockpwn. I thougth “Wouldn’t it be cool if we could update the whole DMA attack thing to run on modern systems and integrated it into Metasploit so we could use all goodness Metasploit has to offer like payload selection, session control, etc”? Unable to find the time myself, I was doomed to keep using the old tooling.

But luckily I’m in good contact with the University of Amsterdam (System and Networking Engineering education) and was able to submit the topic for research by their MSc students. Rory Breuk and Albert Spruyt selected the topic and the research could start. They did the theoretical research and also created proof of concept code. Their paper can be found here, their presentation here, and their PoCs here. Oh, the PoC is called MOFO (Metasploit Over Firewire Ownage). With such a name it just has to be awesome ;-)

The PoC include two attacks:

  • Payload insertion via Metasploit: use Metasploit to prepare a reverse_tcp payload, connect to the target system via firewire, hit ‘exploit’ to insert the payload into memory, unplug firewire gear and walk away. Once the user gets back to the Ubuntu system and logs in, the injected code gets triggered and a reverse tcp connection is made via the network back to the attacker’s machine. In the case of Ubuntu 11.10 (the only supported OS at this moment), your you will have root-level control as LightDM runs as root. This all happens transparent to the end user. See screenshot below for attacker’s point of view.
  • Session control over DMA: connecting two machines via firewire, launch PoC code and the attacking system can issue commands on the target system, all via firewire + DMA.

You can find more details in their paper. The paper also includes ideas for future research on this topic, like how to implement multi stage payloads (meterpreter FTW!). So if you are interested, make sure to have a look.

Welcome additions to the code would be to have it ready for Windows systems and to have multi stage payloads like meterpreter supported. But the main message is that Albert and Rory have shown that it is possible to integrate DMA attacks into Metasploit. Great research, kudos for them!

Happy hacking!


3 Responses to “Integrating DMA attacks into Metasploit”

  1. Alexandru Balan Says:

    Awesome work :) Is there any way to get in touch with the team who researched this ?

    • Sure! If you can’t find their email addresses online, you can drop me a line at mram=> so I can forward it to them.

  2. Hello,

    My metasploit-fu is very weak. What exactly needs to be done in order to deliver the payload to the target ?

    I tried this:
    $ use exploit/multi/misc/mofo
    $ set PAYLOAD generic/shell_reverse_tcp
    $ SET LPORT, LHOST, PLATFORM, ARCH, TARGET ( I set this to 7 for testing purposes), VERBOSE
    msf exploit(mofo) > rexploit
    [*] Reloading module…

    [-] Exploit failed: The following options failed to validate: SESSION.

    What am I missing ?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: