Author

Defcon Keyboard buffer in memory


Posted on 15-08-08 22:15
Alright, apparently there was this presentation at Defcon about extracting power on passwords and hard-drive encryption passwords by accessing a certain part of memory. It seems that what gets entered into the keyboard does not get flushed and resides in memory, so the information can be accessed whenever.

I did not go to Defcon, but I did have a couple of friends who went so I don't know all the specs.

Now, me and a friend were working on this by accessing the portion of memory in which it was supposed to reside on *nix systems (0x041e, 32 bytes, I believe it was, off the top of my head?). We also compared the results of a complete memory dump when a power-on password was on/off. Now, we didn't see anything about the password anywhere. We were using Grub and also tried it on 3 different/major vendors: Thinkpad, Dell, and HP. Both 32 and 64 byte. We're going to try and see if maybe LILO is affected or not.

Also, we are going to try and exploit a Windows OS and see if we can't get it working.

I have a couple of questions on this, though.
1.) Did anyone have any success with exploiting this issue? If so, provide info.
2.) Where did he get the location in memory from? He never explains it and the code defines the location of the memory buffer at 0x041e.
3.) Anyone want to donate some time with me to get this working?
4.) Is this a pre-boot attack only? As in it can only be read in real mode.
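
An added example, not from any post in this thread or from the Defcon presentation: an audit check over a dump of low physical memory that reports whether keystrokes remain in the 32-byte buffer at 0x041e. It assumes the conventional PC BIOS Data Area layout (head and tail pointers at 0x41A and 0x41C); the sample dump, its password and the helper names are constructed for illustration.

```python
import struct

# Conventional PC BIOS Data Area layout (assumed; the thread gives only 0x041e / 32 bytes)
BDA_BASE = 0x400   # segment 0x40
KBD_HEAD = 0x41A   # word: offset of next entry to read, relative to 0x400
KBD_TAIL = 0x41C   # word: offset of next free slot, relative to 0x400
KBD_BUF = 0x41E    # address quoted in the thread
KBD_LEN = 32       # 16 entries of (ASCII byte, scan code byte)


def read_keyboard_buffer(dump: bytes):
    """Return (head, tail, entries) from a dump of low physical memory."""
    if len(dump) < KBD_BUF + KBD_LEN:
        raise ValueError("dump does not cover the BIOS Data Area")
    head, tail = struct.unpack_from("<HH", dump, KBD_HEAD)
    raw = dump[KBD_BUF:KBD_BUF + KBD_LEN]
    return head, tail, [(raw[i], raw[i + 1]) for i in range(0, KBD_LEN, 2)]


def residue(dump: bytes) -> str:
    """Printable characters still in the ring, oldest first (tail slot is overwritten next)."""
    _, tail, entries = read_keyboard_buffer(dump)
    start = (tail - 0x1E) // 2 if 0x1E <= tail < 0x3E else 0
    ordered = entries[start:] + entries[:start]
    return "".join(chr(a) for a, _ in ordered if 0x20 <= a < 0x7F)


def is_scrubbed(dump: bytes) -> bool:
    """True when all 32 buffer bytes are zero, i.e. nothing was left behind."""
    return not any(dump[KBD_BUF:KBD_BUF + KBD_LEN])


def make_sample(keys: bytes, scrub: bool = False) -> bytes:
    """Constructed 4 KiB dump: queue `keys`, consume them, optionally zero the buffer."""
    mem = bytearray(0x1000)
    tail = 0x1E
    for k in keys:
        mem[BDA_BASE + tail] = k          # ASCII byte
        mem[BDA_BASE + tail + 1] = 0x1E   # placeholder scan code
        tail = 0x1E + (tail - 0x1E + 2) % KBD_LEN
    struct.pack_into("<HH", mem, KBD_HEAD, tail, tail)  # head == tail: queue empty
    if scrub:
        mem[KBD_BUF:KBD_BUF + KBD_LEN] = bytes(KBD_LEN)
    return bytes(mem)


if __name__ == "__main__":
    print(repr(residue(make_sample(b"s3cret\r"))), is_scrubbed(make_sample(b"s3cret\r", True)))
```

The head and tail pointers being equal only marks the queue as empty; the bytes stay in the ring until something overwrites or zeroes them, which is what `is_scrubbed` checks for.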



RE: Defcon Keyboard buffer in memory


Posted on 15-08-08 22:44
I saw some video or something a while back, where they could access files from memory. But there was a time limit; once the RAM warmed up the files were corrupt/gone... Sorry if the info is not completely right, it's been a while. It will be interesting to see what others know on this subject.

PS: Dying Fetus fuuuuuuuuuuucking rocks! Makes me want to punch a baby :) lol




Edited by on 15-08-08 22:56

RE: Defcon Keyboard buffer in memory


Posted on 15-08-08 22:58
I think you're talking about the cold boot attack? Where they would freeze (not technically freeze, but cool it down a LOT) the memory chip to drastically slow down the time the bits fade at. So you would then boot up with another OS and dump the pre-boot memory.





RE: Defcon Keyboard buffer in memory


Posted on 15-08-08 22:59
Yep, that's it.



RE: Defcon Keyboard buffer in memory

Infam0us
Member



Posts: 153
Location: 0x080484c6
Joined: 06.09.07
Rank:
Apprentice
Posted on 16-08-08 05:03
nights_shadow wrote:
Alright, apparently there was this presentation at Defcon about extracting power on passwords and hard-drive encryption passwords by accessing a certain part of memory. It seems that what gets entered into the keyboard does not get flushed and resides in memory, so the information can be accessed whenever.

I did not go to Defcon, but I did have a couple of friends who went so I don't know all the specs.

Now, me and a friend were working on this by accessing the portion of memory in which it was supposed to reside on *nix systems (0x041e, 32 bytes, I believe it was, off the top of my head?). We also compared the results of a complete memory dump when a power-on password was on/off. Now, we didn't see anything about the password anywhere. We were using Grub and also tried it on 3 different/major vendors: Thinkpad, Dell, and HP. Both 32 and 64 byte. We're going to try and see if maybe LILO is affected or not.

Also, we are going to try and exploit a Windows OS and see if we can't get it working.

I have a couple of questions on this, though.
1.) Did anyone have any success with exploiting this issue? If so, provide info.
2.) Where did he get the location in memory from? He never explains it and the code defines the location of the memory buffer at 0x041e.
3.) Anyone want to donate some time with me to get this working?
4.) Is this a pre-boot attack only? As in it can only be read in real mode.


Haha, that's funny, I made a thread questioning this exact thing not too long ago.

Can you submit a link to where you heard about this please?

My C++ teacher told me about this, he said that there is a buffer that holds key strokes, and if you can find the correct address in memory you can view all keys held in that buffer. I was really interested in testing this but I had no clue how to find the address of the buffer.

I don't know how much help I will be but I am willing to try and help because I was really interested in testing this myself :happy:



RE: Defcon Keyboard buffer in memory


Posted on 16-08-08 07:11
Could you possibly get a box with a power-on password and the LILO boot manager?
I'll post results about Windows when I get a hold of a Windows OS to toy around with.