June 21st, 2002, 03:22 AM
Why your windows screen saver sucks
Why your windows screen saver sucks + How to get around the screen saver with out restarting
A short tutorial by cwk9
Disclaimer: Only use this info for security purposes bla bla bla…
The windows screen saver is the forgotten bastard child of computer security. Most of the time you can just restart the computer and be on your merry way. But what if there's a bios password and you don't have the luxury of being able to take the computer apart to get at the motherboard battery? That leaves you with three options.
1. Run in and access the computer before the screen saver cuts in
2. Hack the computer remotely
3. By-pass the screen saver without restarting.
This tutorial deals with three. Now most people think that the only way to get around the screen saver password is to restart the computer. Not true! There is another way. But for this other way to work two conditions have to be met. The computer must have a cd or dvd drive and also have autorun enabled. I'm sure most of you have already figured out where this is going by now. For those of you who haven't, let me spell it out for you. Auto-run still works while the screen saver is on. Not only is this gaping security hole present on most computers, any village idiot with a cd-burner can exploit it. But of course we would expect nothing less from Microsoft.

For all you script kidz reading this, stop now. I have attached a file to this post. Un-zip it, replace autorun.exe with your favorite Trojan, burn it to a CD-R, walk down to your local school/comp store and go nutz. For the rest of you, read on for a little extra info.

Making a cd that uses auto run is easy; you don't even have to get bogged down in the specifics. Just find yourself a cd that uses auto run. Take a quick look at the autorun.inf file, copy it and all the listed files and replace autorun.exe with whatever you want. There are a few catches. The screen saver is still running and depending on the screen saver you might not be able to see any windows that pop up. But there's a way around that too. In my version autorun.exe is the good old dos prompt (aka. Command.com). All you have to do is wiggle the mouse a little bit so the password box comes up. Next pop in the cd and wait until the bar on the box turns grey. Now hit alt+enter. This simply tells the dos window to run in full screen mode, which conveniently does not get stuck behind the screen saver. Now if you're still determined to have GUI access there's a few things you can do.
1. Run a command line process killer and take the screen saver out that way.
2. Find a program that will give you the screen saver password
3. Put those l337 programming skilz to work by coding your own program to take care of the pesky screen saver.
The moral of the story is, if you're worried about local on-site hacks, disable auto run. Otherwise log out and don't rely on your screen saver to guard your computer while you're taking your extended bathroom break after eating that punishing jumbo bran muffin.
A little Q and A to wrap things up
Q: Does this work on all versions of windows?
A: I've only tested it on 98SE and 95 but I would assume it works for all versions.
Q: I'm the same guy who bought the D.I.R.T Trojan, where could I find a retail version of what you just described?
A: Try here: http://www.amecisco.com/ssbypass.htm
Q: So there's no magic key combo to bypass the screen saver?
A: Depends on the screen saver. If you have the matrix code screen saver you can mash the esc key until it crashes. But otherwise no?
Q: Would a similar trick work on mac osX?
A: Hell if I know.
Feel free to post any flames, corrections, spastic incoherent ramblings.
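The post's advice to "take a quick look at the autorun.inf file" and its closing recommendation to disable auto run are both things a defender can check for rather than eyeball. The following script is an added example, not the attachment from the post or anything from the thread: it parses an autorun.inf (a constructed sample is embedded) and reports which keys would launch a program, and it decodes a NoDriveTypeAutoRun policy value (the Explorer policy registry value Microsoft documents for disabling AutoRun per drive type) to show which drive types would still autorun. The bit-to-drive-type table follows Microsoft's documentation; the set of launch keys flagged (open, shellexecute, shell\<verb>\command) is an assumption about what a checker should care about.

```python
"""Offline checker for the two controls discussed above: what an autorun.inf
would launch, and which drive types a NoDriveTypeAutoRun mask leaves enabled.
Added example; not the thread's attachment or any Microsoft code."""
import configparser

# NoDriveTypeAutoRun lives under Software\Microsoft\Windows\CurrentVersion\
# Policies\Explorer (HKCU or HKLM). Per Microsoft's documentation, a SET bit
# disables AutoRun for that drive type; 0xFF disables it everywhere.
NO_DRIVE_TYPE_AUTORUN_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown (reserved)",
}

# Keys in the [autorun] section that start a program. Assumption: these, plus
# any shell\<verb>\command entry, are the ones worth flagging.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample: the shape the post describes (an executable named by
# the open= line, dressed up with an icon and a friendly label).
SAMPLE_INF = """[autorun]
open=autorun.exe
icon=autorun.exe,0
label=Holiday Photos
"""


def autorun_still_enabled(mask):
    """Return the drive types on which AutoRun remains enabled under `mask`."""
    return [name for bit, name in NO_DRIVE_TYPE_AUTORUN_BITS.items()
            if not mask & bit]


def parse_autorun_inf(text):
    """Parse autorun.inf text and return the [autorun] section as a dict.

    Keys come back lowercased; the section name is matched case-insensitively
    because real files use both [autorun] and [AutoRun]. '=' is the only
    delimiter so drive paths containing ':' are not split on the colon.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, allow_no_value=True)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def launch_targets(text):
    """Return (key, command) pairs from autorun.inf that would start a program."""
    found = []
    for key, value in parse_autorun_inf(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\")
                                  and key.endswith("\\command")):
            found.append((key, value))
    return found


if __name__ == "__main__":
    for key, cmd in launch_targets(SAMPLE_INF):
        print(f"autorun.inf would launch via {key}: {cmd}")
    for mask in (0x95, 0xFF):
        print(f"NoDriveTypeAutoRun=0x{mask:02X} leaves AutoRun on for:",
              autorun_still_enabled(mask) or "nothing")
```

A mask of 0x95 is a useful value to try because it still leaves CD-ROM AutoRun enabled, which is exactly the condition the post relies on; 0xFF is the setting that closes it on every drive type.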
June 21st, 2002, 04:46 AM
The use at your own risk is a good one. Want to point out that the box is but one step in security in a network environment. Sure you get past the screen saver, next question is what permissions does that box have on the network, and what other security measures are in place that may expose what you have done? Not to mention if it is a work environment how you have time to do this, if at school don't you like people to respect your work? Don't get so caught up getting into that box; your chances of getting caught if it is networked are pretty good with logs, firewalls etc. Anything you do from that computer could be watched if you attempt to go outside the network, say on a closed port. You still are no closer to the DC and exposed yourself. Oh, the autorun like many other things is usually shut off in networked environments. Security resides in many layers on networked computers; best to understand them all before you take step one.
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg
June 21st, 2002, 11:03 PM
On windows NT / 2k etc, screensavers run in a different desktop from normal programs. Killing the screensaver will not unlock the desktop if it's locked.
Even if the screen saver crashes it will not unlock the desktop. AFAIK, there is no API to unlock the desktop on demand (although there is to lock it)
The autorun may still run though, and although the program is invisible it will be able to take any action that the user can
June 21st, 2002, 11:06 PM
The obvious lame thing to do is to write a program which opens a full screen window and mimics the login screen, a "Fake login" program (the oldest trick in the book), get the user's password when they come back and send it over the network somehow (or store on HD for subsequent retrieval)
June 21st, 2002, 11:44 PM
Unfortunately this 'feature' that Microsoft put in windows could allow script kiddies to essentially 'carpet infect' loads of computers with one cd. Or heck they could just drop the cd on the floor, write some interesting name on the cd and let someone else put in the cd to see what's on it. I'm surprised that there hasn't been more of this going around in schools, public computers, etc. Because really there doesn't even need to be keyboard contact and you can infect the computer with whatever you want.
- ShadowTech - Never Fail, Never Falter, Never Fall
"Ipsa Scientia Potestas Est" Knowledge is Power.
"Sed Quis Custodiet Ipsos Custodes" Who will guard the guardians themselves?
June 21st, 2002, 11:48 PM
Slarty thanks for the info.
Once you can execute code the possibilities are endless.
It's not software piracy. I'm just making multiple off site backups.
June 23rd, 2002, 11:56 AM
The Windows default screen savers are protected against the following "exploit", but if you download screen savers from the net most of them are vulnerable (at least on the 9x machines I've tried). Just hit Ctrl-Alt-Del, wait for the task manager to appear and kill the screen saver.
Some of the lamest screen savers can also have a buffer overflow error if you type a password say 100 000 characters long.
Q: Why do computer scientists confuse Christmas and Halloween?
A: Because Oct 31 = Dec 25
June 26th, 2002, 12:38 AM
I have windows 98se and this works on the default screen savers.
It's not software piracy. I'm just making multiple off site backups.
June 26th, 2002, 02:54 AM
You can prevent autorun from executing by holding down the [SHIFT] key when you insert the CD-ROM... Good if you find a CD on the ground... Pressing [F3] will display the Find All Files command... Pressing The [Windows Key] + R will open up the Run command... [Windows Key] + E brings up Windows Explorer...
No clue if you can do this with the little screen saver pass-box up, though...
June 26th, 2002, 04:25 AM
Whoa, I just found out something really interesting. I was looking through this thread and glanced at ZeroOne's thread and saw the words 'buffer overflow' kind of stick out. I never really thought about using an overflow on a screensaver, but I booted up an old laptop running win98 and there is actually a cap on the ss password to prevent an overflow. In windoze nonetheless. Well just wanted to throw that out to you; in case you are wondering, the prompt will only accept 128 alphanumeric keys and symbols. Nevertheless, it amazed me that windoze would think of placing any type of buffer overflow prevention in their systems. Hell, look at XP, there was a major problem pointed out on the first day of release, and by the close of the first day, there were approximately 4 megabytes of patches to fix a buffer overflow they overlooked. Well, I better stop now, starting to ramble.