Cr4sh/UEFI_boot_script_expl Cr4sh/UEFI_boot_script_expl

  • Stars
    star
    128
  • Rank 281,044 (Top 6 %)
  • Language
    Python
  • Created almost 10 years ago
  • Updated almost 9 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
Cr4sh/UEFI_boot_script_expl
github

Cr4sh

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CHIPSEC module that exploits UEFI boot script table vulnerability 
CHIPSEC module that exploits UEFI boot script table vulnerability.

This vulnerability was discovered by Rafal Wojtczuk and Corey Kallenberg, check 
original white paper:

https://frab.cccv.de/system/attachments/2566/original/venamis_whitepaper.pdf


More detailed exploit description:

http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html


USAGE:

1) Download and install CHIPSEC (https://github.com/chipsec/chipsec).

2) Download and install Capstone engine incl. Python bindings (http://www.capstone-engine.org).

3) Install nasm (apt-get install nasm).

4) Copy boot_script_table.py into the chipsec/source/tool/chipsec/modules.

5) Run module:
   # cd chipsec/source/tool/chipsec
   # python chipsec_main.py --module boot_script_table 


ADDITIONAL TOOLS:

* dma_expl.py is a proof of concept code for Linux operating system that uses software 
DMA attack to read or write SMRAM contents.

* patch_smi_entry.py program uses DMA attack to defeat BIOS_CNTL flash write protection
with SMI entries patching.

To learn more about these two programs please read my other blog post:

http://blog.cr4.sh/2015/09/breaking-uefi-security-with-software.html


WARNING:

Exploitation of this vulnerability is very hardware-specific because it depends on
boot script table format and location.

Exploit was tested with following hardware:  

* Intel DQ77KB motherboard (Q77 chipset)

* Apple MacBook Pro 10,2 (late 2012, QM77 chipset)

* Lenovo ThinkPad laptops (tested on x220, x230 and others)

Running this code on any other hardware may lead to unexpected problems.


TODO:

* Windows support (current implementation uses rtcwake Linux shell command).

* More decent boot script table decoding and dumping (incl. vendor-specific opcodes).

* SPI protected ranges dumping and checking.


Written by:
Dmytro Oleksiuk (aka Cr4sh)

[email protected]
http://blog.cr4.sh

More Repositories

1

ThinkPwn

Started as arbitrary System Management Mode code execution exploit for Lenovo ThinkPad model line, ended as exploit for industry-wide 0day vulnerability in machines of many vendors
C
641
star
2

s6_pcie_microblaze

PCI Express DIY hacking toolkit for Xilinx SP605. This repository is also home of Hyper-V Backdoor and Boot Backdoor, check readme for links and info
C
599
star
3

SmmBackdoor

First open source and publicly available System Management Mode backdoor for UEFI based platforms. Good as general purpose playground for various SMM experiments.
C
541
star
4

MicroBackdoor

Small and convenient C2 tool for Windows targets. [ Русский -- значит нахуй! ]
C++
497
star
5

openreil

Open source library that implements translator and tools for REIL (Reverse Engineering Intermediate Language)
C
482
star
6

WindowsRegistryRootkit

Kernel rootkit, that lives inside the Windows registry values data
C
464
star
7

KernelForge

A library to develop kernel level Windows payloads for post HVCI era
C++
310
star
8

fwexpl

PC firmware exploitation tool and library
C++
231
star
9

PeiBackdoor

PEI stage backdoor for UEFI compatible firmware
C
185
star
10

ioctlfuzzer

Automatically exported from code.google.com/p/ioctlfuzzer
C
148
star
11

DrvHide-PoC

Hidden kernel mode code execution for bypassing modern anti-rootkits.
C++
75
star
12

IDA-VMware-GDB

Helper script for Windows kernel debugging with IDA Pro on VMware + GDB stub
Python
72
star
13

PTBypass-PoC

Bypassing code hooks detection in modern anti-rootkits via building faked PTE entries.
C++
68
star
14

smram_parse

System Management RAM analysis tool
Python
59
star
15

Code-coverage-analysis-tools

Code coverage analysis tools for the PIN Toolkit
C++
57
star
16

Aptiocalypsis

Arbitrary SMM code execution exploit for industry-wide 0day vulnerability in AMI Aptio based firmwares
Python
55
star
17

MsFontsFuzz

OpenType font file format fuzzer for Windows
C++
51
star
18

secretnet_expl

LPE exploits for Secret Net and Secret Net Studio
C++
48
star
19

qc_debug_monitor

Debug messages monitor for Qualcomm cellular modems
Python
44
star
20

zc_pcie_dma

DMA attacks over PCI Express based on Xilinx Zynq-7000 series SoC
Tcl
43
star
21

DbgCb

Engine for communication with remote kernel debugger (KD, WinDbg) from drivers and applications
C++
36
star
22

SimpleUnpacker

Simple tool for unpacking packed/protected malware executables.
C++
30
star
23

prl_guest_to_host

Guest to host VM escape exploit for Parallels Desktop
C++
28
star
24

IDA-UbiGraph

IDA Pro plug-in and tools for displaying 3D graphs of procedures using UbiGraph
C++
24
star
25

blog

Stuff for blog.cr4.sh website
4
star