CHIPSEC module that exploits UEFI boot script table vulnerability
Cr4sh/UEFI_boot_script_expl
CHIPSEC module that exploits the UEFI boot script table vulnerability. This vulnerability was discovered by Rafal Wojtczuk and Corey Kallenberg; see the original white paper: https://frab.cccv.de/system/attachments/2566/original/venamis_whitepaper.pdf

More detailed exploit description: http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html

USAGE:

1) Download and install CHIPSEC (https://github.com/chipsec/chipsec).
2) Download and install the Capstone engine incl. Python bindings (http://www.capstone-engine.org).
3) Install nasm (apt-get install nasm).
4) Copy boot_script_table.py into the chipsec/source/tool/chipsec/modules directory.
5) Run the module:

   # cd chipsec/source/tool/chipsec
   # python chipsec_main.py --module boot_script_table

ADDITIONAL TOOLS:

* dma_expl.py is proof of concept code for Linux that uses a software DMA attack to read or write SMRAM contents.
* patch_smi_entry.py uses the DMA attack to defeat BIOS_CNTL flash write protection by patching SMI entries.

To learn more about these two programs please read my other blog post: http://blog.cr4.sh/2015/09/breaking-uefi-security-with-software.html

WARNING:

Exploitation of this vulnerability is very hardware-specific because it depends on the boot script table format and location. The exploit was tested with the following hardware:

* Intel DQ77KB motherboard (Q77 chipset)
* Apple MacBook Pro 10,2 (late 2012, QM77 chipset)
* Lenovo ThinkPad laptops (tested on x220, x230 and others)

Running this code on any other hardware may lead to unexpected problems.

TODO:

* Windows support (the current implementation uses the rtcwake Linux shell command).
* More decent boot script table decoding and dumping (incl. vendor-specific opcodes).
* SPI protected ranges dumping and checking.

Written by:
Dmytro Oleksiuk (aka Cr4sh)
cr4sh0@gmail.com
http://blog.cr4.sh
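The WARNING and the "boot script table decoding" TODO both come down to the same thing: before the table can be modified it has to be located and parsed, and the parse is only as good as the assumed entry layout. The following is an added example written for this page, not code from the Cr4sh module or from CHIPSEC. It builds a small table in the packed EDK2 PiDxeS3BootScriptLib layout (OpCode:u16, Length:u8, then opcode-specific fields, little-endian), decodes it back, rejects a truncated dump, and flags DISPATCH entries whose target lies outside a caller-supplied firmware code range. The EDK2 layout and the sample entries are assumptions for illustration; the boards listed above may store the table differently, which is exactly why the exploit is hardware-specific.

```python
"""EDK2-style S3 boot script table builder and decoder.

Added example, not code from Cr4sh/UEFI_boot_script_expl or CHIPSEC.  It assumes
the packed little-endian entry layouts of EDK2 PiDxeS3BootScriptLib (OpCode:u16,
Length:u8, opcode-specific fields); vendor firmware, including the boards listed in
the README, may use a different layout.  Table bytes are constructed, not dumped.
"""
import struct

# Opcode values from EDK2 PiS3BootScriptLib.h
OP_IO_WRITE, OP_MEM_WRITE, OP_PCI_WRITE, OP_STALL = 0x00, 0x02, 0x04, 0x07
OP_DISPATCH, OP_DISPATCH_2, OP_TABLE, OP_TERMINATE = 0x08, 0x09, 0xAA, 0xFF
NAMES = {0x00: "IO_WRITE", 0x01: "IO_READ_WRITE", 0x02: "MEM_WRITE", 0x03: "MEM_READ_WRITE",
         0x04: "PCI_CONFIG_WRITE", 0x05: "PCI_CONFIG_READ_WRITE", 0x06: "SMBUS_EXECUTE",
         0x07: "STALL", 0x08: "DISPATCH", 0x09: "DISPATCH_2", 0x0A: "INFORMATION",
         0xAA: "TABLE", 0xFF: "TERMINATE"}
HDR, HDR_LEN = "<HB", 3      # EFI_BOOT_SCRIPT_GENERIC_HEADER: OpCode, Length
WIDTH_BYTES = (1, 2, 4, 8)   # S3BootScriptWidthUint8..Uint64; Fifo/Fill widths repeat mod 4


def entry_write(opcode, width, address, values):
    """*_WRITE entry: header, Width:u32, Address:u64, Count:u32, then Count values."""
    size = WIDTH_BYTES[width % 4]
    data = b"".join(v.to_bytes(size, "little") for v in values)
    body = struct.pack("<IQI", width, address, len(values)) + data
    return struct.pack(HDR, opcode, HDR_LEN + len(body)) + body


def entry_dispatch(entry_point, context=None):
    """DISPATCH (EntryPoint:u64) or DISPATCH_2 (EntryPoint:u64, Context:u64)."""
    if context is None:
        return struct.pack(HDR, OP_DISPATCH, HDR_LEN + 8) + struct.pack("<Q", entry_point)
    return struct.pack(HDR, OP_DISPATCH_2, HDR_LEN + 16) + struct.pack("<QQ", entry_point, context)


def build_table(entries):
    """Prepend EFI_BOOT_SCRIPT_TABLE_HEADER (Version, TableLength, Reserved[2]), append TERMINATE."""
    body = b"".join(entries) + struct.pack(HDR, OP_TERMINATE, HDR_LEN)
    hdr_len = HDR_LEN + 2 + 4 + 4
    return struct.pack("<HBHIHH", OP_TABLE, hdr_len, 1, hdr_len + len(body), 0, 0) + body


def decode_table(buf):
    """Return [(offset, name, fields)] up to and including TERMINATE.

    Raises ValueError when a Length runs past the buffer or TERMINATE is missing,
    which is what a truncated or corrupted dump looks like.
    """
    entries, off = [], 0
    while off + HDR_LEN <= len(buf):
        opcode, length = struct.unpack_from(HDR, buf, off)
        if length < HDR_LEN or off + length > len(buf):
            raise ValueError("bad entry length %d at offset 0x%x" % (length, off))
        f, body = {}, off + HDR_LEN
        if opcode == OP_TABLE:
            f["version"], f["table_len"] = struct.unpack_from("<HI", buf, body)
        elif opcode in (OP_IO_WRITE, OP_MEM_WRITE, OP_PCI_WRITE):
            width, f["address"], count = struct.unpack_from("<IQI", buf, body)
            size = WIDTH_BYTES[width % 4]
            data = buf[body + 16: body + 16 + count * size]
            f["width"] = width
            f["values"] = [int.from_bytes(data[i:i + size], "little") for i in range(0, len(data), size)]
        elif opcode == OP_DISPATCH:
            (f["entry_point"],) = struct.unpack_from("<Q", buf, body)
        elif opcode == OP_DISPATCH_2:
            f["entry_point"], f["context"] = struct.unpack_from("<QQ", buf, body)
        elif opcode == OP_STALL:
            (f["duration_us"],) = struct.unpack_from("<Q", buf, body)
        entries.append((off, NAMES.get(opcode, "UNKNOWN_0x%02X" % opcode), f))
        if opcode == OP_TERMINATE:
            return entries
        off += length
    raise ValueError("no TERMINATE entry before end of buffer")


def table_is_well_formed(buf):
    try:
        decode_table(buf)
        return True
    except ValueError:
        return False


def dispatches_outside(entries, lo, hi):
    """(offset, entry_point) of each DISPATCH/DISPATCH_2 whose target is not in [lo, hi).

    DISPATCH targets run as native code on S3 resume.  When the table sits in memory
    the OS can write, a target outside the firmware's own code region is the simplest
    sign that an entry has been appended by someone other than the firmware.
    """
    return [(off, f["entry_point"]) for off, _, f in entries
            if "entry_point" in f and not lo <= f["entry_point"] < hi]


if __name__ == "__main__":
    # Constructed sample: a POST code to port 0x80, one dispatch, two 32-bit MMIO writes.
    sample = build_table([entry_write(OP_IO_WRITE, 0, 0x80, [0xAA]),
                          entry_dispatch(0x8B000000),
                          entry_write(OP_MEM_WRITE, 2, 0xFED1F800, [0x0, 0x1])])
    for off, name, f in decode_table(sample):
        print("0x%04x %-22s %s" % (off, name, f))
    print("dispatch outside firmware range:", dispatches_outside(decode_table(sample), 0x8C000000, 0x8D000000))
```

The decoder stops at the first TERMINATE and refuses any entry whose Length field runs past the buffer, so a dump taken from the wrong address or in the wrong layout fails loudly instead of producing a plausible-looking list. The range passed to dispatches_outside is deliberately a parameter: which region counts as "firmware code" is platform-specific, like everything else about this table.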