CHIPSEC module that exploits UEFI boot script table vulnerability
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
README.TXT
boot_script_table.py
dma_expl.py
patch_smi_entry.py

README.TXT

CHIPSEC module that exploits UEFI boot script table vulnerability.

This vulnerability was discovered by Rafal Wojtczuk and Corey Kallenberg, check 
original white paper:

https://frab.cccv.de/system/attachments/2566/original/venamis_whitepaper.pdf


More detailed exploit description:

http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html


USAGE:

1) Download and install CHIPSEC (https://github.com/chipsec/chipsec).

2) Download and install Capstone engine incl. Python bindings (http://www.capstone-engine.org).

3) Install nasm (apt-get install nasm).

4) Copy boot_script_table.py into the chipsec/source/tool/chipsec/modules.

5) Run module:
   # cd chipsec/source/tool/chipsec
   # python chipsec_main.py --module boot_script_table 


ADDITIONAL TOOLS:

* dma_expl.py is a proof of concept code for Linux operating system that uses software 
DMA attack to read or write SMRAM contents.

* patch_smi_entry.py program uses DMA attack to defeat BIOS_CNTL flash write protection
with SMI entries patching.

To learn more about these two programs please read my other blog post:

http://blog.cr4.sh/2015/09/breaking-uefi-security-with-software.html


WARNING:

Exploitation of this vulnerability is very hardware-specific because it depends on
boot script table format and location.

Exploit was tested with following hardware:  

* Intel DQ77KB motherboard (Q77 chipset)

* Apple MacBook Pro 10,2 (late 2012, QM77 chipset)

* Lenovo ThinkPad laptops (tested on x220, x230 and others)

Running this code on any other hardware may lead to unexpected problems.


TODO:

* Windows support (current implementation uses rtcwake Linux shell command).

* More decent boot script table decoding and dumping (incl. vendor-specific opcodes).

* SPI protected ranges dumping and checking.


Written by:
Dmytro Oleksiuk (aka Cr4sh)

cr4sh0@gmail.com
http://blog.cr4.sh