Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
CHIPSEC module that exploits UEFI boot script table vulnerability
Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Failed to load latest commit information.|
CHIPSEC module that exploits UEFI boot script table vulnerability. This vulnerability was discovered by Rafal Wojtczuk and Corey Kallenberg, check original white paper: https://frab.cccv.de/system/attachments/2566/original/venamis_whitepaper.pdf More detailed exploit description: http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html USAGE: 1) Download and install CHIPSEC (https://github.com/chipsec/chipsec). 2) Download and install Capstone engine incl. Python bindings (http://www.capstone-engine.org). 3) Install nasm (apt-get install nasm). 4) Copy boot_script_table.py into the chipsec/source/tool/chipsec/modules. 5) Run module: # cd chipsec/source/tool/chipsec # python chipsec_main.py --module boot_script_table ADDITIONAL TOOLS: * dma_expl.py is a proof of concept code for Linux operating system that uses software DMA attack to read or write SMRAM contents. * patch_smi_entry.py program uses DMA attack to defeat BIOS_CNTL flash write protection with SMI entries patching. To learn more about these two programs please read my other blog post: http://blog.cr4.sh/2015/09/breaking-uefi-security-with-software.html WARNING: Exploitation of this vulnerability is very hardware-specific because it depends on boot script table format and location. Exploit was tested with following hardware: * Intel DQ77KB motherboard (Q77 chipset) * Apple MacBook Pro 10,2 (late 2012, QM77 chipset) * Lenovo ThinkPad laptops (tested on x220, x230 and others) Running this code on any other hardware may lead to unexpected problems. TODO: * Windows support (current implementation uses rtcwake Linux shell command). * More decent boot script table decoding and dumping (incl. vendor-specific opcodes). * SPI protected ranges dumping and checking. Written by: Dmytro Oleksiuk (aka Cr4sh) firstname.lastname@example.org http://blog.cr4.sh