Skip to content

CHIPSEC module that exploits UEFI boot script table vulnerability

Notifications You must be signed in to change notification settings

Cr4sh/UEFI_boot_script_expl

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 

Repository files navigation

CHIPSEC module that exploits UEFI boot script table vulnerability.

This vulnerability was discovered by Rafal Wojtczuk and Corey Kallenberg, check 
original white paper:

https://frab.cccv.de/system/attachments/2566/original/venamis_whitepaper.pdf


More detailed exploit description:

http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html


USAGE:

1) Download and install CHIPSEC (https://github.com/chipsec/chipsec).

2) Download and install Capstone engine incl. Python bindings (http://www.capstone-engine.org).

3) Install nasm (apt-get install nasm).

4) Copy boot_script_table.py into the chipsec/source/tool/chipsec/modules.

5) Run module:
   # cd chipsec/source/tool/chipsec
   # python chipsec_main.py --module boot_script_table 


ADDITIONAL TOOLS:

* dma_expl.py is a proof of concept code for Linux operating system that uses software 
DMA attack to read or write SMRAM contents.

* patch_smi_entry.py program uses DMA attack to defeat BIOS_CNTL flash write protection
with SMI entries patching.

To learn more about these two programs please read my other blog post:

http://blog.cr4.sh/2015/09/breaking-uefi-security-with-software.html


WARNING:

Exploitation of this vulnerability is very hardware-specific because it depends on
boot script table format and location.

Exploit was tested with following hardware:  

* Intel DQ77KB motherboard (Q77 chipset)

* Apple MacBook Pro 10,2 (late 2012, QM77 chipset)

* Lenovo ThinkPad laptops (tested on x220, x230 and others)

Running this code on any other hardware may lead to unexpected problems.


TODO:

* Windows support (current implementation uses rtcwake Linux shell command).

* More decent boot script table decoding and dumping (incl. vendor-specific opcodes).

* SPI protected ranges dumping and checking.


Written by:
Dmytro Oleksiuk (aka Cr4sh)

cr4sh0@gmail.com
http://blog.cr4.sh

About

CHIPSEC module that exploits UEFI boot script table vulnerability

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages