CHIPSEC module that exploits UEFI boot script table vulnerability.

This vulnerability was discovered by Rafal Wojtczuk and Corey Kallenberg, check original white paper:

https://frab.cccv.de/system/attachments/2566/original/venamis_whitepaper.pdf

More detailed exploit description:

http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html

USAGE:

1. Download and install CHIPSEC (https://github.com/chipsec/chipsec).

2. Download and install Capstone engine incl. Python bindings (http://www.capstone-engine.org).

3. Install nasm (apt-get install nasm).

4. Copy boot_script_table.py into the chipsec/source/tool/chipsec/modules.

5. Run module:

   cd chipsec/source/tool/chipsec

   python chipsec_main.py --module boot_script_table

ADDITIONAL TOOLS:

• dma_expl.py is a proof of concept code for Linux operating system that uses software DMA attack to read or write SMRAM contents.

• patch_smi_entry.py program uses DMA attack to defeat BIOS_CNTL flash write protection with SMI entries patching.

To learn more about these two programs please read my other blog post:

http://blog.cr4.sh/2015/09/breaking-uefi-security-with-software.html

WARNING:

Exploitation of this vulnerability is very hardware-specific because it depends on boot script table format and location.

Exploit was tested with following hardware:

• Intel DQ77KB motherboard (Q77 chipset)

• Apple MacBook Pro 10,2 (late 2012, QM77 chipset)

• Lenovo ThinkPad laptops (tested on x220, x230 and others)

Running this code on any other hardware may lead to unexpected problems.

TODO:

• Windows support (current implementation uses rtcwake Linux shell command).

• More decent boot script table decoding and dumping (incl. vendor-specific opcodes).

• SPI protected ranges dumping and checking.

Written by: Dmytro Oleksiuk (aka Cr4sh)

[email protected] http://blog.cr4.sh