Uncategorized

fwexpl – PC Firmware Exploitation Tool and Library

Dmytro Oleksiuk (aka Cr4sh) has a VERY INTERESTING new firmware tool for Windows

PC firmware exploitation tool and library

Project includes the following components:
 * libfwexpl — Hardware abstraction library for Windows (see include/libfwexpl.h).
 * libdsebypass — Windows x64 DSE bypass exploit based on Secret Net 7.4 0day privileges escalation vulnerability (see include/libdsebypass.h).
 * driver — Kernel mode part of libfwexpl.
 * application — Application that implements System Management Mode code execution exploit for 1day vulnerability in SystemSmmAhciAspiLegacyRt UEFI SMM driver of Lenovo firmware.

Options:
  –target <N> — Select known target where <N> is a target number. If –target and –target-addr options are not specified — exploit will use heuristics to find EFI_BOOT_SERVICES structure address that neccessary for SystemSmmAhciAspiLegacyRt driver vulnerability exploitation.
  –target-list — Print all known targets information.
  –target-addr – Use manual address of EFI_BOOT_SERVICES.LocateProtocol field for SystemSmmAhciAspiLegacyRt exploit. This option will be ignored if –target was specified.
  –target-smi – Use manual SMI handler number for SystemSmmAhciAspiLegacyRt exploit. This option will be ignored if –target was specified. If –target-addr was specified without –target-smi — SystemSmmAhciAspiLegacyRt exploit will check all of the possible SMI handlers from 0 to 255.
  –smram-dump — Determinate current SMRAM address and dump it’s contents to file specified by –file option.
  –phys-mem-dump — Full raw physical memory dump into the file specified by –file option.
  –phys-mem-read <addr> — Read physical memory starting from specified address.
  –phys-mem-write <addr> — Write physical memory starting from specified address.
  –length <bytes> — Number of bytes to read or write for –phys-mem-read and –phys-mem-write.  
  –file <path> — Memory dump path to read or write, in case of –phys-mem-read this parameter is optional and when it’s not specified — application will print a hex dump of physical memory to stdout. In case of –smram-dump this parameter is mandatory.
  –exec <addr> — Execute SMM code at specified physical memory address.
  –dse-bypass — Install and exploit Secret Net 7.4 driver to bypass Windows x64 DSE.  
  –test — Run some basic libfwexpl tests.

To learn more about this project please read his blog post, “Exploiting SMM callout vulnerabilities in Lenovo firmware”:
http://blog.cr4.sh/2016/02/exploiting-smm-callout-vulnerabilities.html

https://github.com/Cr4sh/fwexpl

Standard

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s