Dmytro Oleksiuk (aka Cr4sh) has a VERY INTERESTING new firmware tool for Windows
PC firmware exploitation tool and library
The project includes the following components:
* libfwexpl — Hardware abstraction library for Windows (see include/libfwexpl.h).
* libdsebypass — Windows x64 DSE bypass exploit based on a Secret Net 7.4 0day privilege escalation vulnerability (see include/libdsebypass.h).
* driver — Kernel mode part of libfwexpl.
* application — Application that implements a System Management Mode code execution exploit for a 1day vulnerability in the SystemSmmAhciAspiLegacyRt UEFI SMM driver of Lenovo firmware.
--target <N> - Select a known target, where <N> is the target number. If neither --target nor --target-addr is specified, the exploit uses heuristics to find the address of the EFI_BOOT_SERVICES structure, which is needed to exploit the SystemSmmAhciAspiLegacyRt driver vulnerability.
--target-list - Print information about all known targets.
--target-addr - Use a manually specified address of the EFI_BOOT_SERVICES.LocateProtocol field for the SystemSmmAhciAspiLegacyRt exploit. This option is ignored if --target was specified.
--target-smi - Use a manually specified SMI handler number for the SystemSmmAhciAspiLegacyRt exploit. This option is ignored if --target was specified. If --target-addr is specified without --target-smi, the SystemSmmAhciAspiLegacyRt exploit checks all possible SMI handlers from 0 to 255.
--smram-dump - Determine the current SMRAM address and dump its contents to the file specified by the --file option.
--phys-mem-dump - Dump all raw physical memory into the file specified by the --file option.
--phys-mem-read <addr> - Read physical memory starting at the specified address.
--phys-mem-write <addr> - Write physical memory starting at the specified address.
--length <bytes> - Number of bytes to read or write for --phys-mem-read and --phys-mem-write.
--file <path> - Path of the memory dump to read or write. For --phys-mem-read this parameter is optional; when it is not specified, the application prints a hex dump of physical memory to stdout. For --smram-dump it is mandatory.
--exec <addr> - Execute SMM code at the specified physical memory address.
--dse-bypass - Install and exploit the Secret Net 7.4 driver to bypass Windows x64 DSE.
--test - Run some basic libfwexpl tests.
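The options above make more sense once you see the bug class they are built around. An SMM "callout" is an SMI handler that calls through a pointer (here, EFI_BOOT_SERVICES.LocateProtocol) whose storage lives outside SMRAM, so a ring 0 attacker can overwrite that pointer (the --phys-mem-write primitive), raise the SMI (--target-smi), and get code executed with SMM privileges (--exec). The C program below is an added example, not code from fwexpl or its author; it models the whole sequence in one user-space process. The only pieces taken from the UEFI specification are the EFI_TABLE_HEADER layout and the 64-bit "BOOTSERV" signature; the boot-services table is abbreviated to the fields the model needs, and SMRAM, the SMI handler, the attacker and "physical memory" are all plain C objects. It also shows the heuristic that --target-addr lets you skip (scanning memory for the table signature) and a hardened handler that only dereferences a copy kept in SMRAM, beside the vulnerable one.

```c
/* Added example (not fwexpl code): user-space model of an SMM callout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFI_BOOT_SERVICES_SIGNATURE 0x56524553544f4f42ULL /* "BOOTSERV" */

typedef struct {
    uint64_t Signature;
    uint32_t Revision;
    uint32_t HeaderSize;
    uint32_t CRC32;
    uint32_t Reserved;
} EFI_TABLE_HEADER;

typedef int (*LOCATE_PROTOCOL)(const void *guid, void *reg, void **iface);

/* Abbreviated model (assumption): the real EFI_BOOT_SERVICES has ~40 entries
 * before LocateProtocol. The search below keys on the header signature, not
 * on this layout, so the abbreviation does not change the technique. */
typedef struct {
    EFI_TABLE_HEADER Hdr;
    LOCATE_PROTOCOL  LocateProtocol;
} BOOT_SERVICES_MODEL;

/* Simulated RAM outside SMRAM (uint64_t-backed so the table cast is aligned). */
static uint64_t g_phys_words[512];
#define PHYS_MEM  ((uint8_t *)g_phys_words)
#define PHYS_LEN  sizeof(g_phys_words)
#define TABLE_OFF 0x400u

/* Simulated SMRAM: a private copy of the table taken at SMM driver load,
 * which the OS cannot modify. */
static BOOT_SERVICES_MODEL g_smram_bs_copy;
static int g_attacker_ran_in_smm = 0;

static int benign_locate_protocol(const void *g, void *r, void **i)
{
    (void)g; (void)r; *i = NULL;
    return 0;
}

static int attacker_payload(const void *g, void *r, void **i)
{
    (void)g; (void)r; (void)i;
    g_attacker_ran_in_smm = 1; /* on real hardware: arbitrary code in SMM */
    return 0;
}

/* The bug class: the handler calls through a pointer stored outside SMRAM,
 * so whatever ring 0 wrote there before raising the SMI gets executed. */
static int vulnerable_smi_handler(void)
{
    BOOT_SERVICES_MODEL *gBS = (BOOT_SERVICES_MODEL *)(PHYS_MEM + TABLE_OFF);
    void *iface;
    return gBS->LocateProtocol(NULL, NULL, &iface);
}

/* Hardened form: only dereference pointers that live inside SMRAM
 * (real SMM code should use SMM services, never gBS, after SMM init). */
static int hardened_smi_handler(void)
{
    void *iface;
    return g_smram_bs_copy.LocateProtocol(NULL, NULL, &iface);
}

/* Heuristic: scan 8-byte-aligned memory for the table signature and return
 * the offset of its LocateProtocol field, or -1 if no table is found. */
static long find_locate_protocol_field(const uint8_t *mem, size_t len)
{
    for (size_t off = 0; off + sizeof(BOOT_SERVICES_MODEL) <= len; off += 8) {
        uint64_t sig;
        memcpy(&sig, mem + off, sizeof sig);
        if (sig == EFI_BOOT_SERVICES_SIGNATURE)
            return (long)(off + offsetof(BOOT_SERVICES_MODEL, LocateProtocol));
    }
    return -1;
}

/* Firmware "boot": place the table in RAM and snapshot it into SMRAM. */
static void setup_firmware(void)
{
    BOOT_SERVICES_MODEL *bs = (BOOT_SERVICES_MODEL *)(PHYS_MEM + TABLE_OFF);
    memset(g_phys_words, 0, PHYS_LEN);
    bs->Hdr.Signature  = EFI_BOOT_SERVICES_SIGNATURE;
    bs->Hdr.HeaderSize = sizeof *bs;
    bs->LocateProtocol = benign_locate_protocol;
    g_smram_bs_copy = *bs;
    g_attacker_ran_in_smm = 0;
}

/* Ring 0 attacker: find the field, overwrite it, trigger the SMI.
 * Returns 1 if the payload ran through the given handler, 0 if not,
 * -1 if the heuristic found no table (the case --target-addr exists for). */
static int run_callout_attack(int (*smi_handler)(void))
{
    long field = find_locate_protocol_field(PHYS_MEM, PHYS_LEN);
    LOCATE_PROTOCOL evil = attacker_payload;
    if (field < 0)
        return -1;
    memcpy(PHYS_MEM + field, &evil, sizeof evil); /* the --phys-mem-write step */
    smi_handler();                                 /* the SMI itself */
    return g_attacker_ran_in_smm;
}

int main(void)
{
    setup_firmware();
    printf("vulnerable handler: attacker code ran = %d\n",
           run_callout_attack(vulnerable_smi_handler));
    setup_firmware();
    printf("hardened handler:   attacker code ran = %d\n",
           run_callout_attack(hardened_smi_handler));
    return 0;
}
```

The point of the hardened handler is not the copy itself but where the copy lives: once the table is inside SMRAM, the OS-level write that fwexpl performs still succeeds, but the SMI handler never reads the modified memory, so the redirected pointer is never called.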
To learn more about this project please read his blog post, “Exploiting SMM callout vulnerabilities in Lenovo firmware”: