LeachAgent: related tool for PCILeech

April 6, 2019April 6, 2019 ~ hucktech ~ Leave a comment

Release: The LeechAgent!
⚡️Dump and Analyze remote memory with PCILeech and MemProcFS!
⚡️Execute Python memory analysis scripts on remote hosts running the LeechAgent!https://t.co/f2fWV4SY79 pic.twitter.com/svXkShE1xZ

— Ulf Frisk (@UlfFrisk) April 5, 2019

The LeechAgent is a 100% free open source endpoint solution geared towards remote physical memory acquisition and analysis on Windows endpoints in Active Directory environments. The LeechAgent provides an easy, but yet high performant and secure, way of accessing and querying the physical memory (RAM) of a remote system. Mount the remote memory with MemProcFS as an easy point-and-click file system – perfect for quick and easy triage. Dump the memory over the network with PCILeech. Query the physical memory using the MemProcFS Python API by submitting analysis scripts to the remote host! Do all of the above simultaneously.[…]

http://blog.frizk.net/2019/04/LeechAgent.html

Synacktiv: Using your BMC as a DMA device: plugging PCILeech to HPE iLO 4

January 3, 2019 ~ hucktech ~ Leave a comment

– Dear Santa 🎅, I wish I could link #PCILeech and HP iLO to compromise running hosts via #DMA

– You've been a good boy: https://t.co/y0aygOwnY9

cc @UlfFrisk

— Synacktiv (@Synacktiv) January 3, 2019

This is pure 🔥🔥🔥 totally awesome work by @Synacktiv and @0xf4b! Undetectable _remote_ PCILeech iLO/BMC DMA backdoor straight into the OS! So many use cases 😈😈😈 Makes me wish for a HP server! https://t.co/nQL7DBJbJh

— Ulf Frisk (@UlfFrisk) January 3, 2019

This is a Python service relaying read and write queries from PCILeech to an HP iLO4 device flashed with a modified firmware.

https://github.com/Synacktiv/pcileech_hpilo4_service

https://www.synacktiv.com/posts/exploit/using-your-bmc-as-a-dma-device-plugging-pcileech-to-hpe-ilo-4.html

PCILeech 3.6 released

October 31, 2018 ~ hucktech ~ Leave a comment

PCILeech – PCIe DMA attack toolkit – bug fix release v3.6 – fixes long standing bugs incl. 'missing dll issue'. Also new exported functions in DLL. https://t.co/u7baZL5EuM

— Ulf Frisk (@UlfFrisk) October 30, 2018

https://github.com/ufrisk/pcileech/releases/tag/v3.6

https://github.com/ufrisk/pcileech/

PCILeech 3.5 released

August 21, 2018 ~ hucktech ~ Leave a comment

PCILeech DLL / v3.5 released! PCIe DMA attacks of physical memory _and_ virtual in-process memory made super easy to include in your favorite projects with this brand new easy to use attack API 😈 https://t.co/u7baZL5EuM

— Ulf Frisk (@UlfFrisk) August 21, 2018

https://github.com/ufrisk/pcileech/

https://github.com/ufrisk/pcileech/commit/7cb27dd8ffb4637d4fc939994de614296e512b34

Practical DMA attack on Windows 10

May 31, 2018 ~ hucktech ~ Leave a comment

New technical write-up by @Fist0urs on how to perform a DMA attack against a Windows 10 workstation (TPM-only BitLocker) https://t.co/GZIV7Z1but

— Synacktiv (@Synacktiv) May 30, 2018

Practical DMA attack on Windows 10
Written by Jean-Christophe Delaunay · 2018-05-30 · in Pentest

Among the various security assessments performed by Synacktiv, some involve attacking the security hardening of a laptop or workstation master image that will be massively deployed in an infrastructure. The purpose of this kind of security assessment is to give the client an overview of its level of maturity regarding security concerns and provide him with some recommendations in order to increase his level of security. This post describes how Synacktiv defeated a workstation security measures by using a hardware approach.[…]

https://www.synacktiv.com/posts/pentest/practical-dma-attack-on-windows-10.html

Example photo of Evil Maid attacker in their lab: 🙂

auditor

PCILeech 3.3 released

May 21, 2018 ~ hucktech ~ Leave a comment

PCILeech memory process file system updated! 32-bit process support, access to imports, exports, directories, sections via file system! Memory dump files = read only 😀 PCIe DMA FPGA or "TotalMeltdown" = read/write 😈 https://t.co/KuTVVzZc5j pic.twitter.com/oLkO7C9Ca8

— Ulf Frisk (@UlfFrisk) May 21, 2018

https://github.com/ufrisk/pcileech

https://github.com/ufrisk/pcileech/commit/c812206597c25a4c29a27189deb814af8464ba73

PCILeech 3.1 released!

March 20, 2018 ~ hucktech ~ Leave a comment

Linux support for PCILeech FPGA PCIe DMA attacks finally released! Huge thanks to @key2fr for the driver making this possible and to ikelos for all time spent on hunting down the bugs! https://t.co/KuTVVzZc5j

— Ulf Frisk (@UlfFrisk) March 20, 2018

https://github.com/ufrisk/pcileech

PCILeech3 and Memory Process File System released!

March 12, 2018March 12, 2018 ~ hucktech ~ Leave a comment

Targets 64-bit Intel systems running Windows.

Memory Process File System and PCILeech3 released! Map processes and virtual memory as files & folders!
Use memory dump files or PCIe DMA devices to edit live process memory. More info in blog entry. https://t.co/EfgwZeQSQA https://t.co/KuTVVzZc5j pic.twitter.com/DB6deQAe1G

— Ulf Frisk (@UlfFrisk) March 12, 2018

http://blog.frizk.net/2018/03/memory-process-file-system.html

https://github.com/ufrisk/pcileech

PCILeech updated with board support

February 8, 2018 ~ hucktech ~ Leave a comment

PCILeech PCIe DMA attack support released for PCIeScreamer and AC701 FPGA boards! https://t.co/Vru50qY7ks pic.twitter.com/P1unfBIgPh

— Ulf Frisk (@UlfFrisk) February 8, 2018

https://github.com/ufrisk/pcileech-fpga

https://www.xilinx.com/products/boards-and-kits/ek-a7-ac701-g.html

https://shop.lambdaconcept.com/

pcie_injector – PCIe Injector Gateway – based on Xilinx Artix7 FPGA and FTDI USB FT601 chip

December 31, 2017 ~ hucktech ~ Leave a comment

Latest commit: 2 days ago

Want to masquerade as a PCIe device? Want to learn DMA attack? Check out the cheapest FPGA based PCIe over USB 3 card with DDR3 RAM. Made in colab. with @enjoy_digital. Soon supported by @UlfFrisk for PCILeech as shown @ #ccc https://t.co/EgHC9TpYKo pic.twitter.com/oc4kp6KUWd

— key two (@key2fr) December 29, 2017

PCIe Injector Gateware

The PCIe bus is now the main high speed communication bus between a processor and its peripherials. It is used in all PC (sometime encapsulated in Thunderbolt) and now even in mobile phones. Doing security research on PCIe systems can requires very expensive tools (>$50k) and packet generaration for such tools is not a common feature. PCIe Injector provides a such tool at a more reasonable price. Currently, only few attacks were made on PCIe devices. Most of them were done using a Microblaze inside a Xilinx FPGA to send/receive the TLPs, making it hard to really analyze. (Using embedded C software to generate/analyze traffic) An other way is to use USB3380 chip, but it is also not flexible enough (only supporting 32bits addressing) and does not allow debugging the PCIe state machine.

The PCIe injector is based on a Artix7 FPGA from Xilinx connected to a DDR3 and a high speed USB 3.0 FT601 chip from FTDI. It allows:
* Having a full control of the PCIe core.
* Sending/Receiving TLPs through USB 3.0 (or bufferize it to/from DDR3)
* Using flexible software/tools on the Host for receiving/generating/analyzing the TLPs. (Wireshark dissectors, scapy, …)

https://github.com/enjoy-digital/pcie_injector

http://www.enjoy-digital.fr/

http://pcisig.com/

Sysdream article on using PCILeech to attack Windows

December 25, 2017 ~ hucktech ~ Leave a comment

Nice article by Sysdream on using PCIleech to attack Windows DMA.

Merry christmas from our lab, with this article on DMA attack against Windows: https://t.co/Y3GIkRPsww #infosec #dma #pcileech

Thanks @UlfFrisk !

— Sysdream (@sysdream) December 22, 2017

Thanks, Awesome read about how to roll your own signatures to your advantage 😈 As mentioned, FPGA DMA is the way of the future – hope to present some upcoming news at #34c3

— Ulf Frisk (@UlfFrisk) December 22, 2017

https://sysdream.com/news/lab/2017-12-22-windows-dma-attacks-gaining-system-shells-using-a-generic-patch/

PCILeech: updated with new FPGA bitstream design

November 7, 2017 ~ hucktech ~ Leave a comment

PCILeech PCIe DMA attack toolkit updated with new FPGA bitstream design. Public inxepensive PCIe TLP and DMA access! https://t.co/Vru50qY7ks pic.twitter.com/dYHxf70i55

— Ulf Frisk (@UlfFrisk) November 6, 2017

PCILeech FPGA contains software and HDL code for FPGA based devices that may be used together with the PCILeech Direct Memory Access (DMA) Attack Toolkit. Using FPGA based devices have many advantages over using the USB3380 hardware that have traditionally been supported by PCILeech. FPGA based hardware provides full access to 64-bit memory space without having to rely on a kernel module running on the target system. FPGA based devices are also more stable compared to the USB3380. FPGA based devices may also send raw PCIe Transaction Layer Packets TLPs – allowing for more specialized research.

https://github.com/ufrisk/pcileech-fpga
https://github.com/ufrisk/pcileech/

PCILeech FPGA released!

October 12, 2017 ~ hucktech ~ Leave a comment

FPGA PCIe DMA attacking with PCILeech released! Fast super-stable access to 64-bit memory space and much more! https://t.co/Vru50qY7ks

— Ulf Frisk (@UlfFrisk) October 12, 2017

https://github.com/ufrisk/pcileech-fpga

PCI Express DIY hacking toolkit

October 8, 2017 ~ hucktech ~ Leave a comment

I released some part of my DMA attack tools based on Xilinx SP605 evaluation kit to public, enjoy 🙂 https://t.co/M5ZnmsVbtB

— Dmytro Oleksiuk (@d_olex) October 8, 2017

This repository contains a set of tools and proof of concepts related to PCI-E bus and DMA attacks. It includes HDL design which implements software controllable PCI-E gen 1.1 endpoint device for Xilinx SP605 Evaluation Kit with Spartan-6 FPGA. In comparison with popular USB3380EVB this design allows to operate with raw Transaction Level Packets (TLP) of PCI-E bus and perform full 64-bit memory read/write operations. It’s early version of my first much or less complicated FPGA project, so the speed is quite slow (around 1-2 Mb/s), but in upcoming releases it will be significantly increased by connecting PCI-E endpoint to MicroBlaze soft processor with AXI DMA engine. However, even such low speed is more than enough for reliable implementation of various practical attacks over PCI-E bus: to demonstrate applied use cases of the design, there’s a tool for pre-boot DMA attacks on UEFI based machines which allow executing arbitrary UEFI DXE drivers during platform init. Another example shows how to use pre-boot DMA attacks to inject Hyper-V VM exit handler backdoor into the virtualization-based security enabled Windows 10 Enterprise running on UEFI Secure Boot enabled platform. Provided Hyper-V backdoor PoC might be useful for reverse engineering and exploit development purposes, it provides an interface for inspecting of hypervisor state (VMCS, physical/virtual memory, registers, etc.) from guest partition and perform the guest to host VM escape attacks.

https://github.com/Cr4sh/s6_pcie_microblaze

PCILeech presentation uploaded

September 14, 2017 ~ hucktech ~ Leave a comment

Ulf has a new presentation on PCIe attacks online!

Looking forward watching the talk on youtube, slides at https://t.co/yeGFko6tgy

— Ulf Frisk (@UlfFrisk) September 13, 2017

https://github.com/ufrisk/presentations

Click to access SEC-T-0x0Anniversary-Ulf-Frisk-Evil-Devices-and-Direct-Memory-Attacks.pdf

Dmytro on Apple PCI-E Thunderbolt

July 16, 2017 ~ hucktech ~ Leave a comment

SP605 fits just perfect into it's HighPoint Thunderbolt 2 enclosure 👌
Finally can check how good IOMMU is configured on Apple machines pic.twitter.com/h7dJ7wf6bD

— Dmytro Oleksiuk (@d_olex) July 15, 2017

An interesting finding while playing with PCI-E on OS X: different Thunderbolt devices can access the same DMA buffers mapped by IOMMU [1/2] pic.twitter.com/TbMSYhkl1F

— Dmytro Oleksiuk (@d_olex) July 15, 2017

It's HTTP traffic that going over my Thunderbolt to Ethernet adapter, it was intercepted by FPGA connected to other Thunderbolt port [2/2]

— Dmytro Oleksiuk (@d_olex) July 15, 2017

Yay, evil Thuderbolt device also can access I/O buffers of disk controller which talks to internal SSD of my MacBook Pro pic.twitter.com/nsqUJa6brN

— Dmytro Oleksiuk (@d_olex) July 15, 2017

By the way, I have enabled FileVault which encrypts that SSD, but rogue device somehow is able to see unencrypted filesystem data 😬 #wtf pic.twitter.com/VV6Qo0Y7Hn

— Dmytro Oleksiuk (@d_olex) July 15, 2017

This issue is confirmed for fully patched OS X Sierra, even physical locations of DMA buffers are the same [1/x]https://t.co/2tWLt3rZoD

— Dmytro Oleksiuk (@d_olex) July 16, 2017

OS X offers improper IOMMU support which isolates PCI-E devices from OS, but not from I/O buffers of each others [2/x]

— Dmytro Oleksiuk (@d_olex) July 16, 2017

So, evil PCI-E device can intercept and modify the data which going over your network card or disk controller [3/3] https://t.co/5D3zTcM9Os

— Dmytro Oleksiuk (@d_olex) July 16, 2017

Yes, boot chain level attack is related only for Macs because technically they doesn't have secure boot

— Dmytro Oleksiuk (@d_olex) July 16, 2017

Device still can poison the data of some binary, script or config file to gain code exec at OS level, FileVault doesn't helps

— Dmytro Oleksiuk (@d_olex) July 16, 2017

Dmytro on PCI-E/SMM vulnerability

June 22, 2017 ~ hucktech ~ Leave a comment

Dmytro has an interesting 6-part twitter post on PCI-e security:

Rogue PCI-E/FireWire/Thunderbolt/etc. device can exploit platform firmware vulns to execute arbitrary System Management Mode code [1/x] pic.twitter.com/CueD3ke0yb

— Dmytro Oleksiuk (@d_olex) June 22, 2017

Normally SMM memory is protected against rogue DMA using TSEGMB register, discovered vulnerability allows to break this mechanism [2/x]

— Dmytro Oleksiuk (@d_olex) June 22, 2017

For most of computers with Intel chips SMM code execution means that attacker can infect platform firmware with persistent rootkit [3/x]

— Dmytro Oleksiuk (@d_olex) June 22, 2017

Vulnerability exists because of design flaws in Intel reference code, it presents in EFI 2.x firmware of almost all new computers [4/x]

— Dmytro Oleksiuk (@d_olex) June 22, 2017

Apple is only one vendor so far who not vulnerable for sure (they're know how to cook PCI-E and IOMMU properly :)) [5/x]

— Dmytro Oleksiuk (@d_olex) June 22, 2017

FPGA powered toolkit which implements the attack was tested on Intel NUC 6i3SYH. Test setup pic: https://t.co/59eEwsy2qa [6/6]

— Dmytro Oleksiuk (@d_olex) June 22, 2017

I discovered this vuln a while ago but had no FPGA knowledge to craft the hardware which can exploit it. Now I can report it to Intel 🙂

— Dmytro Oleksiuk (@d_olex) June 22, 2017

PCILeech 2.0 released

May 25, 2017 ~ hucktech ~ Leave a comment

PCILeech 2.0 released! – Mount Live RAM and Target File System over PCIe DMA! Makes pwning super easy 😈https://t.co/KuTVVzZc5j

— Ulf Frisk (@UlfFrisk) May 24, 2017

Insert kernel module over DMA, PCILeech mount, run @volatility on the live RAM and edit/copy target system files! pic.twitter.com/X8C8RP0WXA

— Ulf Frisk (@UlfFrisk) May 24, 2017

Also included: 64-bit DMA and Linux 4.8+ pwn with @d_olex totally awesome pre-release (not yet released) bitstream for SP605 FPGA! pic.twitter.com/F5BJp4kpTw

— Ulf Frisk (@UlfFrisk) May 24, 2017

If pcileech is a self driving car then slotscreamer was a horse drawn buggy. Glad @UlfFrisk did all the work I didn't know how to do!

— Joe Fitz (@securelyfitz) May 24, 2017

https://github.com/ufrisk/pcileech

PCIleech progress continues…

April 24, 2017 ~ hucktech ~ Leave a comment

PCILeech 64-bit native DMA and raw TLP support w/ FPGA HW on its way! pic.twitter.com/aJFT6mi2z2

— Ulf Frisk (@UlfFrisk) April 24, 2017

Not possible to "hide" above 32-bit/4GB limit anymore! attacks are coming!

— Ulf Frisk (@UlfFrisk) April 24, 2017

Yet another "too-advanced-to-be-a-real-threat" attack is in fact just a $500 FPGA and one good researcher.
Wake up, IBV, the DMA has you… https://t.co/OC5Titjcmb

— Nikolaj Schlej (@NikolajSchlej) April 8, 2017

https://github.com/ufrisk/pcileech

PCIleech updated for MacOS

February 1, 2017 ~ hucktech ~ Leave a comment

PCILeech macOS unlock signature updated to support 10.12.3 https://t.co/KuTVVzZc5j

— Ulf Frisk (@UlfFrisk) January 31, 2017

Using PCILeech for first time in mac pentest assignment. Brutal! pic.twitter.com/ruaXuncArz

— Ulf Frisk (@UlfFrisk) January 17, 2017

https://github.com/ufrisk/pcileech