LeachAgent: related tool for PCILeech

April 6, 2019April 6, 2019 ~ hucktech ~ Leave a comment

Release: The LeechAgent!
⚡️Dump and Analyze remote memory with PCILeech and MemProcFS!
⚡️Execute Python memory analysis scripts on remote hosts running the LeechAgent!https://t.co/f2fWV4SY79 pic.twitter.com/svXkShE1xZ

— Ulf Frisk (@UlfFrisk) April 5, 2019

The LeechAgent is a 100% free open source endpoint solution geared towards remote physical memory acquisition and analysis on Windows endpoints in Active Directory environments. The LeechAgent provides an easy, but yet high performant and secure, way of accessing and querying the physical memory (RAM) of a remote system. Mount the remote memory with MemProcFS as an easy point-and-click file system – perfect for quick and easy triage. Dump the memory over the network with PCILeech. Query the physical memory using the MemProcFS Python API by submitting analysis scripts to the remote host! Do all of the above simultaneously.[…]

http://blog.frizk.net/2019/04/LeechAgent.html

PCILeech 3.6 released

October 31, 2018 ~ hucktech ~ Leave a comment

PCILeech – PCIe DMA attack toolkit – bug fix release v3.6 – fixes long standing bugs incl. 'missing dll issue'. Also new exported functions in DLL. https://t.co/u7baZL5EuM

— Ulf Frisk (@UlfFrisk) October 30, 2018

https://github.com/ufrisk/pcileech/releases/tag/v3.6

https://github.com/ufrisk/pcileech/

Ulf on Total Meltdown at SEC-T

September 4, 2018 ~ hucktech ~ Leave a comment

If you aren’t in Sweden, it appears there may be live streaming of the presentation! There are multiple other firmware presentations as well!

https://www.sec-t.org/talks/

https://www.sec-t.org/schedule/

I'll be talking about TOTAL MELTDOWN on September 14th at 9 CET in the morning! Live streams will be available! https://t.co/X8bpBUhld6

— Ulf Frisk (@UlfFrisk) September 3, 2018

The Schedule for 2018 SEC-T 0x0Beyond, including Community Night is Live!https://t.co/vPGMFAYLlH

— SEC-T (@SEC_T_org) September 3, 2018

PCILeech 3.5 released

August 21, 2018 ~ hucktech ~ Leave a comment

PCILeech DLL / v3.5 released! PCIe DMA attacks of physical memory _and_ virtual in-process memory made super easy to include in your favorite projects with this brand new easy to use attack API 😈 https://t.co/u7baZL5EuM

— Ulf Frisk (@UlfFrisk) August 21, 2018

https://github.com/ufrisk/pcileech/

https://github.com/ufrisk/pcileech/commit/7cb27dd8ffb4637d4fc939994de614296e512b34

PCILeech 3.3 released

May 21, 2018 ~ hucktech ~ Leave a comment

PCILeech memory process file system updated! 32-bit process support, access to imports, exports, directories, sections via file system! Memory dump files = read only 😀 PCIe DMA FPGA or "TotalMeltdown" = read/write 😈 https://t.co/KuTVVzZc5j pic.twitter.com/oLkO7C9Ca8

— Ulf Frisk (@UlfFrisk) May 21, 2018

https://github.com/ufrisk/pcileech

https://github.com/ufrisk/pcileech/commit/c812206597c25a4c29a27189deb814af8464ba73

Total Meltdown for Windows 7: follow-up

March 30, 2018 ~ hucktech ~ Leave a comment

Total Meltdown? How the Windows 7 Meltdown January patch made things way worse. (Patched in March updates) https://t.co/wrV8EApW1n

— Ulf Frisk (@UlfFrisk) March 27, 2018

#TotalMeltdown OOB patches available now! No longer ZERO-DAY! APPLY PATCHES NOW! (Win7/2008R2) CVE-2018-1038 . Awesome turnaround time and support from @msftsecresponse! Super impressive work given the time frame!https://t.co/TcVVMBDEPl pic.twitter.com/n0FpD8nP5X

— Ulf Frisk (@UlfFrisk) March 29, 2018

We released a security update yesterday to address CVE-2018-1038 in Windows 7 Service Pack 1 (x64) and Windows Server 2008 R2 Service Pack 1 (x64). Thanks to @UlfFrisk for the partnership.

— Security Response (@msftsecresponse) March 30, 2018

Yesterday #microsoft released a security update to address CVE-2018-1038 in Windows 7 SP1 (x64) and Windows Server 2008 R2 SP1 (x64). Shout out to @UlfFrisk for the partnershiphttps://t.co/fDUMGZuw20

— Jeff Jones (@securityjones) March 30, 2018

I'm proud to have been a part of getting this vulnerability addressed and giving credit where it was due. Thank you @UlfFrisk I hope to see more research from you in the future! https://t.co/jrVghRq1NP

— 👾 Nate Warfield 👾 (@dk_effect) March 29, 2018

A big thanks to @UlfFrisk for working with us through this bumpy ride. We are glad to be at a better spot with this latest release. https://t.co/1kgjE7megN

— Phillip Misner (@phillip_misner) March 30, 2018

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1038

Ulf: Total Meltdown (Windows 7)

March 28, 2018 ~ hucktech ~ Leave a comment

Total Meltdown? How the Windows 7 Meltdown January patch made things way worse. (Patched in March updates) https://t.co/wrV8EApW1n

— Ulf Frisk (@UlfFrisk) March 27, 2018

Ha. Who needs Meltdown when the Windows 7 kernel just gave every userspace process writable page tables? "Oops." https://t.co/Aw36K2IR8B

— Hector Martin (@marcan42) March 28, 2018

https://blog.frizk.net/2018/03/total-meltdown.html

PCILeech 3.1 released!

March 20, 2018 ~ hucktech ~ Leave a comment

Linux support for PCILeech FPGA PCIe DMA attacks finally released! Huge thanks to @key2fr for the driver making this possible and to ikelos for all time spent on hunting down the bugs! https://t.co/KuTVVzZc5j

— Ulf Frisk (@UlfFrisk) March 20, 2018

https://github.com/ufrisk/pcileech

PCILeech3 and Memory Process File System released!

March 12, 2018March 12, 2018 ~ hucktech ~ Leave a comment

Targets 64-bit Intel systems running Windows.

Memory Process File System and PCILeech3 released! Map processes and virtual memory as files & folders!
Use memory dump files or PCIe DMA devices to edit live process memory. More info in blog entry. https://t.co/EfgwZeQSQA https://t.co/KuTVVzZc5j pic.twitter.com/DB6deQAe1G

— Ulf Frisk (@UlfFrisk) March 12, 2018

http://blog.frizk.net/2018/03/memory-process-file-system.html

https://github.com/ufrisk/pcileech

PCILeech updated with board support

February 8, 2018 ~ hucktech ~ Leave a comment

PCILeech PCIe DMA attack support released for PCIeScreamer and AC701 FPGA boards! https://t.co/Vru50qY7ks pic.twitter.com/P1unfBIgPh

— Ulf Frisk (@UlfFrisk) February 8, 2018

https://github.com/ufrisk/pcileech-fpga

https://www.xilinx.com/products/boards-and-kits/ek-a7-ac701-g.html

https://shop.lambdaconcept.com/

PCILeech: updated with new FPGA bitstream design

November 7, 2017 ~ hucktech ~ Leave a comment

PCILeech PCIe DMA attack toolkit updated with new FPGA bitstream design. Public inxepensive PCIe TLP and DMA access! https://t.co/Vru50qY7ks pic.twitter.com/dYHxf70i55

— Ulf Frisk (@UlfFrisk) November 6, 2017

PCILeech FPGA contains software and HDL code for FPGA based devices that may be used together with the PCILeech Direct Memory Access (DMA) Attack Toolkit. Using FPGA based devices have many advantages over using the USB3380 hardware that have traditionally been supported by PCILeech. FPGA based hardware provides full access to 64-bit memory space without having to rely on a kernel module running on the target system. FPGA based devices are also more stable compared to the USB3380. FPGA based devices may also send raw PCIe Transaction Layer Packets TLPs – allowing for more specialized research.

https://github.com/ufrisk/pcileech-fpga
https://github.com/ufrisk/pcileech/

PCILeech FPGA released!

October 12, 2017 ~ hucktech ~ Leave a comment

FPGA PCIe DMA attacking with PCILeech released! Fast super-stable access to 64-bit memory space and much more! https://t.co/Vru50qY7ks

— Ulf Frisk (@UlfFrisk) October 12, 2017

https://github.com/ufrisk/pcileech-fpga

PCILeech presentation uploaded

September 14, 2017 ~ hucktech ~ Leave a comment

Ulf has a new presentation on PCIe attacks online!

Looking forward watching the talk on youtube, slides at https://t.co/yeGFko6tgy

— Ulf Frisk (@UlfFrisk) September 13, 2017

https://github.com/ufrisk/presentations

Click to access SEC-T-0x0Anniversary-Ulf-Frisk-Evil-Devices-and-Direct-Memory-Attacks.pdf

Ulf: Attacking UEFI over DMA

August 30, 2017 ~ hucktech ~ Leave a comment

Attacking UEFI over DMA now supported by PCILeech! 😈https://t.co/ZH917VFSQS https://t.co/KuTVVzZc5j

— Ulf Frisk (@UlfFrisk) August 30, 2017

Attacking UEFI:
Unlike macs many PCs are likely to be vulnerable to pre-boot Direct Memory Access (DMA) attacks against UEFI. If an attack is successful on a system configured with secure boot – then the chain of trust is broken and secure boot becomes insecure boot. If code execution is gained before the operating system is started further compromise of the not yet loaded operating system may be possible. As an example it may be possible to compromise a Windows 10 system running Virtualization Based Security (VBS) with Device Guard. This have already been researched by Dmytro Oleksiuk. This post will focus on attacking UEFI over DMA and not potential further compromises of the system.[…]

https://github.com/ufrisk/pcileech

http://blog.frizk.net/2017/08/attacking-uefi.html

PCILeech for Android (and Linux)

June 12, 2017 ~ hucktech ~ Leave a comment

PCILeech Linux and Android support finally released! PCIe DMA attack toolkit. https://t.co/KuTVVzZc5j pic.twitter.com/D8mvv1qeAH

— Ulf Frisk (@UlfFrisk) June 12, 2017

https://github.com/ufrisk/pcileech

https://github.com/ufrisk/pcileech/blob/master/Android.md

PCILeech 2.0 released

May 25, 2017 ~ hucktech ~ Leave a comment

PCILeech 2.0 released! – Mount Live RAM and Target File System over PCIe DMA! Makes pwning super easy 😈https://t.co/KuTVVzZc5j

— Ulf Frisk (@UlfFrisk) May 24, 2017

Insert kernel module over DMA, PCILeech mount, run @volatility on the live RAM and edit/copy target system files! pic.twitter.com/X8C8RP0WXA

— Ulf Frisk (@UlfFrisk) May 24, 2017

Also included: 64-bit DMA and Linux 4.8+ pwn with @d_olex totally awesome pre-release (not yet released) bitstream for SP605 FPGA! pic.twitter.com/F5BJp4kpTw

— Ulf Frisk (@UlfFrisk) May 24, 2017

If pcileech is a self driving car then slotscreamer was a horse drawn buggy. Glad @UlfFrisk did all the work I didn't know how to do!

— Joe Fitz (@securelyfitz) May 24, 2017

https://github.com/ufrisk/pcileech

PCIleech progress continues…

April 24, 2017 ~ hucktech ~ Leave a comment

PCILeech 64-bit native DMA and raw TLP support w/ FPGA HW on its way! pic.twitter.com/aJFT6mi2z2

— Ulf Frisk (@UlfFrisk) April 24, 2017

Not possible to "hide" above 32-bit/4GB limit anymore! attacks are coming!

— Ulf Frisk (@UlfFrisk) April 24, 2017

Yet another "too-advanced-to-be-a-real-threat" attack is in fact just a $500 FPGA and one good researcher.
Wake up, IBV, the DMA has you… https://t.co/OC5Titjcmb

— Nikolaj Schlej (@NikolajSchlej) April 8, 2017

https://github.com/ufrisk/pcileech

PCIleech updated for MacOS

February 1, 2017 ~ hucktech ~ Leave a comment

PCILeech macOS unlock signature updated to support 10.12.3 https://t.co/KuTVVzZc5j

— Ulf Frisk (@UlfFrisk) January 31, 2017

Using PCILeech for first time in mac pentest assignment. Brutal! pic.twitter.com/ruaXuncArz

— Ulf Frisk (@UlfFrisk) January 17, 2017

https://github.com/ufrisk/pcileech

Attacking UEFI Runtime Services

January 12, 2017 ~ hucktech ~ Leave a comment

Ulf has an informative new article (and video) about attacking UEFI Runtime Services on Linux-based systems using PCILeech:

Attackers with physical access are able to attack the firmware on many fully patched computers with DMA – Direct Memory Access. Once code execution is gained in UEFI/EFI Runtime Services it is possible to use this foothold to take control of a running Linux system. The Linux 4.8 kernel fully randomizes the physical memory location of the kernel. There is a high likelyhood that the kernel will be randomized above 4GB on computers with sufficient memory. This means that DMA attack hardware only capable of 32-bit addressing (4GB), such as PCILeech, cannot reach the Linux kernel directly. Since the EFI Runtime Services are usually located below 4GB they offer a way into Linux on high memory EFI booting systems. Please see the video below for an example of how an attack may look like. […]

Full post:

http://blog.frizk.net/2017/01/attacking-uefi-and-linux.html

PCIleech -vs- Apple Mac OS X

December 19, 2016 ~ hucktech ~ Leave a comment

It appears Mac OS X 10.12.2 has some firmware-related security updates, with some defense against PCILeech:

Grab Mac FileVault passwords from locked macs in 30 seconds! https://t.co/26lyBxYK3g

— Ulf Frisk (@UlfFrisk) December 15, 2016

http://blog.frizk.net/2016/12/filevault-password-retrieval.html
https://github.com/ufrisk/pcileech

One of many reasons to go get 10.12.2 https://t.co/NL3AdP4TaS

— Xeno Kovah (@XenoKovah) December 15, 2016

(while still giving a way to opt back in if you really really need the old OROM auto-run behavior https://t.co/XHg4GJE7tm) [10/x]

— Xeno Kovah (@XenoKovah) December 15, 2016

The quick way to set a fw pass on Macs is "sudo firmwarepasswd -setpasswd -setmode command" from Terminal, and then reboot

— Xeno Kovah (@XenoKovah) December 15, 2016

So the moral of the story is: 1) install 10.12.2, 2) set a firmware password, to opt into higher physically-present attacker defense [13/x]

— Xeno Kovah (@XenoKovah) December 15, 2016

2) @coreykal also changed the behavior of firmware passwords, so that if you have one set, OROMs will not load even with the keypress [11/x]

— Xeno Kovah (@XenoKovah) December 15, 2016

(while still giving a way to opt back in if you really really need the old OROM auto-run behavior https://t.co/XHg4GJE7tm) [10/x]

— Xeno Kovah (@XenoKovah) December 15, 2016

Positive Spin: OS X 10.12.2: macOS LegbaCore Snaredition.
Negative Spin: OS X 10.12.2: Now matching Windows 8 (4 years ago) UEFI security.

— Alex Ionescu (@aionescu) December 16, 2016

macOS FileVault2 Password Retrieval

“macOS FileVault2 let attackers with physical access retrieve the password in clear text by plugging in a $300 Thunderbolt device into a locked or sleeping mac. The password may be used to unlock the mac to access everything on it. To secure your mac just update it with the December 2016 patches. Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable. Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!
[…]
Recovering the password is just one of the things that are possible unless the security update is applied. Since EFI memory can be overwritten it is possible to do more evil …
[…]
December 13th: Apple released macOS 10.12.2 which contains the security update. At least for some hardware – like my MacBook Air.
[…]”

Look at recent Tweets from Xeno Kovah, he has multiple posts with information about the 10.12.2 update:

https://twitter.com/XenoKovah/

Firmware passwords:
https://support.apple.com/en-us/HT202796
https://support.apple.com/en-us/HT204455
https://support.apple.com/en-us/HT203409

I’ll admit, I didn’t find any firmwaer information in their release:
https://support.apple.com/en-us/HT207423