Information about a signed UEFI Shell that can be used when Secure Boot is enabled.

Overview

SignedUEFIShell

During our research of the BootHole vulnerability last year, we tried to find as many signed bootloaders as we could. We searched all across the internet and we found these bootloaders were part of rescue CDs, firmware update tools, drive encryption utilities and more. One of these was a bootable usb image that was part of the Seagate utility suite called “SeaChest”.

From http://support.seagate.com/seachest/SeaChest_Combo_UserGuides.html) “SeaChest is a comprehensive, easy-to-use command line diagnostic tool that helps you quickly determine the health and status of your Seagate storage product. It includes several tests that will examine the physical media on your Seagate, Samsung or Maxtor disk drive.“

This particular bootloader has been added to the revoked bootloader list by Microsoft as a response to last year's BootHole vulnerability, meaning that any computer with the latest DBX updates in their UEFI Firmware will not be able to run this tool. Caveat: In most platforms, restoring factory default settings for Secure Boot will revert back to a previous version of DBX.

Within the bootable image included within this set of tool there are UEFI Shell binaries, these binaries are signed by Seagate and are loaded by this now revoked bootloader, which essentially means that because Secure Boot is still on while a UEFI Shell is running, only SeaGate signed binaries can run.

However, since a UEFI shell is a command line interface that presents the user with a shell to manually type and run commands and scripts like simple commands that include the basic change directory, list directory, copy, move and delete files. And automatic script execution using a similar mechanism to batch files in Windows (Instead of .bat it uses .nsh, more in the specification). Some of these built in commands allow reading and writing from memory, which can be useful in several ways.

In an excellent talk by Alex Ionesu at Syscan 2012, he describes how the ACPI Specification has a definition for a Windows Platform Binary Table (WPBT) which Microsoft describes: “The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration.”

And so, as an experiment we will use the built in memory reading/writing utility in the UEFI Shell to overwrite an existing table with our own WPBT and load a binary to memory allowing for Windows to automatically download and execute it for us. (For simplicity's sake, we will avoid adding a new table to the existing ones, we will just overwrite the DBG2 table which happens to be the exact size we need for a basic WPBT entry.)

Before we begin, a big caveat here is that the binary the WPBT points to has to be signed with a valid code signing certificate, so for this proof-of-concept we’ll just place a file in memory and see if it gets saved to disk by Windows, since Windows will not run it but it will save it ¯_(ツ)_/¯

The python script we have published alongside this post will help you do what we just described by building an .nsh script file for you. This script uses the UEFI Shell “mm” command for replacing the content of an ACPI table it is pointed at.

Hint: you can use the memmap command in the UEFI shell to get the ACPI location in memory along with other mapped locations you might place data that will persist when windows boot (post ExitBootServices).

References: https://web.archive.org/web/20180101001804/https://infocon.hackingand.coffee/SyScan/SyScan%202012%20Singapore/SyScan%202012%20Singapore%20presentations/Day2-6Alex%20Ionescu/AlexSyScan12.pdf https://web.archive.org/web/20210309140158/https://download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx https://web.archive.org/web/20210310034802/http://www.uefi.org/sites/default/files/resources/UEFI_Shell_2_2.pdf https://web.archive.org/web/20200807013341/https://www.seagate.com/support/kb/using-seachest-bootable-to-blockerase-ssd/ https://web.archive.org/web/20201202151645/http://support.seagate.com/seachest/SeaChestUtilities.zip https://web.archive.org/web/20210221001814/https://github.com/Jamesits/dropWPBT https://web.archive.org/web/20210319021620/http://support.seagate.com/seachest/SeaChest_Combo_UserGuides.html

You might also like...
A server shell for you to play with Powered by Django + Nginx + Postgres + Bootstrap + Celery.

A server shell for you to play with Powered by Django + Nginx + Postgres + Bootstrap + Celery.

Shell Trality API for local development.

Trality Simulator Intro This package is a work in progress. It allows local development of Trality bots in an IDE such as VS Code. The package provide

Utility/Raiding selfbot made by Shell and Roover.
Utility/Raiding selfbot made by Shell and Roover.

Utility/Raiding selfbot made by Shell and Roover. We are open to suggestions and ideas.

 Improve current data preprocessing for FTM's WOB data to analyze Shell and Dutch Governmental contacts.
Improve current data preprocessing for FTM's WOB data to analyze Shell and Dutch Governmental contacts.

We're the hackathon leftovers, but we are Too Good To Go ;-). A repo by Lukas Schubotz and Raymon van Dinter. We aim to improve current data preprocessing for FTM's WOB data to analyze Shell and Dutch Governmental contacts.

Originally used during Marketplace.tf's open period, this program was used to get the profit of items bought with keys and sold for dollars.

Originally used during Marketplace.tf's open period, this program was used to get the profit of items bought with keys and sold for dollars. Practically useless for me now, but can be used as an example of tkinter.

WATTS provides a set of Python classes that can manage simulation workflows for multiple codes where information is exchanged at a coarse level

WATTS (Workflow and Template Toolkit for Simulation) provides a set of Python classes that can manage simulation workflows for multiple codes where information is exchanged at a coarse level.

 tidevice can be used to communicate with iPhone device
tidevice can be used to communicate with iPhone device

h 该工具能够用于与iOS设备进行通信, 提供以下功能 截图 获取手机信息 ipa包的安装和卸载 根据bundleID 启动和停止应用 列出安装应用信息 模拟Xcode运行XCTest,常用的如启动WebDriverAgent测试

vFuzzer is a tool developed for fuzzing buffer overflows, For now, It can be used for fuzzing plain vanilla stack based buffer overflows
vFuzzer is a tool developed for fuzzing buffer overflows, For now, It can be used for fuzzing plain vanilla stack based buffer overflows

vFuzzer vFuzzer is a tool developed for fuzzing buffer overflows, For now, It can be used for fuzzing plain vanilla stack based buffer overflows, The

Identifies the faulty wafer before it can be used for the fabrication of integrated circuits and, in photovoltaics, to manufacture solar cells.

Identifies the faulty wafer before it can be used for the fabrication of integrated circuits and, in photovoltaics, to manufacture solar cells. The project retrains itself after every prediction, making it more robust and generalized over time.

Owner
Mickey
Mickey
Modeval (or Modular Eval) is a modular and secure string evaluation library that can be used to create custom parsers or interpreters.

modeval Modeval (or Modular Eval) is a modular and secure string evaluation library that can be used to create custom parsers or interpreters. Basic U

null 2 Jan 1, 2022
Patch PL to disable LK verification. Patch LK to disable boot/recovery verification.

Simple Python(3) script to disable LK verification in Amazon Preloader images and boot/recovery image verification in Amazon LK ("Little Kernel") images.

Roger Ortiz 18 Mar 17, 2022
Waydroid is a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu.

Waydroid is a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu.

WayDroid 4.7k Jan 8, 2023
Boot.img patcher for Tolino ebook readers to enable ADB and root.

I'm not responsible for any damage to your devices by running this tool. Please note that you may loose warranty when using this, although (This is no

Aaron Dewes 9 Nov 13, 2022
Ikaros is a free financial library built in pure python that can be used to get information for single stocks, generate signals and build prortfolios

Ikaros is a free financial library built in pure python that can be used to get information for single stocks, generate signals and build prortfolios

Salma Saidane 64 Sep 28, 2022
BinCat is an innovative login system, with which the account you register will be more secure.

BinCat is an innovative login system, with which the account you register will be more secure. This project is inspired by a conventional token system.

Hipotesi 2 May 22, 2022
KeyBrowser: A program launches a browser and a keylogger at the same time, is used to retrieve a person's personal information

KeyBrowser: A program launches a browser and a keylogger at the same time, is used to retrieve a person's personal information

null 3 Oct 16, 2022
A beautiful and useful prompt for your shell

A Powerline style prompt for your shell A beautiful and useful prompt generator for Bash, ZSH, Fish, and tcsh: Shows some important details about the

Buck Ryan 6k Jan 8, 2023
Shell scripts made simple 🐚

zxpy Shell scripts made simple ?? Inspired by Google's zx, but made much simpler and more accessible using Python. Rationale Bash is cool, and it's ex

Tushar Sadhwani 492 Dec 27, 2022
Penelope Shell Handler

penelope Penelope is an advanced shell handler. Its main aim is to replace netcat as shell catcher during exploiting RCE vulnerabilities. It works on

null 293 Dec 30, 2022