UEFI and the Task of the Translator: Using cross-architecture UEFI quines as a framework for UEFI exploit development
This repo contains the slide deck and PoCs presented at OffensiveCon 2024 for my talk "UEFI and the Task of the Translator: Using cross-architecture UEFI quines as a framework for UEFI exploit development".
The OffensiveCon24 talk slide deck is in the OffensiveCon2024-slides folder.
bggp4 winning entry - x64 assembly source code
bggp4 winning entry - UEFI self-replicating app, compiled from x64 asm source
Source code for a basic UEFI app, written in x64 assembly, to be used as a template for writing x64 UEFI shellcode
arm64-quinearm64-demo-video.mov
arm64 assembly source code for self-replicating UEFI application
INF file for building QuineArm64 UEFI app using edk2 build system
The UEFI apps for both the final arm64 assembly solution and the original cross-compiled C solution are in the directory UEFI_bb_disk:
QuineArm64.efi: UEFI app built from the arm64 assembly source code quinearm64.S
UEFISelfRep.efi: UEFI app built from C source code, cross-compiled for the aarch64 architecture using the edk2 build system
Python script to test the arm64 self-replicating app in QEMU; includes an option for running it in QEMU with a GDB debugging session attached
SMM Callout PoCs will be published on the Leviathan GitHub as part of my upcoming UEFI blog series for Leviathan Security Group. Links to the blog series and the SMM PoCs will be added here as they are published on the Leviathan website and GitHub, in the coming weeks.
Hit me up with questions or feedback.
xoxo
ic3qu33n