{"id":13774024,"url":"https://github.com/Cr4sh/ThinkPwn","last_synced_at":"2025-05-11T06:31:54.606Z","repository":{"id":9449112,"uuid":"62154566","full_name":"Cr4sh/ThinkPwn","owner":"Cr4sh","description":"Started as arbitrary System Management Mode code execution exploit for Lenovo ThinkPad model line, ended as exploit for industry-wide 0day vulnerability in machines of many vendors","archived":false,"fork":false,"pushed_at":"2022-05-13T16:23:34.000Z","size":412,"stargazers_count":656,"open_issues_count":0,"forks_count":84,"subscribers_count":50,"default_branch":"master","last_synced_at":"2024-08-03T17:10:52.508Z","etag":null,"topics":["0day","exploit","firmware","intel","smm","uefi","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cr4sh.png","metadata":{"files":{"readme":"README.TXT","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.TXT","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-06-28T15:53:29.000Z","updated_at":"2024-07-27T20:22:42.000Z","dependencies_parsed_at":"2022-08-09T03:30:16.064Z","dependency_job_id":null,"html_url":"https://github.com/Cr4sh/ThinkPwn","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr4sh%2FThinkPwn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr4sh%2FThinkPwn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr4sh%2FThinkPwn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr4sh%2FThinkPwn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cr4sh","download_url":"h
ttps://codeload.github.com/Cr4sh/ThinkPwn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225021941,"owners_count":17408520,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["0day","exploit","firmware","intel","smm","uefi","vulnerability"],"created_at":"2024-08-03T17:01:22.975Z","updated_at":"2024-11-17T09:30:28.020Z","avatar_url":"https://github.com/Cr4sh.png","language":"C","funding_links":[],"categories":["Threats","Vulnerabilities \u0026 Exploits :mag_right:","C"],"sub_categories":[],"readme":"\n  Lenovo ThinkPad System Management Mode arbitrary code execution exploit\n\n***************************************************************************\n\nFor more information about this project please read the following article:\n\nhttp://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html\n\n\nThis code exploits a 0day privilege escalation vulnerability (or backdoor?) in the SystemSmmRuntimeRt UEFI driver (GUID 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. The vulnerability is present in all of the ThinkPad series laptops; the oldest one I have checked is the X220 and the newest is the T450s (with the latest firmware versions available at this moment). Running arbitrary System Management Mode code allows an attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) 
on Windows 10 Enterprise and do other evil things.\n\n##########################################\n\nUPDATE FROM 30.06.2016:\n\nThe vulnerable code of the SystemSmmRuntimeRt UEFI driver was copy-pasted by Lenovo from Intel reference code for 8-series chipsets. This exact code is not publicly available, but the open source firmware of some Intel boards shares it. For example, here you can see the SmmRuntimeManagementCallback() function from the Intel Quark BSP -- it's exactly the same vulnerable code.\n\nhttps://kernel.googlesource.com/pub/scm/linux/kernel/git/jejb/Quark_EDKII/+/master/QuarkSocPkg/QuarkNorthCluster/Smm/Dxe/SmmRuntime/SmmRuntime.c#639\n\nThe EDK2 source in the public repository never had this vulnerability -- its version of QuarkSocPkg was heavily modified in comparison with the vulnerable one:\n\nhttps://github.com/tianocore/edk2/commits/master/QuarkSocPkg\n\nThis means that the original vulnerability was fixed by Intel in the middle of 2014. Unfortunately, there were no public advisories, so it's still not clear whether Intel or Lenovo actually knew about it. 
There's a high possibility that old Intel code with this vulnerability is currently present in the firmware of other OEM/IBV vendors.\n\n##########################################\n\nUPDATE FROM 01.07.2016:\n\nLenovo released an advisory for this vulnerability; they claim that the vulnerable code, written by Intel, was received from a third-party IBV (Independent BIOS Vendor):\n\nhttps://support.lenovo.com/my/en/solutions/LEN-8324\n\nNow we can say for sure that products from other OEMs also have this vulnerability.\n\n##########################################\n\nUPDATE FROM 02.07.2016:\n\nOne of my followers confirmed that the vulnerable code is present in his HP Pavilion laptop:\n\nhttps://twitter.com/al3xtjames/status/749063556486791168\n\n##########################################\n\nUPDATE FROM 05.07.2016:\n\nAlex James found the vulnerable code on motherboards from GIGABYTE (Z68-UD3H, Z77X-UD5H, Z87MX-D3H, Z97-D3H and many others):\n\nhttps://twitter.com/al3xtjames/status/750163415159582720\nhttps://twitter.com/al3xtjames/status/750183816266940417\n\nAn interesting fact -- the vulnerable UEFI driver in their firmware has a different GUID than the HP and Lenovo one: A56897A1-A77F-4600-84DB-22B0A801FA9A\n\n##########################################\n\nUPDATE FROM 06.07.2016:\n\nThe Japanese researcher known as 173210 found the vulnerable code in the firmware of the Fujitsu LIFEBOOK A574/H; other Fujitsu computers are probably affected as well:\n\nhttps://twitter.com/173210/status/750565904111562752\nhttps://twitter.com/173210/status/750569389741731840\n\n##########################################\n\nUPDATE FROM 07.07.2016:\n\nKasey Smith found that the Dell Latitude E6430 is also vulnerable, which means that other computers from Dell might be affected as well:\n\nhttps://twitter.com/Ziginox/status/750778513012043776\n\n##########################################\n\nUPDATE FROM 08.07.2016:\n\nLenovo updated their advisory with product model information; there are quite a lot of vulnerable machines from the IdeaPad and 
ThinkPad lines:\n\nhttps://support.lenovo.com/my/en/solutions/LEN-8324\n\nAlso, it seems that the vulnerability is not present in Skylake-based Lenovo computers.\n\n##########################################\n\nUPDATE FROM 08.08.2016:\n\nIt seems that server motherboards from Intel are also vulnerable; Intel released their own advisory for the ThinkPwn (aka SmmRuntime) vulnerability:\n\nhttps://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00056\u0026languageid=en-fr\n\nFixes will be released on the 19th of September.\n\n##########################################\n\nUPDATE FROM 09.08.2016:\n\nHP released a ThinkPwn advisory with the list of vulnerable computer models:\n\nhttp://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c05230715\n\nPatches are not available yet.\n\n##########################################\n\n\nVulnerable SMM callback code (decompiler output):\n\n    EFI_STATUS __fastcall sub_AD3AFA54(\n        EFI_HANDLE SmmImageHandle, VOID *CommunicationBuffer, UINTN *SourceSize)\n    {\n        VOID *v3; // rax@1\n        VOID *v4; // rbx@1\n\n        // get some structure pointer from EFI_SMM_COMMUNICATE_HEADER.Data;\n        // CommunicationBuffer is the caller's buffer outside SMRAM, so v3 is caller-controlled\n        v3 = *(VOID **)(CommunicationBuffer + 0x20);\n        v4 = CommunicationBuffer;\n        if (v3)\n        {\n            /*\n              Vulnerability is here:\n              the handler calls a function through the pointer stored at v3 + 0x8.\n              Both v3 and that pointer come from the caller-supplied buffer and\n              nothing in this function checks them against SMRAM, so whoever can\n              issue this SMI chooses what code runs in System Management Mode.\n            */\n            *(v3 + 0x8)(*(VOID **)v3, \u0026dword_AD002290, CommunicationBuffer + 0x18);\n\n            // set zero value to indicate successful operation\n            *(VOID **)(v4 + 0x20) = 0;\n        }\n\n        return 0;\n    }\n\n\nThe proof of concept exploit for this vulnerability is designed as a UEFI application that runs from the UEFI shell. 
It's also possible to exploit it from a running operating system, but you have to implement your own EFI_SMM_BASE_PROTOCOL.Communicate() function.\n\nThis exact PoC was designed only for Lenovo computers, and it's pure luck if it works anywhere else. If it fails to exploit the vulnerability on another vendor's machine, that doesn't mean the machine is not vulnerable; most likely it's just not supported by the exploit.\n\nTo build the exploit from source on Windows with the Visual Studio compiler, perform the following steps:\n\n  1. Copy the ThinkPwn project directory into the EDK2 source code directory.\n\n  2. Run the Visual Studio 2008 Command Prompt and cd to the EDK2 directory.\n\n  3. Execute Edk2Setup.bat --pull to configure the build environment and download the required binaries.\n\n  4. Edit the AppPkg/AppPkg.dsc file and add the path of ThinkPwn/ThinkPwn.dsc to the end of the [Components] section.\n\n  5. cd to the ThinkPwn project directory and run the build command.\n\n  6. After compilation the resulting PE image will be at Build/AppPkg/DEBUG_VS2008x86/X64/ThinkPwn/ThinkPwn/OUTPUT/ThinkPwn.efi\n\n\nTo test the exploit on your own hardware:\n\n  1. Prepare a FAT32-formatted USB flash drive with the ThinkPwn.efi and UEFI Shell (https://github.com/tianocore/tianocore.github.io/wiki/Efi-shell) binaries.\n\n  2. 
Boot into the UEFI shell and execute the ThinkPwn.efi application.\n\n\nUsage example:\n\nFS1:\\\u003e ThinkPwn.efi\n\nSMM access protocol is at 0xaa5f8b00\nAvailable SMRAM regions:\n * 0xad000000:0xad3fffff\nSMM base protocol is at 0xaa989340\nBuffer for SMM communicate call is allocated at 0xacbfb018\nObtaining FvFile(7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) image handles...\n * Handle = 0xa4aee798\n   Communicate() returned status 0x0000000e, data size is 0x1000\n * Handle = 0xa4aee298\n   Communicate() returned status 0x00000000, data size is 0x1000\nSmmHandler() was executed, exploitation success!\n\n\nThis repository also contains a Python program that scans a firmware image from any computer vendor/model for a UEFI SMM driver that has the ThinkPwn vulnerability. For more information check its source code:\n\nhttps://github.com/Cr4sh/ThinkPwn/blob/master/scan_thinkpwn.py\n\n\nWritten by:\nDmytro Oleksiuk (aka Cr4sh)\n\ncr4sh0@gmail.com\nhttp://blog.cr4.sh\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCr4sh%2FThinkPwn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCr4sh%2FThinkPwn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCr4sh%2FThinkPwn/lists"}
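The callback quoted in the README above reads a structure pointer from the caller's communication buffer and calls a function pointer stored inside that structure. The C below is an added example, not code from the ThinkPwn repository or from any vendor's firmware: it models that handler on the host, next to a hardened handler, so the two can be run and compared. The request layout (pointer at +0x20, callee at +0x8, argument at +0x18) follows the decompiled callback; SMRAM is modelled as a static array, the EFI status codes use the EDK2 high-bit encoding, and the command table and every identifier are assumptions made for this demo. The hardened handler applies the three checks an SMI handler for a communication buffer needs: the whole buffer must lie outside SMRAM (the job EDK2's SmmIsBufferOutsideSmmValid() does in real drivers), the request is copied into SMRAM before any field is trusted so the caller cannot change it while the handler runs, and dispatch goes through an integer command ID into a const table in SMRAM, never through a pointer carried in the buffer.

```c
/* Added example, not ThinkPwn code: a host-side model of the vulnerable SmmRuntime
 * callback next to a hardened SMI handler. SMRAM, status codes and names are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define EFI_SUCCESS            0ULL
#define EFIERR(n)              (0x8000000000000000ULL | (n))  /* EDK2 x64 encoding */
#define EFI_INVALID_PARAMETER  EFIERR(2)
#define EFI_ACCESS_DENIED      EFIERR(15)

static uint32_t smm_state;      /* stands in for dword_AD002290, a global in SMRAM */
static uint8_t  smram[0x1000];  /* stands in for the SMRAM region */

/* 1. Vulnerable callback, same layout as the decompiled code: +0x18 arg (passed by
 *    address), +0x20 caller-controlled pointer to a struct whose +0x8 field is called. */
typedef void (*RUNTIME_FN)(void *ctx, void *state, void *arg);
typedef struct { void *ctx; RUNTIME_FN fn; } RUNTIME_OPS;
typedef struct { uint8_t guid[16]; uint64_t msg_len; uint64_t arg; RUNTIME_OPS *ops; } RUNTIME_REQ;

static uint64_t vulnerable_handler(RUNTIME_REQ *req)
{
    RUNTIME_OPS *ops = req->ops;
    if (!ops) return EFI_SUCCESS;
    ops->fn(ops->ctx, &smm_state, &req->arg);  /* caller-chosen address runs in SMM */
    req->ops = NULL;                           /* "success" marker, as in the original */
    return EFI_SUCCESS;
}

/* 2. Hardened handler: range check, copy into SMRAM, dispatch by integer ID (cmd indexes
 *    cmd_table, value is SET input / GET output, status is written back to the caller). */
enum { CMD_GET_STATE, CMD_SET_STATE, CMD_MAX };
typedef struct { uint8_t guid[16]; uint64_t msg_len; uint64_t cmd, value, status; } SAFE_REQ;

/* Role of EDK2's SmmIsBufferOutsideSmmValid(): false if [p, p+len) overlaps SMRAM, is empty, or wraps. */
static bool range_outside_smram(const void *p, size_t len)
{
    uintptr_t start = (uintptr_t)p, s0 = (uintptr_t)smram, s1 = s0 + sizeof smram;
    if (len == 0 || start > UINTPTR_MAX - len) return false;
    return start + len <= s0 || start >= s1;
}

static uint64_t cmd_get_state(SAFE_REQ *r) { r->value = smm_state; return EFI_SUCCESS; }
static uint64_t cmd_set_state(SAFE_REQ *r)
{
    if (r->value > UINT32_MAX) return EFI_INVALID_PARAMETER;
    smm_state = (uint32_t)r->value; return EFI_SUCCESS;
}
static uint64_t (*const cmd_table[CMD_MAX])(SAFE_REQ *) = { cmd_get_state, cmd_set_state };

static uint64_t hardened_handler(void *buf, size_t *buf_size)
{
    SAFE_REQ local; uint64_t rc;         /* local lives on the SMM stack, inside SMRAM */
    if (!buf || !buf_size) return EFI_INVALID_PARAMETER;
    if (!range_outside_smram(buf, *buf_size)) return EFI_ACCESS_DENIED;  /* before any read */
    if (*buf_size < sizeof local) return EFI_INVALID_PARAMETER;
    memcpy(&local, buf, sizeof local);   /* every decision below uses the SMRAM copy */
    if (local.cmd >= (uint64_t)CMD_MAX) return EFI_INVALID_PARAMETER;
    rc = cmd_table[local.cmd](&local);   /* const table in SMRAM, never a pointer from buf */
    local.status = rc;
    memcpy(buf, &local, sizeof local);   /* results go back to the already-checked buffer */
    return rc;
}

/* 3. Attacker side plus the checks a reader can run. */
static bool payload_ran;
static void attacker_payload(void *ctx, void *state, void *arg)   /* "clears a lock bit" */
{
    (void)ctx; (void)arg; *(uint32_t *)state = 0; payload_ran = true;
}

bool demo_vulnerable_runs_payload(void)   /* true: attacker code ran "in SMM" */
{
    RUNTIME_OPS ops = { NULL, attacker_payload };
    RUNTIME_REQ req = { {0}, sizeof req, 0, &ops };
    payload_ran = false;
    vulnerable_handler(&req);
    return payload_ran;
}

bool demo_hardened_ignores_pointer(void)  /* true: the same bytes are handled as data */
{
    union { SAFE_REQ safe; RUNTIME_REQ legacy; } u;
    RUNTIME_OPS ops = { NULL, attacker_payload };
    size_t size = sizeof u.safe;
    memset(&u, 0, sizeof u);
    u.legacy.ops = &ops;                  /* +0x20 now lands in SAFE_REQ.value */
    payload_ran = false;
    return hardened_handler(&u.safe, &size) == EFI_SUCCESS && !payload_ran;
}

uint64_t demo_hardened_rejects_smram_buffer(void)   /* EFI_ACCESS_DENIED, nothing read */
{ size_t size = sizeof(SAFE_REQ); return hardened_handler(smram + 0x100, &size); }

uint32_t demo_hardened_set_then_get(void)  /* 0x1234: the legitimate path still works */
{
    SAFE_REQ r = { {0}, sizeof r, CMD_SET_STATE, 0x1234, 0 };
    size_t size = sizeof r;
    if (hardened_handler(&r, &size) != EFI_SUCCESS) return 0;
    r.cmd = CMD_GET_STATE; r.value = 0;
    return hardened_handler(&r, &size) == EFI_SUCCESS ? (uint32_t)r.value : 0;
}
```

The four demo functions show the contrast: the vulnerable handler executes attacker_payload() with whatever privileges the handler itself has, while the hardened handler returns EFI_ACCESS_DENIED for a buffer that overlaps SMRAM, treats the bytes at +0x20 as plain data, and still serves the legitimate set/get commands. The order of the checks is the point on real hardware too: validate the range first, then copy, then act only on the copy.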