diff --git a/pcileech/devicerawtcp.c b/pcileech/devicerawtcp.c
index 0390023..aa61200 100644
--- a/pcileech/devicerawtcp.c
+++ b/pcileech/devicerawtcp.c
@@ -160,7 +160,7 @@ BOOL DeviceRawTCP_ReadDMA(_Inout_ PPCILEECH_CONTEXT ctxPcileech, _In_ QWORD qwAd
 cbRead = 0;
 while (cbRead < Rx.cb) {
- len = recv(ctxrawtcp->Sock, (char *)pb + cbRead, Rx.cb - cbRead, 0);
+ len = recv(ctxrawtcp->Sock, (char *)pb + cbRead, (int)(Rx.cb - cbRead), 0);
 if (len == SOCKET_ERROR || len == 0) {
 fprintf(stderr, "ERROR: recv() fails\n");
 return 0;
@@ -213,7 +213,7 @@ BOOL DeviceRawTCP_WriteDMA(_Inout_ PPCILEECH_CONTEXT ctxPcileech, _In_ QWORD qwA
 }
 if (Rx.cmd != MEM_WRITE) {
- fprintf(stderr, "ERROR: Memory write fail\n", cbRead);
+ fprintf(stderr, "ERROR: Memory write fail\n");
 }
 return cbWritten >= cb;
diff --git a/pcileech/help.c b/pcileech/help.c
index 234ace2..346aaf6 100644
--- a/pcileech/help.c
+++ b/pcileech/help.c
@@ -94,10 +94,10 @@ VOID Help_ShowGeneral()
 " Wait occurs after any other actions have been completed. \n" \
 " -device: force the use of a specific hardware device instead of auto-detect.\n" \
 " Affects all modes and commands. \n" \
- " Valid options: USB3380, FPGA, SP605_TCP, or \n" \
- " TOTALMELTDOWN \n" \
- " -device-addr: Remote address for -device SP605_TCP. \n" \
- " -device-port: Remote TCP port for -device SP605_TCP. Default value: 28472. \n" \
+ " Valid options: USB3380, FPGA, SP605_TCP, RAWTCP, TOTALMELTDOWN or \n" \
+ " . \n" \
+ " -device-addr: Remote address for -device RAWTCP and SP605_TCP. \n" \
+ " -device-port: Remote TCP port for -device RAWTCP and SP605_TCP. (optional). \n" \
 " -device-opt[0-3]: Optional additional device configuration for some devices.\n" \
 " FPGA device (NB! 0 = default!): -device-opt0 = delay read uS \n" \
 " -device-opt1 = delay write uS, -device-opt2 = delay probe uS \n" \
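Review bot: The cast `(int)(Rx.cb - cbRead)` on the new recv() line only silences the size_t-to-int narrowing warning; the peer-supplied length `Rx.cb` still decides how many bytes recv() writes into `pb`, and nothing in the hunk bounds it by the caller's buffer size, while a value above INT_MAX would make the cast negative. The parameter list and the lines that read `Rx` from the socket are above the hunk, so if such a check exists there this is moot; if not, add before the loop `if (Rx.cb > cb) { fprintf(stderr, "ERROR: Oversized response from device\n"); return 0; }` (assuming the buffer size parameter is `cb`, as in DeviceRawTCP_WriteDMA). With the RAWTCP device the peer is a network-reachable BMC on the target host rather than local hardware, so its framing deserves to be treated as untrusted input by the analyst's machine. DeviceRawTCP_ReadDMA starts and ends outside the hunk.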
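Review bot: In the DeviceRawTCP_WriteDMA hunk a response whose `Rx.cmd` is not `MEM_WRITE` is only logged, and control falls through to `return cbWritten >= cb;`, so the caller can be told the write succeeded even though the peer never acknowledged a MEM_WRITE. The new line fixes the stray `cbRead` format argument but keeps that fall-through. Make the error branch `fprintf(stderr, "ERROR: Memory write fail\n"); return 0;`, matching the `return 0;` used on recv() failure in DeviceRawTCP_ReadDMA. How `cbWritten` is accumulated before the response check is set above the hunk; DeviceRawTCP_WriteDMA starts outside it.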
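Review bot: The rewritten `-device-port` line in Help_ShowGeneral replaces the documented default (28472) with "(optional)" without saying which port is used when the option is omitted, for either RAWTCP or SP605_TCP; the readme change in this same commit passes `-device-port 8888` for rawtcp, so a user cannot tell the default from the help text. Keep the per-device defaults in the help, e.g. `" -device-port: Remote TCP port for -device RAWTCP and SP605_TCP. Optional. \n"` followed by one line stating each device's default as implemented. The added line `" . \n"` after the valid-options list also reads as an empty list entry, possibly text lost when this diff was captured, and should be checked against the source. Help_ShowGeneral starts and ends outside the hunk.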
@@ -142,7 +142,7 @@ VOID Help_ShowInfo() { printf( " PCILEECH INFORMATION \n" \ - " PCILeech (c) 2016-2018 Ulf Frisk \n" \ + " PCILeech (c) 2016-2019 Ulf Frisk \n" \ " Version: " \ PCILEECH_VERSION_CURRENT \ " \n" \ @@ -155,6 +155,7 @@ VOID Help_ShowInfo() " Google USB Driver - https://developer.android.com/sdk/win-usb.html \n" \ " FTDI FT601 Driver - http://www.ftdichip.com/Drivers/D3XX.htm \n" \ " PCIe Injector - https://github.com/enjoy-digital/pcie_injector \n" \ + " iLO DMA firmware - https://www.synacktiv.com/posts/exploit/using-your-bmc-as-a-dma-device-plugging-pcileech-to-hpe-ilo-4.html \n" \ " Dokany - https://github.com/dokan-dev/dokany/releases/latest \n" \ " ---------------- \n" \ " Use with memory dump files in read-only mode. \n" \ diff --git a/pcileech/pcileech.h b/pcileech/pcileech.h index 21caef4..6f8d90b 100644 --- a/pcileech/pcileech.h +++ b/pcileech/pcileech.h @@ -7,7 +7,7 @@ #define __PCILEECH_H__ #include "oscompatibility.h" -#define PCILEECH_VERSION_CURRENT "3.6.2" +#define PCILEECH_VERSION_CURRENT "3.7.0" #define SIZE_PAGE_ALIGN_4K(x) ((x + 0xfff) & ~0xfff) #define CONFIG_MAX_SIGNATURES 16 diff --git a/pcileech/pcileech.vcxproj b/pcileech/pcileech.vcxproj index c8f5ca3..19e04df 100644 --- a/pcileech/pcileech.vcxproj +++ b/pcileech/pcileech.vcxproj @@ -193,6 +193,7 @@ + @@ -219,6 +220,7 @@ + diff --git a/pcileech/pcileech.vcxproj.filters b/pcileech/pcileech.vcxproj.filters index 2258837..76c478b 100644 --- a/pcileech/pcileech.vcxproj.filters +++ b/pcileech/pcileech.vcxproj.filters @@ -90,6 +90,9 @@ Header Files + + Header Files + @@ -158,6 +161,9 @@ Source Files + + Source Files + diff --git a/pcileech_files/dll/pcileech.dll b/pcileech_files/dll/pcileech.dll index 7498133..9730f87 100644 Binary files a/pcileech_files/dll/pcileech.dll and b/pcileech_files/dll/pcileech.dll differ 
diff --git a/pcileech_files/dll/pcileech.lib b/pcileech_files/dll/pcileech.lib
index 9bb1432..98ce481 100644
Binary files a/pcileech_files/dll/pcileech.lib and b/pcileech_files/dll/pcileech.lib differ
diff --git a/pcileech_files/pcileech.exe b/pcileech_files/pcileech.exe
index e9aeaf6..fb69ee1 100644
Binary files a/pcileech_files/pcileech.exe and b/pcileech_files/pcileech.exe differ
diff --git a/readme.md b/readme.md
index e2dc65a..a9ac64b 100644
--- a/readme.md
+++ b/readme.md
@@ -2,7 +2,7 @@ PCILeech Summary:
 =================
 PCILeech uses PCIe hardware devices to read and write from the target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.
-PCILeech works without hardware together with memory dump files and the Windows 7/2008R2 x64 [Total Meltdown / CVE-2018-1038](https://blog.frizk.net/2018/03/total-meltdown.html) vulnerability.
+PCILeech works without hardware together with memory dump files and the Windows 7/2008R2 x64 [Total Meltdown / CVE-2018-1038](https://blog.frizk.net/2018/03/total-meltdown.html) vulnerability. In addition to locally connected devices PCILeech also support DMA patched iLO interfaces.
 PCILeech supports multiple memory acquisition devices. Primarily hardware based, but also dump files and software based techniques based on select security issues are supported. USB3380 based hardware is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. FPGA based hardware is able to read all memory.
@@ -52,6 +52,7 @@ Please find a device comparision table below.
 | [SP605/TCP](https://github.com/ufrisk/pcileech-fpga/) | FPGA | TCP/IP | 100kB/s | Yes | Yes |
 | [USB3380-EVB](usb3380.md) | USB3380 | USB3 | 150MB/s | No (via KMD only) | No |
 | [PP3380](usb3380.md) | USB3380 | USB3 | 150MB/s | No (via KMD only) | No |
+| [DMA patched HP iLO](https://www.synacktiv.com/posts/exploit/using-your-bmc-as-a-dma-device-plugging-pcileech-to-hpe-ilo-4.html) | TCP | TCP | 1MB/s | Yes | No |
 Recommended adapters:
 * PE3B - ExpressCard to mini-PCIe.
@@ -122,6 +123,9 @@ Mount the PCILeech Memory Process File System from a Windows 10 64-bit memory im
 Dump memory using the the reported "TotalMeltdown" [Windows 7/2008R2 x64 PML4 page table permission vulnerability](https://blog.frizk.net/2018/03/total-meltdown.html).
 * ` pcileech.exe dump -out memdump_win7.raw -device totalmeltdown -v -force `
+Insert a kernel module into a running Linux system remotely via a [DMA patched HP iLO](https://www.synacktiv.com/posts/exploit/using-your-bmc-as-a-dma-device-plugging-pcileech-to-hpe-ilo-4.html).
+* ` pcileech.exe kmdload -vvv -device rawtcp -device-addr 127.0.0.1 -device-port 8888 -kmd LINUX_X64_48 `
+
 Generating Signatures:
 ======================
 PCILeech comes with built in signatures for Windows, Linux, FreeBSD and macOS. For Windows 10 it is also possible to use the pcileech_gensig.exe program to generate alternative signatures.
@@ -187,3 +191,6 @@ v3.5
 v3.6
 * Various bug fixes (including 'missing dlls' issue).
 * Additional functionality exported from DLL.
+
+v3.7
+* Support for RAWTCP device - used to communicate with [DMA patched HP iLO](https://www.synacktiv.com/posts/exploit/using-your-bmc-as-a-dma-device-plugging-pcileech-to-hpe-ilo-4.html). Thanks to [Synacktiv](https://www.synacktiv.com) for the contribution and the awesome research!