Damn Vulnerable UEFI (DVUEFI)
August 10, 2024 ยท View on GitHub
Damn Vulnerable UEFI (DVUEFI)
An Exploitation Toolkit and Learning Platform for Unveiling and Fixing UEFI Firmware Vulnerabilities Presented at Black Hat USA 2024 Arsenal

Introduction
Inspired by projects such as Damn Vulnerable Web Application and OWASP's Damn Vulnerable Web Sockets, Damn Vulnerable UEFI (DVUEFI) is designed to help guide ethical hackers, security researchers, and firmware enthusiasts in getting started with UEFI firmware security, by facilitating the exploration of vulnerabilities by example.
The DVUEFI project is engineered to simulate real-world firmware attacks, offering an environment for practicing and refining exploitation techniques.
DVUEFI is accompanied by a robust, continuously evolving catalog of documented UEFI vulnerabilities. Each entry is detailed with exploitation methods, potential impacts, and strategic mitigation recommendations, serving as both a learning tool and a reference for security practitioners.
OS Support
DEVUEFI's exploitation environment is designed to be deployable on both Windows and Linux using either QEMU for the first two stages and VMWare Workstation Player for the final stage (the free version, VMWare Workstation Player, will suffice).
Tools
We extend and combine different engines of UEFITool to help with automation for the third stage. For more information on the tool, see Tools.
Getting Started
Clone this repository using
git clone --recursive git@github.com:hacking-support/DVUEFI.git # ssh
or
git clone --recursive https://github.com/hacking-support/DVUEFI.git # https
To start setting up your exploitation environment, head over to Level 0: Setup
Acknowledgements
DVUEFI would not exist without the previous contributions of many members of the UEFI community.
- UEFI image analysis and modification: https://github.com/LongSoft/UEFITool
- Inspiration for Apps to make Vulnerable: https://github.com/fpmurphy/UEFI-Utilities-2019