@rufflabs
Last active May 25, 2023 20:08
Applies BootHole UEFI fixes, requires some editing.
<#
.SYNOPSIS
Applies UEFI dbx updates to fix BootHole vulnerability.
.DESCRIPTION
Applies the UEFI dbx updates to fix the BootHole vulnerability. Prior to running,
edit this script to choose between embedded files or a link to a file share.
See https://www.rufflabs.com/post/nessus-plugin-139239-remediating-boothole-windows/
.EXAMPLE
Run the script after making the required modifications mentioned in the description.
PS C:\>.\Fix-BootHole.ps1
#>
# Where the dbx update files come from:
#   $true  - decode the base64 blobs pasted into $DbxUpdateFiles below and write
#            them to $env:temp before they are applied.
#   $false - read the .p7/.bin files from the file share paths in $DbxUpdatePaths.
# Leave exactly one of the two lines uncommented.
#$EmbeddedFiles = $false
$EmbeddedFiles = $true
# File-share mode only ($EmbeddedFiles = $false): architecture -> release -> paths to
# the detached signature (.p7) and dbx content (.bin) of each update. Replace the
# sample UNC paths with your own; entries whose files are not reachable are skipped,
# so you only need to fill in the architectures you actually deploy to.
# NOTE(review): this table stops at April 2021 while $DbxUpdateFiles also lists
# 2022/2023 releases; add matching entries here if file-share mode should apply them.
# NOTE(review): the "arm" entries point at *_arm64 directories — confirm that is the
# intended package for systems that report an ARM processor.
$DbxUpdatePaths = @{
    x64 = @{
        'April 2021' = @{
            signature = '\\sampleserver\sampleshare\dbxupdates\april2021_x64\signature.p7'
            content   = '\\sampleserver\sampleshare\dbxupdates\april2021_x64\content.bin'
        }
        'October 2020' = @{
            signature = '\\sampleserver\sampleshare\dbxupdates\october2020_x64\signature.p7'
            content   = '\\sampleserver\sampleshare\dbxupdates\october2020_x64\content.bin'
        }
        'July 2020' = @{
            signature = '\\sampleserver\sampleshare\dbxupdates\july2020_x64\signature.p7'
            content   = '\\sampleserver\sampleshare\dbxupdates\july2020_x64\content.bin'
        }
    }
    x86 = @{
        'April 2021' = @{
            signature = '\\sampleserver\sampleshare\dbxupdates\april2021_x86\signature.p7'
            content   = '\\sampleserver\sampleshare\dbxupdates\april2021_x86\content.bin'
        }
        'July 2020' = @{
            signature = '\\sampleserver\sampleshare\dbxupdates\july2020_x86\signature.p7'
            content   = '\\sampleserver\sampleshare\dbxupdates\july2020_x86\content.bin'
        }
    }
    arm = @{
        'April 2021' = @{
            signature = '\\sampleserver\sampleshare\dbxupdates\april2021_arm64\signature.p7'
            content   = '\\sampleserver\sampleshare\dbxupdates\april2021_arm64\content.bin'
        }
        'July 2020' = @{
            signature = '\\sampleserver\sampleshare\dbxupdates\july2020_arm64\signature.p7'
            content   = '\\sampleserver\sampleshare\dbxupdates\july2020_arm64\content.bin'
        }
    }
}
# Embedded mode only ($EmbeddedFiles = $true): architecture -> release -> base64 text
# of the update's signature (.p7) and content (.bin). The embedded-files branch below
# decodes each pair with [System.Convert]::FromBase64String and writes it to $env:temp.
# Paste the encoded file contents between the quotes; leave both fields empty for any
# release that should not be applied.
# NOTE(review): the embedded-files loop tests these values against $null, and an empty
# string is not $null — confirm blank entries are really skipped before relying on it.
$DbxUpdateFiles = @{
    x64 = @{
        'May 2023'       = @{ signature = ''; content = '' }
        'March 2023'     = @{ signature = ''; content = '' }
        'September 2022' = @{ signature = ''; content = '' }
        'August 2022'    = @{ signature = ''; content = '' }
        'April 2021'     = @{ signature = ''; content = '' }
        'October 2020'   = @{ signature = ''; content = '' }
        'July 2020'      = @{ signature = ''; content = '' }
    }
    x86 = @{
        'May 2023'       = @{ signature = ''; content = '' }
        'March 2023'     = @{ signature = ''; content = '' }
        'September 2022' = @{ signature = ''; content = '' }
        'April 2021'     = @{ signature = ''; content = '' }
        'July 2020'      = @{ signature = ''; content = '' }
    }
    arm = @{
        'May 2023'       = @{ signature = ''; content = '' }
    }
    arm64 = @{
        'May 2023'       = @{ signature = ''; content = '' }
        'March 2023'     = @{ signature = ''; content = '' }
        'August 2022'    = @{ signature = ''; content = '' }
        'April 2021'     = @{ signature = ''; content = '' }
        'July 2020'      = @{ signature = ''; content = '' }
    }
}
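# CA Check adapted from https://github.com/synackcyber/BootHole_Fix/blob/main/boothole.ps1
# The dbx updates revoke binaries signed under the "Microsoft Corporation UEFI CA 2011";
# when that CA is absent from this machine's db, the script treats the updates as not
# required and stops.
Write-Output "Checking for matching UEFI CA"
try {
    # Get-SecureBootUEFI throws when the variable cannot be read (for example on a
    # system that is not booted in UEFI mode); surface that as a clear message rather
    # than an unhandled exception from the .bytes access below.
    $DbBytes = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
} catch {
    Write-Output "Unable to read the Secure Boot db variable: $($_.Exception.Message)"
    Write-Output "Confirm the system is booted in UEFI mode and the script is running elevated."
    exit
}
# Substring search over the raw variable bytes for the CA's subject name; a regex match
# is used only because the original did, the pattern contains no metacharacters.
$CAMatch = [System.Text.Encoding]::ASCII.GetString($DbBytes) -match 'Microsoft Corporation UEFI CA 2011'
if (-not $CAMatch) {
    Write-Output "Microsoft Corporation UEFI CA 2011 was not found. Updates are not required on this system."
    exit
}
Write-Output "Certificate found, continuing."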
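# Check architecture. Keys are the Win32_Processor.Architecture codes.
$ArchitectureOptions = @{
    0  = "x86"
    1  = "MIPS"
    2  = "Alpha"
    3  = "PowerPC"
    5  = "ARM"
    6  = "IA64"
    9  = "x64"
    12 = "ARM64"
}
# Multi-socket systems return one Win32_Processor instance per socket; take the first
# so the [int] cast below is not handed an array (which throws).
$Processor = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
if ($null -eq $Processor) {
    Write-Output "Unable to query Win32_Processor; cannot determine the processor architecture."
    exit
}
$ArchitectureCode = [int]$Processor.Architecture
$Architecture = $ArchitectureOptions[$ArchitectureCode]
if ($null -eq $Architecture) {
    # Unknown code: keep the message below informative instead of printing an empty name.
    $Architecture = "unknown (architecture code $ArchitectureCode)"
}
# Architectures with a matching table in $DbxUpdateFiles / $DbxUpdatePaths. Hashtable
# key lookup is case-insensitive, so "ARM" here selects the "arm" tables.
# NOTE(review): $DbxUpdateFiles also carries an "arm64" table, but ARM64 is not listed
# here and $DbxUpdatePaths has no "arm64" entry, so that table is currently never used.
$SupportedArchitectures = @("x86", "x64", "arm")
if ($SupportedArchitectures -notcontains $Architecture) {
    Write-Output "This script does not support $($Architecture) based PC's, and no dbx updates are available for this architecture."
    exit
}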
#######################################
# Appends one signed dbx update to the UEFI dbx variable.
# Arguments:
#   -SignaturePath  path to the detached signature (.p7) for the update
#   -ContentPath    path to the dbx content (.bin) the signature covers
# The -Time value is passed through unchanged from the original script; it is
# presumably the timestamp the update was signed with, so do not alter it without
# confirming against the update's documentation. -AppendWrite adds the entries
# to dbx rather than replacing the variable.
#######################################
function Update-DbxVariable {
    param(
        $SignaturePath,
        $ContentPath
    )
    $WriteArgs = @{
        Name            = 'dbx'
        SignedFilePath  = $SignaturePath
        ContentFilePath = $ContentPath
        Time            = '2010-03-06T19:17:21Z'
        AppendWrite     = $true
    }
    Set-SecureBootUefi @WriteArgs
}
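Write-Output "Updating UEFI dbx variable for $($Architecture) architecture."
# Release name -> @{ Signature = <.p7 path>; Content = <.bin path> } for each update that
# will be applied. NOTE(review): a plain hashtable enumerates in no guaranteed order; if
# the updates must be applied oldest-first, make this [ordered] and sort the release tables.
$UpdateFiles = @{}
if ($EmbeddedFiles) {
    # Use the embedded files in this script: decode each base64 blob into $env:temp so
    # Set-SecureBootUefi can be given a file path.
    Write-Output "Using embedded update files, creating files on disk."
    try {
        $DbxUpdateFiles.$Architecture.GetEnumerator() | ForEach-Object {
            $Release = $_.Name
            $Content = $_.Value.Content
            $Signature = $_.Value.Signature
            # Both blobs must be present. The table uses "" (not $null) for releases that
            # have not been pasted in, and FromBase64String("") decodes to an empty file,
            # so a $null check alone would stage and then try to apply empty updates.
            $HaveSignature = -not [string]::IsNullOrWhiteSpace($Signature)
            $HaveContent = -not [string]::IsNullOrWhiteSpace($Content)
            if (-not ($HaveSignature -and $HaveContent)) {
                if ($HaveSignature -or $HaveContent) {
                    Write-Output "Skipping $($Release): only one of signature/content is embedded."
                }
                return   # next entry in ForEach-Object
            }
            $TempSigFile = "$($env:temp)\$($Release)_$($Architecture)_signature.p7"
            $TempContentFile = "$($env:temp)\$($Release)_$($Architecture)_content.bin"
            # Register before writing so the cleanup in the catch block removes any file
            # that was partially written.
            $UpdateFiles.Add($Release, @{"Signature" = $TempSigFile; "Content" = $TempContentFile})
            # -ErrorAction Stop turns write failures into terminating errors for the catch below.
            Set-Content -Path $TempSigFile -Value ([System.Convert]::FromBase64String($Signature)) -Encoding Byte -ErrorAction Stop
            Write-Output "Created $($TempSigFile)"
            Set-Content -Path $TempContentFile -Value ([System.Convert]::FromBase64String($Content)) -Encoding Byte -ErrorAction Stop
            Write-Output "Created $($TempContentFile)"
        }
    } catch {
        # FromBase64String throws on a malformed blob, Set-Content on a permission problem;
        # report the detail so the two are distinguishable, then remove anything staged.
        Write-Output "Error creating temporary files. Check permissions to $($env:temp)."
        Write-Output "Detail: $($_.Exception.Message)"
        $UpdateFiles.Values.Values | ForEach-Object { Remove-Item -Path $_ -ErrorAction SilentlyContinue }
        exit
    }
} else {
    # Use the files from a file share location
    Write-Output "Using update files from file share."
    $DbxUpdatePaths.$Architecture.GetEnumerator() | ForEach-Object {
        $Release = $_.Name
        $ContentPath = $_.Value.Content
        $SignaturePath = $_.Value.Signature
        # Only add to the queue if both signature and content files are accessible
        # (-PathType Leaf so a directory at the path does not count as the file).
        if ((Test-Path -Path $ContentPath -PathType Leaf) -and (Test-Path -Path $SignaturePath -PathType Leaf)) {
            Write-Output "`nPreparing: $($Release)`nSignature: $($SignaturePath)`nContent: $($ContentPath)"
            $UpdateFiles.Add($Release, @{"Signature" = $SignaturePath; "Content" = $ContentPath})
        } else {
            Write-Output "Skipping $($Release): update files not found at the configured paths."
        }
    }
}
if ($UpdateFiles.Count -eq 0) {
    Write-Output "No dbx updates were staged; nothing to apply."
}
# Releases whose Set-SecureBootUefi call failed, reported at the end.
$Failed = @()
$UpdateFiles.GetEnumerator() | ForEach-Object {
    $Release = $_.Name
    $Files = $_.Value
    Write-Output "Applying $($Release) update..."
    # Cmdlet errors are non-terminating by default, so a failed write would otherwise be
    # walked past silently. Promote errors to terminating only for the duration of the call.
    $SavedPreference = $ErrorActionPreference
    try {
        $ErrorActionPreference = 'Stop'
        Update-DbxVariable -SignaturePath $Files.Signature -ContentPath $Files.Content
    } catch {
        $Failed += $Release
        Write-Output "Failed to apply $($Release) update: $($_.Exception.Message)"
    } finally {
        $ErrorActionPreference = $SavedPreference
    }
}
if ($EmbeddedFiles) {
    $UpdateFiles.Values.Values | ForEach-Object {
        # Delete file from disk
        Write-Output "Deleting on disk $($_)"
        Remove-Item -Path $_ -ErrorAction SilentlyContinue
    }
}
if ($Failed.Count -gt 0) {
    # Non-zero exit so deployment tooling sees that dbx was not fully updated.
    Write-Output "The following updates did not apply: $($Failed -join ', ')"
    exit 1
}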

Updated $DbxUpdateFiles to match available updates from UEFI forum's website.
