A short entry here which might be of help to whoever tries to run the Metasploit Framework on AIX and the Power architecture. (I have not yet seen anybody mention this on the Internet.)
I have done all this under qemu-system-ppc64 (how to run AIX under QEMU is described in more detail here: https://astr0baby.wordpress.com/2018/11/04/running-aix-7-2-tl3sp1-on-x86_64-via-qemu-system-ppc64/) on my laptop, which is perfect for tinkering and testing things before doing them on real hardware. Make sure you give the qemu simulation at least 4 GB of RAM, otherwise you will not be able to run Metasploit (it will try forever to load ...). Here is my qemu loader script.
P.S. There are some quirks with newer qemu-system-ppc64 builds and AIX 7.2. The version I'm using, which works well, is the following, and thus I have named it qemu-system-ppc64-old:
QEMU emulator version 3.0.50 (v3.0.0-614-g19b599f766-dirty)
./qemu-system-ppc64-old -cpu POWER8 -machine pseries -m 4096 -serial stdio -drive file=disk.img,if=none,id=drive-virtio-disk0 -device virtio-scsi-pci,id=scsi -device scsi-hd,drive=drive-virtio-disk0 -cdrom aix.iso -prom-env boot-command='boot disk: ' -net nic -net tap -display vnc=:1
First of all one needs to install some dependencies. Here are all the RPMs I have already installed on my system via yum from the AIX Toolbox public repo:
AIX-rpm
SDL
SDL-devel
SDL_mixer
SDL_ttf
SDL_ttf-devel
audiofile
audiofile-devel
autoconf
automake
bash
bzip2
bzip2-devel
ca-certificates
cmake
coreutils
cups
cups-libs
curl
cyrus-sasl
db
dbus
esound
esound-devel
expat
expat-devel
expect
flac
fontconfig
fontconfig-devel
freetype2
freetype2-devel
gcc
gcc-c++
gcc-cpp
gcc-go
gdbm
gdbm-devel
gettext
gettext-devel
glib
glib-devel
glib2
glib2-devel
gmp
gmp-devel
gnutls
grep
gtk+
info
less
libXft
libXft-devel
libXrandr
libXrender
libXrender-devel
libffi
libffi-devel
libgcc
libgcrypt
libgcrypt-devel
libgo
libgo-devel
libgpg-error
libgpg-error-devel
libiconv
libjpeg
libmikmod
libmpc
libogg
libogg-devel
libpcap
libpcap-devel
libpng
libpng-devel
libssh2
libssh2-devel
libstdc++
libstdc++-devel
libtasn1
libtool
libvorbis
libvorbis-devel
libxml2
libxml2-devel
libxml2-python
libxslt
libxslt-devel
lua
m4
mpfr
ncurses
ncurses-devel
nettle
nmap
openldap
p11-kit
patch
pcre
pcre-devel
perl
pkg-config
postgresql
postgresql-devel
postgresql-libs
pth
pysqlite
python
python-cryptography
python-devel
python-iniparse
python-passlib
python-pyasn1
python-pycurl
python-six
python-tools
python-urlgrabber
python3
readline
readline-devel
renderproto
rsync
sed
smpeg
smpeg-libs
sqlite
sqlite-devel
tar
tcl
tcsh
tightvnc-server
tk
unzip
wget
xz
xz-devel
xz-libs
yum
yum-metadata-parser
zlib
zlib-devel
Since the ruby-2.5.1 and ruby-devel-2.5.1 RPMs from https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/ruby/ do not work for compiling any of the gems that Metasploit depends upon, I have chosen to build Ruby from source on AIX. It is not hard and is a pretty straightforward task (we will install into the /usr/local prefix, which is configure's default, to keep it separate from /opt/freeware where the AIX Toolbox RPMs live).
In this example I have used Ruby 2.5.1 to shadow the AIX Toolbox one, but you can do the same with 2.5.5 or 2.6.3.
$ wget https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.tar.gz
$ tar -zxvf ruby-2.5.1.tar.gz
$ cd ruby-2.5.1
$ ./configure
$ make
$ su -
# make install
Once we have Ruby installed (make sure /usr/local/bin is in your PATH ahead of /opt/freeware/bin, otherwise the Toolbox ruby and gem binaries will shadow the ones you just built) we can move on to downloading a Metasploit snapshot from git. I chose the ZIP snapshot simply because it's faster under the ppc64 simulator.
$ wget https://github.com/rapid7/metasploit-framework/archive/master.zip
$ unzip master.zip
$ cd metasploit-framework-master
The next step would be to run bundle install in the Metasploit directory, but we will skip this for now, because there are two gems we need to customize and patch locally in order to compile and build them on AIX 7.2. These are:
nokogiri-1.10.3
bcrypt-3.1.13
Nokogiri, one of the most-downloaded Ruby gems of all time, does not work on AIX because of the missing vasprintf() function, which is not POSIX and is not present in the AIX C library. The gem compiles and installs if you do not modify the build procedure, but the resulting shared library cannot be loaded and bails out with the following error:
bash-5.0# /usr/local/bin/gem install nokogiri-1.10.3.gem
Building native extensions. This could take a while...
Successfully installed nokogiri-1.10.3
Parsing documentation for nokogiri-1.10.3
Done installing documentation for nokogiri after 49 seconds
1 gem installed
bash-5.0# /usr/local/bin/nokogiri
Traceback (most recent call last):
        8: from /usr/local/bin/nokogiri:23:in `<main>'
        7: from /usr/local/bin/nokogiri:23:in `load'
        6: from /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/bin/nokogiri:6:in `<top (required)>'
        5: from /usr/local/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
        4: from /usr/local/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
        3: from /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri.rb:28:in `<top (required)>'
        2: from /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri.rb:32:in `rescue in <top (required)>'
        1: from /usr/local/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
/usr/local/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require': load failed - /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri/nokogiri.so. Please issue below command for detailed reasons: (LoadError)
/usr/sbin/execerror ruby "(ld 3 1 vasprintf /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri/nokogiri.so"
When we check the detailed error by running the suggested command we get more details
bash-5.0# /usr/sbin/execerror ruby "(ld 3 1 vasprintf /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri/nokogiri.so"
exec(): 0509-036 Cannot load program ruby because of the following errors:
rtld: 0712-001 Symbol vasprintf was referenced
      from module /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri/nokogiri.so(), but a runtime definition
      of the symbol was not found.
So the vasprintf symbol is referenced by nokogiri.so but nothing on the system defines it. We will need to hack the gem to get it to build properly on AIX 7.2, then. Luckily it's not that hard.
Let's create a working directory for our Ruby gem dissection experiments and download the nokogiri gem.
$ mkdir GEMS
$ cd GEMS
$ gem fetch nokogiri
Fetching: nokogiri-1.10.3.gem (100%)
Downloaded nokogiri-1.10.3
$ gem spec nokogiri-1.10.3.gem --ruby > nokogiri.gemspec
$ gem unpack nokogiri-1.10.3.gem
Unpacked gem: '/home/root/LOCAL-GEMS/TT/nokogiri-1.10.3'
$ mv nokogiri.gemspec nokogiri-1.10.3
$ cd nokogiri-1.10.3
$ cd ext/nokogiri
Now we will modify the extconf.rb file so that the build procedure produces a working nokogiri.so shared library on AIX. Locate the $CFLAGS << line under the nix? branch and add the following line after it:
$CFLAGS << " -DXP_WIN -DXP_WIN32 -DUSE_INCLUDED_VASPRINTF "
The flag that supplies the missing symbol is -DUSE_INCLUDED_VASPRINTF: it makes the extension compile nokogiri's own bundled vasprintf() implementation into nokogiri.so instead of importing one from libc. Save and return to building the nokogiri gem:
$ cd ../..
$ gem build nokogiri.gemspec
WARNING:  ports/archives/libxml2-2.9.9.tar.gz is not world-readable
WARNING:  ports/archives/libxslt-1.1.33.tar.gz is not world-readable
WARNING:  no homepage specified
WARNING:  pessimistic dependency on mini_portile2 (~> 2.4.0) may be overly strict
  if mini_portile2 is semantically versioned, use:
    add_runtime_dependency 'mini_portile2', '~> 2.4', '>= 2.4.0'
WARNING:  pessimistic dependency on racc (~> 1.4.14, development) may be overly strict
  if racc is semantically versioned, use:
    add_development_dependency 'racc', '~> 1.4', '>= 1.4.14'
WARNING:  pessimistic dependency on rake-compiler (~> 1.0.3, development) may be overly strict
  if rake-compiler is semantically versioned, use:
    add_development_dependency 'rake-compiler', '~> 1.0', '>= 1.0.3'
WARNING:  pessimistic dependency on rexical (~> 1.0.5, development) may be overly strict
  if rexical is semantically versioned, use:
    add_development_dependency 'rexical', '~> 1.0', '>= 1.0.5'
WARNING:  See http://guides.rubygems.org/specification-reference/ for help
  Successfully built RubyGem
  Name: nokogiri
  Version: 1.10.3
  File: nokogiri-1.10.3.gem
$ su
# gem install nokogiri-1.10.3.gem
After some time it will eventually build (under qemu it's slow), and we can check that the final nokogiri gem actually works by executing the gem's own command-line tool, which loads nokogiri.so and reports what it was built against:
$ /usr/local/bin/nokogiri --version
# Nokogiri (1.10.3)
---
warnings: []
nokogiri: 1.10.3
ruby:
  version: 2.5.1
  platform: powerpc-aix7.2.0
  description: ruby 2.5.1p57 (2018-03-29 revision 63029) [powerpc-aix7.2.0]
  engine: ruby
libxml:
  binding: extension
  source: packaged
  libxml2_path: "/usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/ports/powerpc-ibm-aix7.2.3.0/libxml2/2.9.9"
  libxslt_path: "/usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/ports/powerpc-ibm-aix7.2.3.0/libxslt/1.1.33"
  libxml2_patches:
  - 0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
  - 0002-Remove-script-macro-support.patch
  - 0003-Update-entities-to-remove-handling-of-ssi.patch
  libxslt_patches:
  - 0001-Fix-security-framework-bypass.patch
  compiled: 2.9.9
  loaded: 2.9.9
Now let's move on to the last gem, bcrypt; the problem with it is as follows: when running gem install bcrypt we get the following error on AIX 7.2:
# gem install bcrypt
Fetching: bcrypt-3.1.13.gem (100%)
Building native extensions. This could take a while...
ERROR:  Error installing bcrypt:
        ERROR: Failed to build gem native extension.

    current directory: /usr/local/lib/ruby/gems/2.5.0/gems/bcrypt-3.1.13/ext/mri
/usr/local/bin/ruby -r ./siteconf20190624-6029732-1f0poah.rb extconf.rb
creating Makefile

current directory: /usr/local/lib/ruby/gems/2.5.0/gems/bcrypt-3.1.13/ext/mri
make "DESTDIR=" clean

current directory: /usr/local/lib/ruby/gems/2.5.0/gems/bcrypt-3.1.13/ext/mri
make "DESTDIR="
compiling bcrypt_ext.c
compiling crypt_blowfish.c
compiling crypt_gensalt.c
compiling wrapper.c
linking shared-object bcrypt_ext.so
gcc: error: x86.o: No such file or directory
make: 1254-004 The error code from the last command is 1.
Stop.

make failed, exit code 2

Gem files will remain installed in /usr/local/lib/ruby/gems/2.5.0/gems/bcrypt-3.1.13 for inspection.
Results logged to /usr/local/lib/ruby/gems/2.5.0/extensions/powerpc-aix-7/2.5.0-static/bcrypt-3.1.13/gem_make.out
So yet again something x86-specific gets in the way on the ppc64 AIX platform: the generated Makefile lists an x86.o object for the link step, but as the output shows nothing ever compiled it (only the four .c files were built), so the link fails. This time the fix is easy as well. Let's repeat the exercise, fetch the gem and modify the build procedure:
$ gem fetch bcrypt
Fetching: bcrypt-3.1.13.gem (100%)
Downloaded bcrypt-3.1.13
$ gem spec bcrypt-3.1.13.gem --ruby > bcrypt.gemspec
$ gem unpack bcrypt-3.1.13.gem
$ mv bcrypt.gemspec bcrypt-3.1.13
$ cd bcrypt-3.1.13
$ cd ext/mri
Let's edit extconf.rb again and remove the x86 reference, i.e. the x86.o entry in the list of objects to link (x86.o is the 32-bit x86 assembly implementation, which is of no use on POWER; the portable C implementation in crypt_blowfish.c is what gets used).
Delete x86.o, save, and rebuild the gem again:
$ cd ../..
$ gem build bcrypt.gemspec
WARNING:  open-ended dependency on rspec (>= 3, development) is not recommended
  if rspec is semantically versioned, use:
    add_development_dependency 'rspec', '~> 3'
WARNING:  See http://guides.rubygems.org/specification-reference/ for help
  Successfully built RubyGem
  Name: bcrypt
  Version: 3.1.13
  File: bcrypt-3.1.13.gem
$ su
# gem install bcrypt-3.1.13.gem
Building native extensions. This could take a while...
Successfully installed bcrypt-3.1.13
Parsing documentation for bcrypt-3.1.13
Installing ri documentation for bcrypt-3.1.13
Done installing documentation for bcrypt after 26 seconds
1 gem installed
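Since both the nokogiri and the bcrypt fixes above are small edits to an extconf.rb that have to be redone every time the gem is re-fetched (or the qemu image is rebuilt), here is an added example, not part of the original post, that scripts the two edits and verifies they landed. It assumes, which the post does not confirm, that nokogiri's extconf.rb has a `when nix?` (or `if nix?`) branch whose first `$CFLAGS <<` line is the insertion point, and that bcrypt's extconf.rb names x86.o in its object list; the extconf.rb excerpts it runs against are constructed stand-ins, not the real files, so grep the real ones before pointing the functions at them. The check_vasprintf_import helper uses the AIX dump command and only runs on AIX.

```shell
#!/bin/sh
# Added example (not from the original post): re-apply the two AIX gem fixes
# idempotently and check the result. The extconf.rb layouts below are
# assumptions; the real files may differ, so verify with grep first.
set -eu

AIX_MARK='# AIX: bundled vasprintf'
AIX_CFLAGS="  \$CFLAGS << \" -DXP_WIN -DXP_WIN32 -DUSE_INCLUDED_VASPRINTF \" $AIX_MARK"

# nokogiri: insert the CFLAGS line after the first `$CFLAGS <<` that follows the
# `when nix?` / `if nix?` branch (not the `def nix?` helper, and not the windows?
# branch, which already carries USE_INCLUDED_VASPRINTF). No-op once the marker exists.
patch_nokogiri_extconf() {
  f="$1"
  if grep -q "$AIX_MARK" "$f"; then
    echo "$f: already patched"; return 0
  fi
  awk -v add="$AIX_CFLAGS" '
    /^[[:space:]]*(when|if|elsif)[[:space:]]+nix[?]/ { in_nix = 1 }
    { print }
    in_nix && /\$CFLAGS[[:space:]]*<</ { print add; in_nix = 0 }
  ' "$f" > "$f.tmp"
  mv "$f.tmp" "$f"
  if ! grep -q "$AIX_MARK" "$f"; then
    echo "$f: no \$CFLAGS line found in the nix? branch, patch it by hand" >&2
    return 1
  fi
}

# bcrypt: drop x86.o (32-bit x86 assembly, never built on POWER) from the object
# list, whether it is written bare in %w(...) or quoted in an array. Only handles
# x86.o as a non-first element, which is where bcrypt lists it.
patch_bcrypt_extconf() {
  f="$1"
  if ! grep -q 'x86\.o' "$f"; then
    echo "$f: no x86.o reference, nothing to do"; return 0
  fi
  sed -e "s/[ ,]*['\"]\{0,1\}x86\.o['\"]\{0,1\}//g" "$f" > "$f.tmp"
  mv "$f.tmp" "$f"
  if grep -q 'x86\.o' "$f"; then
    echo "$f: x86.o still referenced, patch it by hand" >&2; return 1
  fi
}

# AIX only: does the built nokogiri.so still import vasprintf from a library?
# An IMP/undef entry for it means USE_INCLUDED_VASPRINTF did not take effect and
# the LoadError shown in the post will come back.
check_vasprintf_import() {
  so="$1"
  if dump -Tv "$so" | grep -w vasprintf | grep -Eqw 'IMP|undef'; then
    echo "$so: still imports vasprintf"; return 1
  fi
  echo "$so: no vasprintf import"
}

# --- offline demo on constructed extconf.rb excerpts (not the real files) ---
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/nokogiri_extconf.rb" <<'EOF'
def nix?
  !(windows? || solaris? || darwin?)
end
case
when windows?
  $CFLAGS << " -DXP_WIN -DXP_WIN32 -DUSE_INCLUDED_VASPRINTF"
when nix?
  $CFLAGS << " -g"
end
EOF
cat > "$DEMO_DIR/bcrypt_extconf.rb" <<'EOF'
require "mkmf"
$objs = %w(bcrypt_ext.o crypt_blowfish.o crypt_gensalt.o wrapper.o x86.o)
create_makefile("bcrypt_ext")
EOF

patch_nokogiri_extconf "$DEMO_DIR/nokogiri_extconf.rb"
patch_nokogiri_extconf "$DEMO_DIR/nokogiri_extconf.rb"   # second run is a no-op
patch_bcrypt_extconf   "$DEMO_DIR/bcrypt_extconf.rb"
sed -n '7,10p' "$DEMO_DIR/nokogiri_extconf.rb"
cat "$DEMO_DIR/bcrypt_extconf.rb"
```

On the real tree the calls are patch_nokogiri_extconf nokogiri-1.10.3/ext/nokogiri/extconf.rb and patch_bcrypt_extconf bcrypt-3.1.13/ext/mri/extconf.rb, followed by the gem build / gem install steps shown above; after installing nokogiri, check_vasprintf_import on the installed nokogiri.so gives the same answer as the execerror command from the post without having to load the extension first.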
Now we should be all set to install the remaining gems needed for the Metasploit Framework, so just run bundle install from the Metasploit root directory (Bundler will pick up the locally installed nokogiri and bcrypt instead of rebuilding them from the unpatched gems):
$ cd metasploit-framework-master
$ bundle install
Make some coffee/tea as this will take some time ... I went outside to see the world around me.
So now we are ready to run the Metasploit Framework on AIX 7.2? Yes we are!
We can run ./msfconsole and hope all works (again, this takes some time under qemu).
And even do a live test against an up-to-date Windows 10 1903 (10.0.18362.175) and bypass MS Defender while we are at it ;)
And a video demonstration of how it runs/works on AIX against Win10.