One of the best InfoSec books of all time, in my opinion, is Cliff Stoll's The Cuckoo's Egg ( https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg ), which pretty much covers all the hacking basics as well as the defence. There is even a real movie/documentary with the real Cliff starring as himself (I would still recommend reading the book though).
The main thing in this story is the iconic appearance of the mighty Berkeley UNIX (BSD) systems running on VAX computers, alongside VAX/VMS. The book covers an intrusion into a university network in Berkeley, California and goes on to describe the hunt for the mysterious "hacker" who seems to be interested in military information and uses the Berkeley Labs computers as a jump host to other systems on the late-80s ARPANET/MILNET.
We can reconstruct some of the most interesting attacks that are covered in the book today thanks to the SIMH simulator https://github.com/simh/simh and Metasploit Framework https://github.com/rapid7/metasploit-framework
Also please note that there is already an excellent and very detailed howto created by Rapid7:
https://blog.rapid7.com/2019/01/02/the-ghost-of-exploits-past-a-deep-dive-into-the-morris-worm/
And since I'm not a big fan of docker (which the above Rapid7 blog entry refers to @ https://github.com/wvu/ye-olde-bsd ) I have decided to write my own version.
This guide is for Linux x86_64 and the SIMH vax emulator compiled on it. Like all my other simulation exercises, this one depends on tun/tap and bridging. I have prepared a ready-to-use 4.3BSD (networking and emacs sources compiled + gcc 2.8 and bash 2), but if you want to replicate it step by step you can follow these guides:
http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH
http://plover.net/~agarvin/4.3bsd-on-simh.html
Both guides cover everything needed, but if you do not wish to do this you can download the ready-made image, which is available here -> www.sandokan.tk/release/4.3BSD-SIMH.tar.gz
The above gzipped tarball contains the following files:
-rw-r--r-- 1 root root 622932480 Sep 22 22:30 4.3bsd.dsk
-rw-r--r-- 1 root root       445 Sep 22 21:29 boot.ini
-rw-r--r-- 1 root root    131072 Sep 22 21:28 ka655x.bin
-rw-r--r-- 1 root root      1024 Sep 22 22:20 nvram.dat
-rwxr-xr-x 1 root root        15 Sep 22 21:28 run.sh
-rwxr-xr-x 1 root root   1949200 Sep 22 21:56 vax
Where 4.3bsd.dsk is the actual system image and boot.ini is the simh-vax loader config with the following contents:
load -r ka655x.bin
; CPU config
set CPU 512m
set cr dis
set lpt dis
set rl dis
set ry dis
set ts dis
set xq dis
set rq0 ra82
att rq0 4.3bsd.dsk
set rq1 dis
set rq2 dis
set rq3 dis
att tq0 quas.tap
#att tq0 de_drivers.tape
set tti 7b
set tto 7b
att nvr nvram.dat
dep bdr 1
; Attach Ethernet to a network interface
set xq enable
set xq type=deqna
set xq mac=08-00-2B-AA-BB-CC
attach xq tap:tap0
boot cpu
ka655x.bin is the VAX ROM, nvram.dat holds the stored boot procedure for the VAX, and run.sh is the loader script for the whole simulation.
- root:password <— root user/password
- user:password <— 2nd user /password
- gcc version 2.7.2.2
- GNU bash, version 2.00.0(18)-release (vax-dec-bsd)
- GNU Make version 3.75, by Richard Stallman and Roland McGrath.
- GNU Emacs 17.61.1
- And a whole bunch of ancient source code (DEC X11 included) in /usr/CUSTOM/43new
Networking is hardcoded on the 4.3BSD and I use the following values (please change them according to your needs!):
BSD> netstat -i
----------------------------------------------------------------------------
Name  Mtu   Network  Address    Ipkts Ierrs Opkts Oerrs Coll
qe0   1500  10       10.0.2.10      7     0     8     0    0
lo0   1536  127      127.0.0.1      1     0     1     0    0
----------------------------------------------------------------------------
BSD> cat /etc/netstart
----------------------------------------------------------------------------
#!/bin/sh -
#
#	@(#)netstart	1.1 (Berkeley) 1/10/99

routedflags=-q
rwhod=NO

# myname is my symbolic name
# my-netmask is specified in /etc/networks
#
hostname=bsd

hostname $hostname
ifconfig qe0 inet $hostname netmask my-netmask
ifconfig lo0 inet localhost
route add $hostname localhost 0
route add default 10.0.2.2 1
hostid $hostname
---------------------------------------------------------------------
BSD> cat /etc/resolv.conf
nameserver 8.8.8.8
Next we will need SIMH itself, of course, which is downloadable from its official GitHub repo https://github.com/simh/simh and is pretty much straightforward to build; the process is well described here: https://github.com/simh/simh#linuxosx-other-nix-platforms
Once SIMH is compiled, place the vax binary into the 4.3BSD simulator directory (run.sh wants it there; it's just a simple loader that runs ./vax boot.ini).
(I have just noticed that I included my own dynamically linked simh in the gzipped tarball by mistake; just delete it and compile your own.)
For full networking support (to have the simulator running in a virtual VLAN) I use the following script on my Linux host. On Debian/Ubuntu just run sudo apt-get install uml-utilities bridge-utils to get the tunctl and brctl commands.
network.sh
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl setfd br0 0
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE
If you wish to attach other virtual networks to br0, just add another brctl addif br0 line for your tap device.
Once we have all this in place, run the above network.sh and start the 4.3BSD simulation by running ./run.sh
In order to boot the disk, issue the following at the SIMH VAX ROM prompt:
>>>boot dua0
Once the system boots and you get to the login prompt, you can log in as root or user (both passwords are "password", without quotes).
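As an added example (this is not the original network.sh from this guide), here is a more complete POSIX sh version of the tap/bridge setup with up/down modes, a prerequisite check and a sanity check that the bridge address and the guest address really share one subnet. It assumes the same tunctl/brctl tools and the 10.0.2.0/24 addressing used above; the two FORWARD rules that keep the unpatched guest unreachable from the uplink side are my addition and not something the original script does. DRY_RUN=1 only prints the commands, which is how the script can be checked without root.

```sh
#!/bin/sh
# lab-net.sh: bring the tap0/br0 lab network up or down.
# Added example for this guide, not the original network.sh.
# Assumes a Debian-style host with tunctl (uml-utilities) and brctl (bridge-utils),
# and a guest at 10.0.2.10 whose default route is 10.0.2.2 (as in the 4.3BSD netstart).

TAP=${TAP:-tap0}
BR=${BR:-br0}
TAP_USER=${TAP_USER:-user}
BR_ADDR=${BR_ADDR:-10.0.2.2}
NETMASK=${NETMASK:-255.255.255.0}
BCAST=${BCAST:-10.0.2.255}
GUEST_ADDR=${GUEST_ADDR:-10.0.2.10}
UPLINK=${UPLINK:-wlan0}   # the interface that NATs guest traffic out
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or only print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ip_to_int: dotted quad -> integer, in a subshell so IFS is not clobbered
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# same_subnet A B MASK: succeed when A and B are on the network given by MASK
same_subnet() {
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# check_config: tools present and addressing consistent, before touching anything
check_config() {
    for tool in tunctl brctl ifconfig iptables sysctl; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
    done
    same_subnet "$BR_ADDR" "$GUEST_ADDR" "$NETMASK" || {
        echo "bridge $BR_ADDR and guest $GUEST_ADDR are not on one subnet" >&2; return 1; }
}

# net_up: same steps as network.sh, skipping devices that already exist
net_up() {
    [ -e "/sys/class/net/$TAP" ] || run tunctl -t "$TAP" -u "$TAP_USER"
    run ifconfig "$TAP" up
    [ -e "/sys/class/net/$BR" ] || run brctl addbr "$BR"
    run brctl setfd "$BR" 0
    run ifconfig "$BR" "$BR_ADDR" netmask "$NETMASK" broadcast "$BCAST" up
    run brctl addif "$BR" "$TAP"
    run ifconfig "$TAP" 0.0.0.0
    run sysctl net.ipv4.ip_forward=1
    run iptables --table nat -A POSTROUTING --out-interface "$UPLINK" -j MASQUERADE
    # added isolation: only replies to guest-initiated connections come in from the uplink
    run iptables -A FORWARD -i "$UPLINK" -o "$BR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$UPLINK" -o "$BR" -j DROP
}

# net_down: undo net_up in reverse order
net_down() {
    run iptables -D FORWARD -i "$UPLINK" -o "$BR" -j DROP
    run iptables -D FORWARD -i "$UPLINK" -o "$BR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables --table nat -D POSTROUTING --out-interface "$UPLINK" -j MASQUERADE
    run brctl delif "$BR" "$TAP"
    run ifconfig "$BR" down
    run brctl delbr "$BR"
    run tunctl -d "$TAP"
}

case "${1:-}" in
    up)   check_config && net_up ;;
    down) net_down ;;
    *)    echo "usage: $0 up|down  (DRY_RUN=1 to print the commands only)" >&2 ;;
esac
```

Usage: sudo sh lab-net.sh up before ./run.sh, and sudo sh lab-net.sh down when you are done so the MASQUERADE and FORWARD rules do not linger on the host.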
We can even test the network now by pinging the simulation at 10.0.2.10 or by ftp/telnetting to it (I have made /etc/ttys exceptions to allow remote root login):
# name	getty				type	status		comments
#
console	"/etc/getty Console-1200"	unknown	on secure
tty00	"/etc/getty std.9600"		unknown	off secure
tty01	"/etc/getty std.9600"		unknown	off secure
tty02	"/etc/getty std.9600"		unknown	off secure
tty03	"/etc/getty std.9600"		unknown	off secure
tty04	"/etc/getty std.9600"		unknown	off secure
tty05	"/etc/getty std.9600"		unknown	off secure
tty06	"/etc/getty std.9600"		unknown	off secure
tty07	"/etc/getty std.9600"		unknown	off secure
ttyp0	none				network	off secure
ttyp1	none				network	off secure
ttyp2	none				network	off secure
ttyp3	none				network	off secure
I prefer to Nmap the host first, so here is the output from # nmap -sS -sV 10.0.2.10
Nmap scan report for 10.0.2.10
Host is up (0.0016s latency).
Not shown: 987 closed ports
PORT    STATE SERVICE    VERSION
7/tcp   open  echo
9/tcp   open  discard?
13/tcp  open  daytime
19/tcp  open  chargen
21/tcp  open  ftp
23/tcp  open  telnet
25/tcp  open  smtp       Sendmail 5.61.1.2/1.36
37/tcp  open  time       (32 bits)
79/tcp  open  finger     SGI IRIX or NeXTSTEP fingerd
512/tcp open  exec
513/tcp open  login
514/tcp open  tcpwrapped
515/tcp open  printer    lpd (path: /usr/lib/lpd; error: lp: Malformed from address)
So next we can fire up the Metasploit Framework and search for 4.3BSD exploits :)
We will use exploit/bsd/finger/morris_fingerd_bof first to get RCE on the 4.3BSD. This is the famous Morris Worm exploit, and here we can learn how it exploited the fingerd service on 4.3BSD.
Description:
This module exploits a stack buffer overflow in fingerd on 4.3BSD.
This vulnerability was exploited by the Morris worm in 1988-11-02.
Cliff Stoll reports on the worm in the epilogue of The Cuckoo’s Egg.
References:
https://en.wikipedia.org/wiki/Morris_worm
https://spaf.cerias.purdue.edu/tech-reps/823.pdf
http://computerarcheology.com/Virus/MorrisWorm/
https://github.com/arialdomartini/morris-worm
http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH
Next we choose the only payload available for VAX 4.3BSD and set RHOSTS and LHOST.
We have all that's needed, so "exploit" next to get a remote shell.
We are "nobody" – how convenient – and we need to become somebody, preferably root.
Next comes the best part – 4.3BSD privilege escalation as it was used by Markus Hess and possibly his friends Dirk Brzezinski and Peter Carl.
So we background our session #1 on the 4.3BSD VAX and return to the Metasploit console.
This time we will use the emacs_movemail LPE against session #1.
Please note – the movemail setuid binary is not part of the base 4.3BSD install set and you will need to compile it yourself if you wish to use a custom 4.3BSD install; the set I have provided has the movemail binary as well as a compiled emacs in place, so it's easier to use in this example.
Description:
This module exploits a SUID installation of the Emacs movemail
utility to run a command as root by writing to 4.3BSD’s
/usr/lib/crontab.local. The vulnerability is documented in Cliff
Stoll’s book The Cuckoo’s Egg.
References:
https://en.wikipedia.org/wiki/Movemail
https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg
http://pdf.textfiles.com/academics/wilyhacker.pdf
https://www.gnu.org/software/emacs/manual/html_node/efaq/Security-risks-with-Emacs.html
https://www.gnu.org/software/emacs/manual/html_node/emacs/Movemail.html
https://mailutils.org/manual/html_node/movemail.html
Since the LPE exploit uses cron to prepare a setuid /bin/sh for us in /tmp, we need to wait 1 minute (60 seconds) for the /tmp/sh file!
[*] Preparing crontab with payload
[*] Creating writable /usr/lib/crontab.local
[+] Writing crontab to /usr/lib/crontab.local
[!] Please wait at least one minute for effect
[*] Exploit completed, but no session was created.
Now let's return to our session #1.
Shortly our setuid root-owned /bin/sh will appear in /tmp :)
This time we are root and not nobody anymore.
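As an added example (not part of 4.3BSD, Emacs or the Metasploit modules), the following POSIX sh audit checks for the conditions the two modules above rely on: network services that inetd exposes (finger, exec, login, telnet and friends from the nmap output), a setuid movemail, and a /usr/lib/crontab.local that a non-root user can write to, which is what turns movemail's file write into root's cron running the payload. ROOT lets the checks run against a copy of the guest's filesystem on the Linux host instead of the live system, and the MOVEMAIL path is an assumption since it depends on how emacs was installed. The inetd.conf lines in the usage below are constructed for illustration.

```sh
#!/bin/sh
# guest-audit.sh: report inetd-exposed services, a setuid movemail and a
# writable /usr/lib/crontab.local in a 4.3BSD-style tree.
# Added example for this guide; not 4.3BSD, Emacs or Metasploit code.

ROOT=${ROOT:-}                                      # "" = live system, or a copied tree
MOVEMAIL=${MOVEMAIL:-/usr/local/emacs/etc/movemail}  # assumed location, adjust to your install
EXPECT_OWNER=${EXPECT_OWNER:-root}                   # who may own crontab.local
WATCH="finger exec login shell telnet ftp"           # services the modules above lean on

# enabled_services INETD_CONF: service names of active (uncommented) entries.
# 4.3BSD inetd.conf lines look like: finger stream tcp nowait nobody /etc/fingerd fingerd
enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# exposed_watched INETD_CONF: the watched services inetd would actually start
exposed_watched() {
    for s in $(enabled_services "$1"); do
        for w in $WATCH; do
            if [ "$s" = "$w" ]; then echo "$s"; fi
        done
    done
    return 0
}

# is_setuid FILE: succeed when FILE is a regular file with the setuid bit set
is_setuid() { [ -f "$1" ] && [ -u "$1" ]; }

# crontab_local_status FILE: 0 when absent, or owned by EXPECT_OWNER and not
# group/world writable; 1 otherwise. A cron table root reads but others can
# write is the whole point of the movemail escalation.
crontab_local_status() {
    f=$1
    [ -e "$f" ] || { echo "absent: $f"; return 0; }
    set -- $(ls -ld "$f")       # mode links owner group size ... name
    mode=$1; owner=$3
    case $mode in
        ?????w*|????????w*) echo "group/world writable ($mode $owner): $f"; return 1 ;;
    esac
    [ "$owner" = "$EXPECT_OWNER" ] || { echo "owned by $owner, not $EXPECT_OWNER: $f"; return 1; }
    echo "ok ($mode $owner): $f"
    return 0
}

# audit: run every check under $ROOT; exit status = number of findings (0 = clean)
audit() {
    findings=0
    for s in $(exposed_watched "$ROOT/etc/inetd.conf"); do
        echo "inetd exposes: $s"; findings=$((findings + 1))
    done
    if is_setuid "$ROOT$MOVEMAIL"; then
        echo "setuid movemail: $ROOT$MOVEMAIL"; findings=$((findings + 1))
    fi
    crontab_local_status "$ROOT/usr/lib/crontab.local" || findings=$((findings + 1))
    return "$findings"
}

# sh guest-audit.sh run   -> audit the live system (or ROOT=/mnt/bsd sh guest-audit.sh run)
case "${1:-}" in run) audit ;; esac
```

On the 4.3BSD guest itself run it under the bash 2 that is on the image, since the old /bin/sh there predates POSIX arithmetic and test -u; on the Linux host, mount or copy the guest's filesystem and point ROOT at it. A non-zero exit status is the finding count, so it is easy to wire into a lab checklist.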
Now, that was fun, no? I leave it to the reader to explore the other wonderful secrets of 4.3BSD – there are many other ways in – FTPd, Telnet, EXEC, Logind ... and also some other possible LPEs.
4.3BSD is considered to be the finest piece of software ever written https://spectrum.ieee.org/tech-talk/semiconductors/devices/the_best_software_ever_written and, by coincidence, the infamous Morris Worm ranks #12 on the same list, so I think this is something of a must for any computer classes out there doing infosec lessons ;)
Here is a video demo of the above that I made last night.
The 3rd module by Rapid7 is https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/smtp/morris_sendmail_debug.rb