Metasploit framework on AIX 7.2

A short entry which might be of help to whoever tries to run Metasploit Framework on AIX and the Power architecture (I have not yet seen anybody mention this on the Internet).

I have done all this under qemu-system-ppc64 on my laptop (how to run AIX 7.2 under QEMU is described in more detail here: https://astr0baby.wordpress.com/2018/11/04/running-aix-7-2-tl3sp1-on-x86_64-via-qemu-system-ppc64/), which is perfect for tinkering and testing things before doing them on real hardware. Make sure you give the QEMU guest at least 4 GB of RAM, otherwise you will not be able to run Metasploit (msfconsole will try forever to load). Here is my QEMU loader script.

P.S. There are some quirks with newer qemu-system-ppc64 builds and AIX 7.2. The version I am using, which works well, is the one below, and I have named its binary qemu-system-ppc64-old accordingly:

QEMU emulator version 3.0.50 (v3.0.0-614-g19b599f766-dirty)

./qemu-system-ppc64-old -cpu POWER8 -machine pseries -m 4096 -serial stdio -drive file=disk.img,if=none,id=drive-virtio-disk0 -device virtio-scsi-pci,id=scsi -device scsi-hd,drive=drive-virtio-disk0 -cdrom aix.iso -prom-env boot-command='boot disk: ' -net nic -net tap -display vnc=:1

First of all one needs to install some dependencies. Below is the list of RPMs I already have installed on my system via yum from the AIX Toolbox public repository:

AIX-rpm
SDL
SDL-devel
SDL_mixer
SDL_ttf
SDL_ttf-devel
audiofile
audiofile-devel
autoconf
automake
bash
bzip2
bzip2-devel
ca-certificates
cmake
coreutils
cups
cups-libs
curl
cyrus-sasl
db
dbus
esound
esound-devel
expat
expat-devel
expect
flac
fontconfig
fontconfig-devel
freetype2
freetype2-devel
gcc
gcc-c++
gcc-cpp
gcc-go
gdbm
gdbm-devel
gettext
gettext-devel
glib
glib-devel
glib2
glib2-devel
gmp
gmp-devel
gnutls
grep
gtk+
info
less
libXft
libXft-devel
libXrandr
libXrender
libXrender-devel
libffi
libffi-devel
libgcc
libgcrypt
libgcrypt-devel
libgo
libgo-devel
libgpg-error
libgpg-error-devel
libiconv
libjpeg
libmikmod
libmpc
libogg
libogg-devel
libpcap
libpcap-devel
libpng
libpng-devel
libssh2
libssh2-devel
libstdc++
libstdc++-devel
libtasn1
libtool
libvorbis
libvorbis-devel
libxml2
libxml2-devel
libxml2-python
libxslt
libxslt-devel
lua
m4
mpfr
ncurses
ncurses-devel
nettle
nmap
openldap
p11-kit
patch
pcre
pcre-devel
perl
pkg-config
postgresql
postgresql-devel
postgresql-libs
pth
pysqlite
python
python-cryptography
python-devel
python-iniparse
python-passlib
python-pyasn1
python-pycurl
python-six
python-tools
python-urlgrabber
python3
readline
readline-devel
renderproto
rsync
sed
smpeg
smpeg-libs
sqlite
sqlite-devel
tar
tcl
tcsh
tightvnc-server
tk
unzip
wget
xz
xz-devel
xz-libs
yum
yum-metadata-parser
zlib
zlib-devel

Since the ruby-2.5.1 and ruby-devel-2.5.1 RPMs from https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/ruby/ cannot compile any of the native gems Metasploit depends on, I have chosen to build Ruby from source on AIX. It is not hard and is a pretty straightforward task (we install into the /usr/local prefix to keep it separate from /opt/freeware).

In this example I have used Ruby 2.5.1 to shadow the AIX Toolbox version, but you can do the same with 2.5.5 or 2.6.3.


$ wget https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.tar.gz
$ tar -zxvf ruby-2.5.1.tar.gz
$ cd ruby-2.5.1
$ ./configure --prefix=/usr/local
$ make
$ su - 
# make install

Once we have Ruby installed (make sure /usr/local/bin comes before /opt/freeware/bin in your PATH, so that the new ruby and gem shadow the Toolbox ones) we can move on to downloading a Metasploit snapshot from git. I chose the ZIP snapshot simply because it is faster under the ppc64 emulator than a full git clone.

$ wget  https://github.com/rapid7/metasploit-framework/archive/master.zip
$ unzip master.zip 
$ cd metasploit-framework-master

The next step would be to run bundle install in the Metasploit directory, but we will skip that for now, because there are two gems we need to patch and build locally before they will compile and load on AIX 7.2. These are

nokogiri-1.10.3
bcrypt-3.1.13

nokogiri (probably the most downloaded native Ruby gem of all time) does not work on AIX because its extension references vasprintf(), which is not POSIX and is not present in the AIX C library. If you do not modify the build procedure the gem compiles and installs fine, but the resulting shared library cannot be loaded and bails with the following error:

bash-5.0# /usr/local/bin/gem install nokogiri-1.10.3.gem
Building native extensions. This could take a while...
Successfully installed nokogiri-1.10.3
Parsing documentation for nokogiri-1.10.3
Done installing documentation for nokogiri after 49 seconds
1 gem installed
bash-5.0# /usr/local/bin/nokogiri
Traceback (most recent call last):
	8: from /usr/local/bin/nokogiri:23:in `<main>'
	7: from /usr/local/bin/nokogiri:23:in `load'
	6: from /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/bin/nokogiri:6:in `<top (required)>'
	5: from /usr/local/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
	4: from /usr/local/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
	3: from /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri.rb:28:in `<top (required)>'
	2: from /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri.rb:32:in `rescue in <top (required)>'
	1: from /usr/local/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
/usr/local/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require': load failed - /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri/nokogiri.so. Please issue below command for detailed reasons: (LoadError)
/usr/sbin/execerror ruby "(ld 3 1 vasprintf /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri/nokogiri.so"

When we run the suggested command we get the details:

bash-5.0# /usr/sbin/execerror ruby 
"(ld 3 1 vasprintf /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri/nokogiri.so"
exec(): 0509-036 Cannot load program ruby because of the following errors:
rtld: 0712-001 Symbol vasprintf was referenced from module
/usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri/nokogiri.so(),
but a runtime definition of the symbol was not found.

So the vasprintf symbol is referenced by nokogiri.so but no runtime definition exists, which is why the build succeeds and only the load fails. We will need to hack the gem's build procedure to get a working nokogiri.so on AIX 7.2. Luckily it is not that hard.

Let's create a working directory for our Ruby gem dissection experiments and download the nokogiri gem:

$ mkdir GEMS
$ cd GEMS
$ gem fetch nokogiri 
Fetching: nokogiri-1.10.3.gem (100%)
Downloaded nokogiri-1.10.3
$ gem spec nokogiri-1.10.3.gem --ruby > nokogiri.gemspec
$ gem unpack nokogiri-1.10.3.gem
Unpacked gem: '/home/root/LOCAL-GEMS/TT/nokogiri-1.10.3'
$ mv nokogiri.gemspec nokogiri-1.10.3
$ cd  nokogiri-1.10.3
$ cd ext/nokogiri

Now we modify ext/nokogiri/extconf.rb so that the build produces a working nokogiri.so on AIX. Locate the following line inside the if nix? block:

$CFLAGS <<

and change it to

$CFLAGS << " -DXP_WIN -DXP_WIN32 -DUSE_INCLUDED_VASPRINTF "

The define that matters here is -DUSE_INCLUDED_VASPRINTF: it compiles in the vasprintf() implementation the gem carries for platforms whose C library lacks the function. It is normally used only for the Windows build, which is where the accompanying XP_WIN defines come from.

Save the file and return to building the nokogiri gem:

$ cd ../.. 
$ gem build nokogiri.gemspec 
WARNING:  ports/archives/libxml2-2.9.9.tar.gz is not world-readable
WARNING:  ports/archives/libxslt-1.1.33.tar.gz is not world-readable
WARNING:  no homepage specified
WARNING:  pessimistic dependency on mini_portile2 (~> 2.4.0) may be overly strict
  if mini_portile2 is semantically versioned, use:
    add_runtime_dependency 'mini_portile2', '~> 2.4', '>= 2.4.0'
WARNING:  pessimistic dependency on racc (~> 1.4.14, development) may be overly strict
  if racc is semantically versioned, use:
    add_development_dependency 'racc', '~> 1.4', '>= 1.4.14'
WARNING:  pessimistic dependency on rake-compiler (~> 1.0.3, development) may be overly strict
  if rake-compiler is semantically versioned, use:
    add_development_dependency 'rake-compiler', '~> 1.0', '>= 1.0.3'
WARNING:  pessimistic dependency on rexical (~> 1.0.5, development) may be overly strict
  if rexical is semantically versioned, use:
    add_development_dependency 'rexical', '~> 1.0', '>= 1.0.5'
WARNING:  See http://guides.rubygems.org/specification-reference/ for help
  Successfully built RubyGem
  Name: nokogiri
  Version: 1.10.3
  File: nokogiri-1.10.3.gem

$ su 
# gem install  nokogiri-1.10.3.gem

After some time it will eventually build (under qemu it is slow), and we can check whether the final nokogiri gem actually works by running its command-line tool:

$ /usr/local/bin/nokogiri  --version
# Nokogiri (1.10.3)
    ---
    warnings: []
    nokogiri: 1.10.3
    ruby:
      version: 2.5.1
      platform: powerpc-aix7.2.0
      description: ruby 2.5.1p57 (2018-03-29 revision 63029) [powerpc-aix7.2.0]
      engine: ruby
    libxml:
      binding: extension
      source: packaged
      libxml2_path: "/usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/ports/powerpc-ibm-aix7.2.3.0/libxml2/2.9.9"
      libxslt_path: "/usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/ports/powerpc-ibm-aix7.2.3.0/libxslt/1.1.33"
      libxml2_patches:
      - 0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
      - 0002-Remove-script-macro-support.patch
      - 0003-Update-entities-to-remove-handling-of-ssi.patch
      libxslt_patches:
      - 0001-Fix-security-framework-bypass.patch
      compiled: 2.9.9
      loaded: 2.9.9

Now let's move on to the last gem, bcrypt. Here the problem is different: when running gem install bcrypt we get the following error on AIX 7.2

# gem install bcrypt
Fetching: bcrypt-3.1.13.gem (100%)
Building native extensions. This could take a while...
ERROR:  Error installing bcrypt:
        ERROR: Failed to build gem native extension.

    current directory: /usr/local/lib/ruby/gems/2.5.0/gems/bcrypt-3.1.13/ext/mri
/usr/local/bin/ruby -r ./siteconf20190624-6029732-1f0poah.rb extconf.rb
creating Makefile

current directory: /usr/local/lib/ruby/gems/2.5.0/gems/bcrypt-3.1.13/ext/mri
make "DESTDIR=" clean

current directory: /usr/local/lib/ruby/gems/2.5.0/gems/bcrypt-3.1.13/ext/mri
make "DESTDIR="
compiling bcrypt_ext.c
compiling crypt_blowfish.c
compiling crypt_gensalt.c
compiling wrapper.c
linking shared-object bcrypt_ext.so
gcc: error: x86.o: No such file or directory
make: 1254-004 The error code from the last command is 1.

Stop.

make failed, exit code 2

Gem files will remain installed in /usr/local/lib/ruby/gems/2.5.0/gems/bcrypt-3.1.13 
for inspection.
Results logged to /usr/local/lib/ruby/gems/2.5.0/extensions/powerpc-aix-7/2.5.0-static/bcrypt-3.1.13/gem_make.out

So this time the failure is an x86.o object file that the build expects but never produces on the ppc64 AIX platform. The fix is easy as well: let's repeat the exercise, fetch the gem and modify the build procedure.

$ gem fetch bcrypt 
Fetching: bcrypt-3.1.13.gem (100%)
Downloaded bcrypt-3.1.13
$ gem spec bcrypt-3.1.13.gem --ruby > bcrypt.gemspec
$ gem unpack bcrypt-3.1.13.gem
$ mv bcrypt.gemspec bcrypt-3.1.13 
$ cd bcrypt-3.1.13
$ cd ext/mri

Let's edit extconf.rb again and remove the x86 reference: delete x86.o from the list of objects, save, and rebuild the gem. x86.S only carries a hand-written i386 version of the Blowfish core, so dropping it on PowerPC loses nothing; the portable C implementation in crypt_blowfish.c is used instead.

$ cd ../.. 
$ gem build bcrypt.gemspec
WARNING:  open-ended dependency on rspec (>= 3, development) is not recommended
  if rspec is semantically versioned, use:
    add_development_dependency 'rspec', '~> 3'
WARNING:  See http://guides.rubygems.org/specification-reference/ for help
  Successfully built RubyGem
  Name: bcrypt
  Version: 3.1.13
  File: bcrypt-3.1.13.gem

$ su 
# gem install bcrypt-3.1.13.gem
Building native extensions. This could take a while...
Successfully installed bcrypt-3.1.13
Parsing documentation for bcrypt-3.1.13
Installing ri documentation for bcrypt-3.1.13
Done installing documentation for bcrypt after 26 seconds
1 gem installed

Now we should be all set to install the remaining gems needed by Metasploit Framework, so just run bundle install from the Metasploit root directory:

$ cd metasploit-framework-master
$ bundle install
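The whole gem-patching detour above (fetch, unpack, edit extconf.rb, rebuild, install) is worth scripting so it is repeatable, for instance when Metasploit's Gemfile.lock later moves to a newer nokogiri or bcrypt and the unpatched version fails again. The script below is an added example written for this page, not code from the original post or from the nokogiri/bcrypt projects. It assumes gem and ruby are the /usr/local builds from above, that the extconf.rb lines it edits look like the 1.10.3 and 3.1.13 releases (the fragments written by selfcheck are constructed for the offline self-check, not copied from the gems), and that it is run with POSIX sh; sed -i is deliberately avoided because AIX sed does not have it.

```shell
#!/bin/sh
# Added example for this page, not code from the original post or from the
# nokogiri/bcrypt projects. It scripts the two extconf.rb edits described
# above and the fetch / unpack / build steps around them.
# Assumptions: `gem` and `ruby` are the /usr/local Ruby built earlier; the
# extconf.rb lines matched below look like nokogiri 1.10.3 and bcrypt 3.1.13.
set -eu

# AIX sed has no -i, so edit through a temporary file instead.
sed_in_place() {  # sed_in_place SED_SCRIPT FILE
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# nokogiri: inside the `if nix? ... end` block, replace the $CFLAGS line with
# the post's version. -DUSE_INCLUDED_VASPRINTF compiles in the vasprintf()
# the gem ships for C libraries that lack it (AIX libc is one of them).
patch_nokogiri_extconf() {  # patch_nokogiri_extconf ext/nokogiri/extconf.rb
    sed_in_place '/^[[:space:]]*if nix?/,/^[[:space:]]*end/s|^\([[:space:]]*\)\$CFLAGS << .*|\1$CFLAGS << " -DXP_WIN -DXP_WIN32 -DUSE_INCLUDED_VASPRINTF "|' "$1"
    # Fail loudly if the pattern did not match (e.g. a reorganised extconf.rb).
    grep -q 'USE_INCLUDED_VASPRINTF' "$1"
}

# bcrypt: drop x86.o (i386-only assembly) from the object list, removing the
# token and the separator in front of it, for 'x86.o', "x86.o" or %w tokens.
patch_bcrypt_extconf() {  # patch_bcrypt_extconf ext/mri/extconf.rb
    sed_in_place "s/[,[:space:]]*['\"]\{0,1\}x86\.o['\"]\{0,1\}//" "$1"
    if grep -q 'x86\.o' "$1"; then
        echo "x86.o is still referenced in $1" >&2
        return 1
    fi
}

# The fetch / spec / unpack / patch / build sequence the post does by hand.
build_patched_gem() {  # build_patched_gem nokogiri|bcrypt VERSION
    name=$1 ver=$2
    gem fetch "$name" -v "$ver"
    gem spec "$name-$ver.gem" --ruby > "$name.gemspec"
    gem unpack "$name-$ver.gem"
    mv "$name.gemspec" "$name-$ver/"
    case "$name" in
        nokogiri) patch_nokogiri_extconf "$name-$ver/ext/nokogiri/extconf.rb" ;;
        bcrypt)   patch_bcrypt_extconf "$name-$ver/ext/mri/extconf.rb" ;;
        *) echo "no AIX patch known for $name" >&2; return 1 ;;
    esac
    (cd "$name-$ver" && gem build "$name.gemspec")
    echo "patched gem: $name-$ver/$name-$ver.gem (install it as root with gem install)"
}

# After installing, make sure the extension really loads: the nokogiri
# problem only shows at load time, not at build time. On AIX,
# `dump -Tv nokogiri.so | grep vasprintf` also shows whether the symbol is
# still an unresolved import.
check_loads() {  # check_loads nokogiri|bcrypt
    ruby -r "$1" -e "puts '$1 loaded OK'"
}

# Offline self-check on constructed fragments that mirror only the lines the
# patches touch (constructed for this example, not copied from the gems).
selfcheck() {  # selfcheck DIR
    cat > "$1/nokogiri_extconf.rb" <<'EOF'
require 'mkmf'
if windows?
  $CFLAGS << " -DXP_WIN -DXP_WIN32"
end
if nix?
  $CFLAGS << " -g -DXP_UNIX"
end
create_makefile('nokogiri/nokogiri')
EOF
    cat > "$1/bcrypt_extconf.rb" <<'EOF'
require "mkmf"
dir_config("bcrypt_ext")
$objs = ['bcrypt_ext.o', 'crypt_blowfish.o', 'crypt_gensalt.o', 'wrapper.o', 'x86.o']
create_makefile("bcrypt_ext")
EOF
    patch_nokogiri_extconf "$1/nokogiri_extconf.rb"
    patch_bcrypt_extconf "$1/bcrypt_extconf.rb"
}

case "${1:-}" in
    check)           selfcheck "$(mktemp -d)" && echo "self-check passed" ;;
    nokogiri|bcrypt) build_patched_gem "$1" "${2:?version required, e.g. 1.10.3}" ;;
    *)               ;;  # no arguments: only define the functions (for sourcing)
esac
```

Saved as, say, patch-gems.sh (the name is an assumption), `sh patch-gems.sh check` runs the offline self-check, and `sh patch-gems.sh nokogiri 1.10.3` or `sh patch-gems.sh bcrypt 3.1.13` produces a patched .gem to install as root; afterwards `check_loads nokogiri` (or `nokogiri --version`, as above) confirms the extension actually loads. One caveat for the bundle install step: Bundler only reuses the gems you installed by hand if their versions match what Gemfile.lock pins, so if the lockfile asks for a newer nokogiri or bcrypt, run the script against that version first, otherwise Bundler fetches the unpatched one and the build fails again.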

Make some coffee/tea as this will take some time … I went outside to see the world around me

So, are we now ready to run Metasploit Framework on AIX 7.2? Yes we are!

We can run ./msfconsole and hope everything works (again, this takes some time under qemu).

And even do some live testing against an up-to-date Windows 10 1903 (10.0.18362.175) and bypass MS Defender while we are at it ;)

And a video demonstration of how it runs/works on AIX against Win10


About astr0baby

Please run Adblock or similar... we have been told to do so since Carl Sagan wrote the Contact .

3 Responses to Metasploit framework on AIX 7.2

  1. Pingback: Metasploit framework on AIX 7.2 – Astr0baby’s not so random thoughts _____ rand() % 100; – The Library 6.0

  2. Pingback: How to run Metasploit Framework on AIX and the Power architecture - IcySun'Blog

  3. Pingback: How to run Metasploit Framework on AIX and the Power architecture – NEWS.ALL
