Setting up argos

Foreword

The aim is to set up argos so that it runs on the host and shares the host's network environment (e.g. the network's standard DHCP server), using a bridge interface.

kqemu is not strictly needed, but since it may speed up the guest OS installation by a factor of 2.5 to 5, we simply set aside any concerns about using a proprietary, closed-source kernel module.

Requirements

  • argos 0.1 (argos-0.1.tar.gz, URL below)
  • udma patched qemu with kqemu kernel module (qemu_full-0.7.2.tar.gz, URL below)
  • recent linux kernel with support for
    • bridge
    • tun
  • bridge-utils
  • an install ISO for the guest OS
  • SDL library & headers

Installation

Setting up the kernel

Make sure your kernel config contains the following (built in, =y, works too):

CONFIG_BRIDGE=m
CONFIG_TUN=m

Compiling from source

We simply assume you want to install argos to /opt/argos

argos

cd /tmp/
wget http://www.few.vu.nl/~porto/argos/packages/argos-0.1.tar.gz
tar xfz argos-0.1.tar.gz
cd argos-0.1
./configure --prefix=/opt/argos

the configure output should look like:

Install prefix    /opt/argos
BIOS directory    /opt/argos/share/qemu
binary directory  /opt/argos/bin
Manual directory  /opt/argos/share/man
ELF interp prefix /usr/gnemul/qemu-%M
Source path       /tmp/argos-0.1
C compiler        gcc
Host C compiler   gcc
make              make
host CPU          i386
host big endian   no
target list       i386-softmmu
gprof enabled     no
static build      no
SDL support       yes
SDL static link   no
mingw32 support   no
Adlib support     no
FMOD support      no

then build and install:

make
make install

qemu

cd /tmp
wget http://www.few.vu.nl/~porto/argos/packages/qemu_full-0.7.2.tar.gz
tar xfz qemu_full-0.7.2.tar.gz
cd qemu_full-0.7.2
./configure --prefix=/opt/argos

the configure output should look like:

Install prefix    /opt/argos
BIOS directory    /opt/argos/share/qemu
binary directory  /opt/argos/bin
Manual directory  /opt/argos/share/man
ELF interp prefix /usr/gnemul/qemu-%M
Source path       /tmp/qemu_full-0.7.2
C compiler        gcc
Host C compiler   gcc
make              make
host CPU          i386
host big endian   no
target list       i386-user arm-user armeb-user sparc-user ppc-user i386-softmmu ppc-softmmu sparc-softmmu x86_64-softmmu mips-softmmu
gprof enabled     no
static build      no
SDL support       yes
SDL static link   no
mingw32 support   no
Adlib support     no
FMOD support      no
kqemu support     yes

KQEMU Linux module configuration:
kernel sources    /lib/modules/2.6.14.4/build
kbuild type       2.6

then build and install:

make
make install

Setting up kqemu

compile

The patched qemu above builds the kernel module as part of its own build, so we do not need to do it by hand.

load the module

# modprobe kqemu

Setting up a qemu guest os

create an image

Now we create a 2 GB qemu image in qcow format.

cd /opt/argos/
bin/qemu-img create -f qcow qemu_win2k.img 2G

install windows 2000

bin/qemu -localtime -m 256 -hda qemu_win2k.img -cdrom /path/to/Windows_2000.iso -boot d -win2k-hack

setup qemu bridge'd networking

first we create

/opt/argos/etc/qemu-ifup

with content

#!/bin/sh
# qemu calls this script with the name of the freshly created tap interface as $1:
# attach it to the bridge and bring it up without an address of its own
brctl addif br0 $1
ifconfig $1 0.0.0.0 promisc up

Debian way

We assume your NIC is eth0, so in /etc/network/interfaces we comment out the eth0 entry and add a br0 entry for the bridge device (adjust the addresses to your LAN):

# The first network card - this entry was created during the Debian installation
#auto eth0
#iface eth0 inet dhcp

auto br0
iface br0 inet static
        address 192.168.53.20
        network 192.168.53.0
        netmask 255.255.255.0
        broadcast 192.168.53.255
        gateway 192.168.53.1
        bridge_ports eth0
        bridge_fd 1
        bridge_hello 1
        bridge_stp off

other distributions

In words, you have to

  • create a br0 device that
    • contains your eth0 device, and assign the IP address/netmask that eth0 used to have to br0 (eth0 itself gets no address), and
    • set the default route to your gateway via br0

starting qemu with the image

To verify everything works as intended, start the freshly installed image in qemu (with the ifup script, so the guest gets a tap interface on the bridge) and check that networking works:

bin/qemu -localtime -m 256 -hda qemu_win2k.img -n etc/qemu-ifup

In the guest, use ping and tracert from cmd.exe, and maybe Internet Explorer, to verify that you can reach both the LAN and the Internet.

start argos

bin/argos -localtime -m 256 -hda qemu_win2k.img -snapshot -win2k -n etc/qemu-ifup

-snapshot makes qemu write all changes to a temporary file and discard them on exit, so the image stays clean and every run starts from the same known-good state.

smack argos the way it likes it

verify the guest is reachable

The guest obtained 192.168.53.213 from the LAN's DHCP server through the bridge; ping it:

ping 192.168.53.213
PING 192.168.53.213 (192.168.53.213): 56 data bytes
64 bytes from 192.168.53.213: icmp_seq=0 ttl=128 time=8.0 ms
64 bytes from 192.168.53.213: icmp_seq=1 ttl=128 time=5.7 ms
64 bytes from 192.168.53.213: icmp_seq=2 ttl=128 time=7.3 ms
64 bytes from 192.168.53.213: icmp_seq=3 ttl=128 time=3.0 ms

--- 192.168.53.213 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 3.0/6.0/8.0 ms

hit it

./exploit-oc192 -d 192.168.53.213
RPC DCOM remote exploit - .:[oc192.us]:. Security
[+] Resolving host..
[+] Done.
-- Target: [Win2k-Universal]:192.168.53.213:135, Bindshell:666, RET=[0x0018759f]
[-] Couldnt connect to bindshell, possible reasons:
1:Host is firewalled
2:Exploit failed

The exploit reports that it could not reach the bindshell. That is expected: argos detects the attack the moment tainted data is used as a jump target (code <JMP> below), before the injected payload gets to open its shell. Now check the argos logs:

[ARGOS] Attack detected, code <JMP>
[ARGOS] Log generated <argos.csi.1135266457>
the memory dump
-rw-------  1 root root 16651 2005-12-22 16:47 argos.csi.1135266457

I trimmed it for size reasons.

00000620  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90
*
000006c0  90 90 90 90 eb 19 5e 31  c9 81 e9 89 ff ff ff 81
000006d0  36 80 bf 32 94 81 ee fc  ff ff ff e2 f2 eb 05 e8
000006e0  e2 ff ff ff 03 53 06 1f  74 57 75 95 80 bf bb 92
000006f0  7f 89 5a 1a ce b1 de 7c  e1 be 32 94 09 f9 3a 6b
00000700  b6 d7 9f 4d 85 71 da c6  81 bf 32 1d c6 b3 5a f8
00000710  ec bf 32 fc b3 8d 1c f0  e8 c8 41 a6 df eb cd c2
00000720  88 36 74 90 7f 89 5a e6  7e 0c 24 7c ad be 32 94
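What the dump shows is the textbook shape of this payload: a long 0x90 NOP sled, then a jmp/call/pop XOR decoder stub, then the encoded shellcode. Reading the stub bytes: eb 19 jumps forward to e8 e2 ff ff ff, a backwards call that lands on 5e (pop esi), so esi now points just past the call; 31 c9 / 81 e9 89 ff ff ff sets ecx = 0 - 0xffffff89 = 0x77 dwords; 81 36 80 bf 32 94 is xor dword [esi], 0x9432bf80; 81 ee fc ff ff ff advances esi by 4; e2 f2 loops; eb 05 finally jumps over the call into the decoded code. The C program below is an added example, not code from this page or from argos: it parses the trimmed hexdump above (embedded verbatim as its sample input, honouring hexdump's "*" repeat marker), measures the sled, recovers key and count from the stub, checks that the call really lands on the pop esi, and applies the decoder to the 76 encoded bytes the page shows (the full payload is 0x77 * 4 = 476 bytes, so most of it is cut off by the trimming). The decoded prefix 83 ec 34 8b f4 is sub esp, 0x34; mov esi, esp, and the pushes that build the string "ws2_32.dll" on the stack are visible a few dwords later, which is what you would expect from a bindshell. The file name in the usage note is an assumption.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The trimmed argos.csi hexdump shown on this page (offsets 0x620-0x72f),
 * embedded as the sample input. "*" is hexdump's "previous line repeats" marker. */
static const char *const kDump =
    "00000620  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90\n"
    "*\n"
    "000006c0  90 90 90 90 eb 19 5e 31  c9 81 e9 89 ff ff ff 81\n"
    "000006d0  36 80 bf 32 94 81 ee fc  ff ff ff e2 f2 eb 05 e8\n"
    "000006e0  e2 ff ff ff 03 53 06 1f  74 57 75 95 80 bf bb 92\n"
    "000006f0  7f 89 5a 1a ce b1 de 7c  e1 be 32 94 09 f9 3a 6b\n"
    "00000700  b6 d7 9f 4d 85 71 da c6  81 bf 32 1d c6 b3 5a f8\n"
    "00000710  ec bf 32 fc b3 8d 1c f0  e8 c8 41 a6 df eb cd c2\n"
    "00000720  88 36 74 90 7f 89 5a e6  7e 0c 24 7c ad be 32 94\n";

typedef struct {
    int found;
    uint32_t key;     /* imm32 of "81 36 imm32"   xor dword [esi], imm32 */
    uint32_t ndwords; /* ecx after "31 c9; 81 e9 imm32"   ecx = 0 - imm32 */
    size_t payload;   /* buffer index of the first encoded byte (just after the call) */
} decoder_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse "offset  xx xx ..." lines into a flat buffer; *base receives the first offset.
 * A "*" line is skipped and the gap up to the next offset is filled by repeating the
 * previous line, which is exactly what hexdump means by it. */
static size_t parse_hexdump(const char *text, uint8_t *out, size_t cap, uint32_t *base) {
    size_t n = 0, lastlen = 0;
    int have_base = 0;
    uint8_t last[16];
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[96];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = eol ? eol + 1 : p + len;

        char *tok;
        unsigned long off = strtoul(line, &tok, 16);
        if (tok == line || *tok != ' ') continue;              /* "*" or junk */
        if (!have_base) { *base = (uint32_t)off; have_base = 1; }
        while (*base + n < off && lastlen && n + lastlen <= cap) { /* replay repeated line */
            memcpy(out + n, last, lastlen);
            n += lastlen;
        }
        lastlen = 0;
        while (n < cap) {
            while (*tok == ' ') tok++;
            if (!isxdigit((unsigned char)tok[0]) || !isxdigit((unsigned char)tok[1])) break;
            uint8_t v = (uint8_t)strtoul(tok, &tok, 16);
            out[n++] = v;
            if (lastlen < sizeof last) last[lastlen++] = v;
        }
    }
    return n;
}

static size_t nop_sled_len(const uint8_t *b, size_t n) {
    size_t i = 0;
    while (i < n && b[i] == 0x90) i++;
    return i;
}

/* Locate the jmp/call/pop XOR stub: pick up the count (81 e9) and key (81 36), then
 * accept the first backward call (e8 rel32) whose target is a "pop esi" (5e). */
static decoder_t find_decoder(const uint8_t *b, size_t n) {
    decoder_t d = {0, 0, 0, 0};
    for (size_t i = 0; i + 6 <= n; i++) {
        if (b[i] == 0x81 && b[i + 1] == 0xe9) {
            d.ndwords = 0u - le32(b + i + 2);
        } else if (b[i] == 0x81 && b[i + 1] == 0x36) {
            d.key = le32(b + i + 2);
        } else if (b[i] == 0xe8 && d.key && d.ndwords) {
            long tgt = (long)i + 5 + (int32_t)le32(b + i + 1);
            if (tgt >= 0 && (size_t)tgt < i && b[tgt] == 0x5e) {
                d.payload = i + 5;
                d.found = 1;
                break;
            }
        }
    }
    return d;
}

/* Apply the loop's xor dword [esi], key to whatever part of the payload the dump contains. */
static size_t decode_payload(const uint8_t *b, size_t n, const decoder_t *d, uint8_t *out, size_t cap) {
    if (!d->found || d->payload > n) return 0;
    size_t len = (size_t)d->ndwords * 4;
    if (len > n - d->payload) len = n - d->payload;  /* dump is trimmed: decode what we have */
    if (len > cap) len = cap;
    len &= ~(size_t)3;
    for (size_t i = 0; i < len; i += 4) {
        uint32_t v = le32(b + d->payload + i) ^ d->key;
        out[i] = (uint8_t)v; out[i + 1] = (uint8_t)(v >> 8);
        out[i + 2] = (uint8_t)(v >> 16); out[i + 3] = (uint8_t)(v >> 24);
    }
    return len;
}

/* Whole pipeline on one dump: parse, measure sled, find stub, decode. Returns decoded length. */
static size_t analyze_dump(const char *dump, uint32_t *base, size_t *sled, decoder_t *d,
                           uint8_t *out, size_t cap) {
    uint8_t raw[1024];
    size_t n = parse_hexdump(dump, raw, sizeof raw, base);
    *sled = nop_sled_len(raw, n);
    *d = find_decoder(raw, n);
    return decode_payload(raw, n, d, out, cap);
}

int main(void) {
    decoder_t d; uint32_t base = 0; size_t sled; uint8_t dec[1024];
    size_t len = analyze_dump(kDump, &base, &sled, &d, dec, sizeof dec);
    if (!d.found) { puts("no jmp/call/pop decoder found"); return 1; }
    printf("NOP sled %zu bytes, stub at 0x%x, key 0x%08x, %u dwords, payload at 0x%x\n",
           sled, base + (unsigned)sled, d.key, d.ndwords, base + (unsigned)d.payload);
    printf("decoded %zu of %u bytes:", len, d.ndwords * 4);
    for (size_t i = 0; i < len; i++) printf("%s%02x", i % 16 ? " " : "\n  ", dec[i]);
    putchar('\n');
    return 0;
}
```

Build with plain cc (assumed file name argos_decode.c) and run it; to use it on a real argos.csi file, pipe the output of hexdump -C over the region after the sled into it instead of kDump. The only shellcode-specific knowledge baked in is the three-instruction pattern of this decoder family; a stub with a different key size or loop instruction will simply not be found, which is the honest answer rather than a wrong decode.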
 
howto/setting_up_argos_the_0day_shellcode_catcher.txt · Last modified: 2006/02/17 14:01