elliott
f4eef81807
QEMU's SLIRP hostfwd tried to bind host port 21 for the Metasploitable2
target, which fails for the non-root cis490 user (EPERM). The exploit
driver also had no way to use a different host-side port than the module's
static RPORT=21, so even if the VM had started the exploit would have
connected to the wrong port.
Fix:
- launch_target.sh: change PORT_BASE default from (21 + SLOT*100) to
(2121 + SLOT*100) so SLIRP binds non-privileged ports
- exploits/driver.py: add target_port to DriverConfig; in _fire(),
override opts["RPORT"] when target_port is set so msfrpcd connects
to the correct forwarded port
- tools/run_tier3_demo.py: pass target_port=args.target_port to DriverConfig
- scripts/install-tier-3-4.sh: --target-port 2121 (matches new default)
Closes spectral/CIS490#18
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
117 lines
4.2 KiB
Bash
Executable file
117 lines
4.2 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# Boot the Tier-3 *target* VM (the intentionally-vulnerable guest the
|
|
# exploit fires against). Companion to ``launch_demo.sh``, which boots
|
|
# the *idle* Alpine guest used in Tiers 1-2.
|
|
#
|
|
# Networking note: this launcher uses SLIRP usermode networking with
|
|
# ``restrict=on`` plus an explicit ``hostfwd`` for each vulnerable port.
|
|
# That gives us:
|
|
# - the host can reach the guest's services (for msfrpcd + the
|
|
# exploit module to drive ``RHOSTS=127.0.0.1``)
|
|
# - the guest cannot reach the host or the internet (no NAT exit)
|
|
#
|
|
# The host-only ``br-malware`` bridge described in docs/architecture.md
|
|
# replaces SLIRP once the bridge-side pcap collector (source 4) lands —
|
|
# at which point payloads with ``reverse_tcp`` callbacks become viable
|
|
# too. Until then, we restrict module choices to ones that return a
|
|
# shell on the same socket they exploit (e.g. vsftpd_234_backdoor).
|
|
#
|
|
# Run-dir contract (read by run_tier3_demo.py):
|
|
# $RUN_DIR/qemu.pid
|
|
# $RUN_DIR/qmp.sock
|
|
# $RUN_DIR/monitor.sock
|
|
# $RUN_DIR/serial.sock
|
|
|
|
set -euo pipefail
|
|
|
|
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
|
IMAGE="${IMAGE:-$REPO_ROOT/vm/images/metasploitable2.qcow2}"
|
|
SLOT="${SLOT:-0}"
|
|
RUN_DIR="${RUN_DIR:-/tmp/cis490-target-$SLOT}"
|
|
RAM_MIB="${RAM_MIB:-512}"
|
|
# When BRIDGE is set, attach a tap to the host-only bridge instead of
|
|
# using SLIRP. Pcap-feature episodes (source 4) require this.
|
|
BRIDGE="${BRIDGE:-}"
|
|
TAP="${TAP:-cis490target$SLOT}"
|
|
# Ports the host should forward to the guest. Comma-separated host:guest pairs.
|
|
# Default covers the vsftpd module's RPORT. Slot offset makes per-VM
|
|
# fleet runs collision-free (slot 0 → 21, slot 1 → 121, slot 2 → 221, ...).
|
|
PORT_BASE="${PORT_BASE:-$((2121 + SLOT * 100))}"
|
|
TARGET_PORTS="${TARGET_PORTS:-${PORT_BASE}:21}"
|
|
# KVM if the host can take it; otherwise fall back to TCG. Cross-arch
|
|
# images (Metasploitable2 is x86-only) on aarch64 hosts will need TCG.
|
|
ACCEL="${ACCEL:-}"
|
|
|
|
mkdir -p "$RUN_DIR"
|
|
QMP_SOCK="$RUN_DIR/qmp.sock"
|
|
MON_SOCK="$RUN_DIR/monitor.sock"
|
|
PID_FILE="$RUN_DIR/qemu.pid"
|
|
SERIAL_SOCK="$RUN_DIR/serial.sock"
|
|
|
|
if [[ ! -f "$IMAGE" ]]; then
|
|
cat >&2 <<EOF
|
|
no target image at $IMAGE
|
|
|
|
Drop a vulnerable Linux qcow2 there. The canonical choice is
|
|
Metasploitable2 — see docs/sources.md for the download + sha256.
|
|
|
|
If the image is x86 and your host is not, set ACCEL=tcg explicitly.
|
|
EOF
|
|
exit 1
|
|
fi
|
|
|
|
# Build the netdev string. With BRIDGE set we use a tap on the host-only
|
|
# bridge (so source-4 pcap captures the traffic). Without it, SLIRP
|
|
# usermode + restrict=on for the no-egress smoke runs.
|
|
if [[ -n "$BRIDGE" ]]; then
|
|
NETDEV="tap,id=n0,ifname=$TAP,script=no,downscript=no"
|
|
else
|
|
NETDEV="user,id=n0,restrict=on"
|
|
IFS=',' read -ra _PAIRS <<< "$TARGET_PORTS"
|
|
for pair in "${_PAIRS[@]}"; do
|
|
host_port="${pair%%:*}"
|
|
guest_port="${pair##*:}"
|
|
NETDEV+=",hostfwd=tcp:127.0.0.1:${host_port}-:${guest_port}"
|
|
done
|
|
fi
|
|
|
|
# Pick acceleration: explicit override wins; otherwise use KVM if the
|
|
# device is present, else TCG.
|
|
if [[ -z "$ACCEL" ]]; then
|
|
if [[ -e /dev/kvm && -r /dev/kvm && -w /dev/kvm ]]; then
|
|
ACCEL="kvm"
|
|
else
|
|
ACCEL="tcg"
|
|
fi
|
|
fi
|
|
|
|
CPU_FLAGS=()
|
|
if [[ "$ACCEL" == "kvm" ]]; then
|
|
CPU_FLAGS=(-cpu host)
|
|
fi
|
|
|
|
AGENT_SOCK="$RUN_DIR/agent.sock"
|
|
|
|
# snapshot=on so the qcow2 is never mutated — every boot is identical.
|
|
# Second virtio-serial port carries the in-guest agent's telemetry to
|
|
# the host (see vm/guest-agent/). Targets without the agent installed
|
|
# (e.g. unmodified Metasploitable2) leave the device unused — the
|
|
# host-side collector simply gets no rows. Harmless.
|
|
exec qemu-system-x86_64 \
|
|
-name cis490-target \
|
|
-machine q35,accel="$ACCEL" \
|
|
"${CPU_FLAGS[@]}" \
|
|
-smp 1,sockets=1,cores=1,threads=1 \
|
|
-m "$RAM_MIB" \
|
|
-drive file="$IMAGE",format=qcow2,if=virtio,snapshot=on \
|
|
-netdev "$NETDEV" \
|
|
-device virtio-net-pci,netdev=n0 \
|
|
-device virtio-serial-pci,id=cis490vs0 \
|
|
-chardev socket,id=cis490agent,path="$AGENT_SOCK",server=on,wait=off \
|
|
-device virtserialport,chardev=cis490agent,name=cis490.guest.agent \
|
|
-nographic \
|
|
-serial unix:"$SERIAL_SOCK",server=on,wait=off \
|
|
-monitor unix:"$MON_SOCK",server=on,wait=off \
|
|
-qmp unix:"$QMP_SOCK",server=on,wait=off \
|
|
-pidfile "$PID_FILE" \
|
|
-display none
|