Author
Christopher Marshall (christopherlmarshall@yahoo.com)
Raw Notes on User Mode Linux
# here is how you can tell what the kernel command line was
cat /proc/cmdline
# making a slackware initrd image for installing
# mount the standard slackware root image
gunzip color.gz
mkdir mnt
mount color mnt -o loop
# copy it into another directory on an ext2 loopback file
mkdir mnt2
dd if=/dev/zero of=/color2 bs=1M count=10
mke2fs color2
mount color2 mnt2 -o loop
cd mnt2
(cd ../mnt; tar c *) | tar xp
cd etc
vi inittab
(comment out tty2 and tty3)
vi fstab
(make root partition udb0 and mount proc)
vi rc.d/rc.S
(comment out post-root-rw-bitch "read" prompt statement by searching for "read junk;", so slack doesn't hang on boot)
cd ../dev
mknod ubd0 b 98 0
mknod ubd1 b 98 1
mknod ubd2 b 98 2
mknod ubd3 b 98 3
mknod ubd4 b 98 4
mknod ubd5 b 98 5
# install bugged bash
cd ..
cp /usr/local/bin/bugged_bash bin/bash
# configure syslog to log everything to host syslog
vi etc/syslog; (add line *.* @10.3.0.2, restart host syslog with "syslogd -r")
# clean up
cd ../..
umount mnt
umount mnt2
chown chris.users *
# start UML with the new slackware install image
./linux ubd0=color2 devfs=nomount rw
# mounting a host partition or block device under UML
# here we do the cdrom drive. The 'r' suffix makes it read-only
chown chris /dev/hdc
./linux ubd1r=/dev/hdc
mount /dev/ubd/1 /mnt
# here we do a hard drive partition
chown chris /dev/hda6
./linux ubd1=/dev/hda6
mount /dev/ubd1 /mnt
# networking
# host side
chmod 666 /dev/net/tun # this looks bad but is not exploitable: opening the device by itself gives nothing — creating a new tap, or attaching to a persistent one that was not handed to you with "tunctl -u", is still refused without CAP_NET_ADMIN, which is why the "tunctl -u chris" step below (run as root) is what makes tap0 usable from the unprivileged account
insmod tun
tunctl -u chris
(observe net device name, probably tap0)
ifconfig tap0 10.3.0.2 netmask 255.255.255.0 up
# slackware UML side
./linux ubd0=color2 devfs=nomount rw eth0=tuntap,tap0
ifconfig eth0 10.3.0.1 netmask 255.255.255.1 up
(at this point everything works as it should)
(you can ssh and telnet to your heart's content)
# cleanup
# sometimes, a tap can be left open and you won't be able to use it.
# To see if that is the case, try to remove it, then add it back
tunctl -d tap0
# console and tty tapping
# in the case below, you can use telnet to attach to the port and interact
./linux ubd0=color2 devfs=nomount rw eth0=tuntap,tap0 con=port:9000
./linux ubd0=color2 devfs=nomount rw eth0=tuntap,tap0 con=xterm
# Next step should be compiling a slackware kernel that has been UML patched
# compiling the kernel, you need to put ARCH=um on all steps
bzip2 -dc packages/linux-2.4.19.tar.bz2 | tar xp
cd linux-2.4.19
bzip2 -dc ../packages/uml-patch-2.4.19-18.bz2 | patch -p1
make clean ARCH=um
make mrproper ARCH=um
make xconfig ARCH=um
(
uml config options
if you want to use jail, you need to disable loadable modules and
host fs support under general setup. If you want to use SKAS mode,
you need to enable CONFIG_MODE_SKAS)
CONFIG_TTY_LOG=y # this enables tty logging for honeypots
)
(
host kernel options
CONFIG_PROC_MM=y # make bzImage will fail without this one
)
(after you do an xconfig, you can save the .config file and automatically
do this step next time with "make oldconfig". If you change patches, though,
you have to redo the "make xconfig")
make dep ARCH=um
make linux ARCH=um
(had to edit /usr/lib/gcc-lib/i386-slackware-linux/2.95.5/include/asm/posix.h)
(I should make a comment about this on the UML mailing lists)
(just saw that patch 18 does not compile. I am going to try patch 17 next)
(patch 17 worked with the posix.h hack)
make modules ARCH=um
make modules_install INSTALL_MOD_PATH=../mnt ARCH=um
# some experiments with communication channels
# this seems to work, but doesn't output anything on the console log
/sbin/e2fsck -p slack_fs
cat /dev/ptyp0 > console_log &
./linux-uml ubd0=slack_fs rw eth0=tuntap,tap0 con1=/dev/ttyp0 tty=null
# here's another way of handling this
./linux-uml ubd0=slack_fs rw eth0=tuntap,tap0 con1=null tty=null
# why doesn't this work?
./linux-uml ubd0=slack_fs rw eth0=tuntap,tap0 con0=null con1=null tty=null
# until it does, I am stuck running this by hand from an interactive terminal, it seems
# hmmm, I'll bet "ssh -t" could be used to run this from a pseudoterminal.
# I tried this and it didn't work.
# next step:
# write a script for starting up UML, and run it from within a vncserver on elcheapo
# instrument it with the bugged bash, and work out automatic email notification when
# someone bites. Then work out automatic shutdown. THEN alter rc.firewall to redirect
# telnet traffic to it and wait for a bite!
Marijn Vriens schrieb:
> $ dd if=/dev/zero of=usrServ.disk seek=100 count=1 bs=1M
Should also work with "count=0" 8-)
> Start up UML...
> Kernel command line: ubd0=Debian-3.0r0.ext2 ubd1=usrServ.disk
You need to use ubda and ubdb.
> virtual:~# mkfs /dev/ubd1
And here ubdb too. The other possibility would be to fdisk /dev/ubdb and
then mkfs /dev/ubdb1 and so on.
Since partitions are supported, the ubd-devices changed. Device 98/1 is
no longer the second disk, it's now the first partition out of 15 on
the first disk. Device 98/16 is the second disk (former ubd16).
rm /dev/ubd* and execute this script to update with the new naming
convention:
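#!/bin/bash
# Recreate the ubd device nodes under the partition-aware naming scheme:
# /dev/ubda..ubdh are the whole disks (minor 0, 16, 32, ...), and each disk
# gets 15 partition nodes /dev/ubdXn (n = 1..15) at minor base+1..base+15.
# Must run as root (mknod of a block device needs CAP_MKNOD); remove the
# old /dev/ubd* nodes first, as described above. Stops at the first
# failing mknod instead of silently continuing.
set -eu

readonly device=/dev/ubd
readonly major=98
readonly parts_per_disk=15
# minors consumed per disk: the whole-disk node plus one per partition slot
readonly minors_per_disk=$((parts_per_disk + 1))

minor=0
for u in a b c d e f g h; do
  dev=$device$u
  # whole-disk node
  mknod -- "$dev" b "$major" "$minor"
  # partition nodes; arithmetic loop avoids spawning seq per disk
  for ((i = 1; i <= parts_per_disk; i++)); do
    mknod -- "$dev$i" b "$major" "$((minor + i))"
  done
  minor=$((minor + minors_per_disk))
done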
# When a UML instance starts, a file is created in /tmp (on the host) that is the same size as the physical memory of the instance specified in the mem= boot parameter. Performance will greatly increase if /tmp is a tmpfs filesystem on the host. Another approach to gaining this advantage is to use /dev/anon together with the ubd=mmap boot argument. You need to create the /dev/anon node like this on the host: "mknod /dev/anon c 1 10". You also need to "chmod 666 /dev/anon" so normal users can use it.
# hostfs filesystem
# this will mount the host's root directory under the uml at /mnt/host:
mount -t hostfs none /mnt/host
# this will mount a subdirectory (/home/someuser) of the host's filesystem
mount -t hostfs none /mnt/host -o /home/someuser
