Does anyone here have experience troubleshooting KVM installs in Arch? I am using virsh and virt-manager. The VM seems to successfully boot, but the virtualization window is only showing a black screen with a cursor in the top left of the window.

(On the host) journalctl -xe only shows one related error: "libvirtd[298]: this function is not supported by the connection driver: virConnectGetCPUModuleNames"

If it helps: the ISO I am trying to boot from is the live disk that comes with "Hacking: The Art of Exploitation".

Thanks in advance.
On 23/11/15 at 06:59, Luna Moonbright wrote:
Does anyone here have experience troubleshooting KVM installs in arch?
I am using virsh and virt-manager, the VM seems to successfully boot, but the virtualization window is only showing a black screen with a cursor in the top left of the window.
(On the host) journalctl -xe only shows one related error: "libvirtd[298]: this function is not supported by the connection driver: virConnectGetCPUModuleNames"
Could you attach all xml config for this VM? Also /proc/cpuinfo output may help.
If it helps: the ISO I am trying to boot from is the live disk that comes with "Hacking: The Art of Exploitation"
Have you tried other ISOs? Try with the Arch install disk ;) or a derivative with X11. You say it shows a black screen and a cursor, so BIOS/UEFI booted and the kernel booted, but there is no graphical environment. First try another ISO.
Thanks in advance.
You're welcome. -- Joan.
On 11/22/2015 09:59 PM, Luna Moonbright wrote:
I have the same book ("Hacking: The Art of Exploitation", 2nd Edition). I just successfully booted and installed the Live CD in KVM.

The CD is a very old (EOL) custom Ubuntu Live CD (Feisty Fawn). In virt-manager, I selected the "Ubuntu Feisty Fawn" preset, and that changed some of the defaults.

- The video card is set to VMVGA (I think this is the problem. The default is normally QXL, which is a really new super-fast paravirtualized interface iirc.)
- The hard disk is an IDE hard disk.
- Feisty Fawn does not support the EvTouch Tablet.

For some reason, the LiveCD's bootloader took a long time to draw to the screen. I'm not sure why, but after I booted, everything seemed fine. I installed and rebooted.

The repositories have been archived. You will need to edit /etc/apt/sources.list and change every instance of "us.archive.ubuntu.com" to "old-releases.ubuntu.com".

After this, I was able to install openssh-server and vim-gtk on the VM.

I still need to figure out why sshfs won't work (fuse: failed to exec fusermount: Permission denied).

I think the problem you are having is related to the QXL video driver.

Thanks for giving me an excuse to dust off the CD. I really should find more time to read through that book. It's a great book.

If you are curious, the XML dump of my VM follows. (MAC address and UUID are obfuscated.)
--Kyle

<domain type='kvm'>
  <name>hacking</name>
  <uuid>13b0cfef-b878-470f-a690-000000000000</uuid>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.4'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>Nehalem</model>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/sbin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/data/libvirt/images/hacking.qcow2'/>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='hdb' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:??:??:??'/>
      <source network='default'/>
      <model type='rtl8139'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <image compression='off'/>
    </graphics>
    <sound model='ich6'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='vmvga' vram='16384' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </memballoon>
  </devices>
</domain>
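The diagnosis above (QXL video, virtio-style defaults and a USB tablet that a 2007-era live CD has no drivers for) is easy to check mechanically from a domain XML such as the dump Kyle posted. The following is an added example and not code from the thread or from libvirt: it parses the devices section of a domain definition with the standard library, reports the video model, disk buses and input devices, and flags the choices an old guest cannot drive. It also checks the graphics listener, since a lab VM whose SPICE or VNC display is bound to a non-loopback address without a password is reachable by anyone on that network. The two sample definitions are constructed for the example; the set of "paravirtual" device types is an assumption drawn from the thread's diagnosis.

```python
"""Audit a libvirt domain XML for devices an old guest cannot drive.

Added example, not code from the thread or from libvirt. It parses the
<devices> section of a domain definition, reports video model, disk buses
and input devices, flags paravirtual choices an old live CD lacks drivers
for, and checks that any display listener is loopback-only or protected.
"""
import xml.etree.ElementTree as ET

# Assumption taken from the thread's diagnosis: these need guest-side
# paravirtual drivers that a Feisty Fawn era live CD does not carry.
PARAVIRT_VIDEO = {"qxl", "virtio"}
PARAVIRT_DISK_BUS = {"virtio"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _listen_address(graphics):
    """Bind address of a <graphics> element, or None when the daemon default
    (normally loopback, configured in qemu.conf) applies."""
    addr = graphics.get("listen")
    for child in graphics.iterfind("listen"):
        if child.get("type") == "address" and child.get("address"):
            addr = child.get("address")
    return addr


def inspect_domain(xml_text, legacy_guest=True):
    """Return a report dict with device summary and a list of findings."""
    root = ET.fromstring(xml_text)
    devices = root.find("devices")
    report = {
        "name": root.findtext("name"),
        "video": [m.get("type") for m in devices.iterfind("video/model")],
        "disk_buses": sorted({t.get("bus") for t in devices.iterfind("disk/target")}),
        "inputs": [(i.get("type"), i.get("bus")) for i in devices.iterfind("input")],
        "graphics": [],
        "findings": [],
    }
    for g in devices.iterfind("graphics"):
        addr = _listen_address(g)
        has_pw = g.get("passwd") is not None
        report["graphics"].append({"type": g.get("type"), "listen": addr, "password": has_pw})
        if addr is not None and addr not in LOOPBACK and not has_pw:
            report["findings"].append(
                f"{g.get('type')} display listens on {addr} without a password")
    if legacy_guest:
        for model in report["video"]:
            if model in PARAVIRT_VIDEO:
                report["findings"].append(
                    f"video model {model} needs guest drivers an old live CD lacks; use vmvga or cirrus")
        for bus in report["disk_buses"]:
            if bus in PARAVIRT_DISK_BUS:
                report["findings"].append(f"disk bus {bus} needs virtio guest drivers; use ide")
        for itype, bus in report["inputs"]:
            if itype == "tablet":
                report["findings"].append(
                    f"{bus} tablet (evtouch) is unsupported by Feisty Fawn; use a ps2 mouse")
    return report


# Constructed samples: a virt-manager-style default, and the old-guest layout
# the thread describes (vmvga video, IDE disk, PS/2 mouse, SPICE on defaults).
DEFAULT_XML = """<domain type='kvm'>
  <name>lab-default</name>
  <devices>
    <disk type='file' device='disk'><target dev='vda' bus='virtio'/></disk>
    <disk type='file' device='cdrom'><target dev='hda' bus='ide'/></disk>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='spice' autoport='yes' listen='0.0.0.0'/>
    <video><model type='qxl' vram='65536' heads='1'/></video>
  </devices>
</domain>"""

LEGACY_XML = """<domain type='kvm'>
  <name>hacking</name>
  <devices>
    <disk type='file' device='disk'><target dev='hda' bus='ide'/></disk>
    <disk type='file' device='cdrom'><target dev='hdb' bus='ide'/></disk>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes'/>
    <video><model type='vmvga' vram='16384' heads='1'/></video>
  </devices>
</domain>"""

if __name__ == "__main__":
    for xml in (DEFAULT_XML, LEGACY_XML):
        r = inspect_domain(xml)
        print(r["name"], r["video"], r["disk_buses"])
        for finding in r["findings"]:
            print("  -", finding)
```

Run it against `virsh dumpxml <name>` output to get the same report for a real domain; the `legacy_guest` flag turns the driver-compatibility checks off for modern guests while keeping the listener check.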
Fantastic, I love that book and am wanting to get the rest of the way through it. I didn't realize it was such an issue in KVM. I think it works in VirtualBox, but it would be nice to get it installed on KVM so me and a few guys can set up a class on exploitation.

I'll keep working on it too.

On November 27, 2015 7:00:00 PM EST, Kyle Terrien <kyleterrien@gmail.com> wrote:
On 11/27/2015 04:57 PM, Luna Moonbright wrote:
Fantastic, I love that book and am wanting to get the rest of the way through it. I didn't realize it was such an issue in KVM. I think it works in virtual box, but it would be nice to get it installed on KVM so me and a few guys can set up a class on exploitation.
I'll keep working on it to.
It's an old version of Ubuntu, so you could have a lot of fun poking at vulnerabilities, especially if you don't do an apt-get update.

Coincidentally, this VM is vulnerable to my personal favorite exploit--Shellshock. That's something fun you can cover in your class.

kyle@hacking:~ $ env 'x=() { :;}; echo Vulnerable' bash -c 'echo Test'
Vulnerable
Test
kyle@hacking:~ $

And if you set up a web server on the VM, you can demonstrate how to use Shellshock to dump /etc/passwd by setting a malicious User-Agent. [0]

--Kyle

[0] http://blog.regehr.org/archives/1187
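The bash test above works because bash imports any environment variable whose value starts with "() {" as a function definition, and a CGI server copies request headers such as User-Agent and Referer straight into the environment. The same marker is therefore what a defender looks for on the web server side. The following is an added example, not code from the thread: it parses combined-format access log lines and reports every request that carries the marker in a header-derived field. The log lines are constructed for the example and use documentation addresses; the payload is the harmless one from the bash test above.

```python
"""Detect Shellshock probes in web server access logs.

Added example, not code from the thread. Parses Apache/nginx combined-format
lines and flags requests whose request line, Referer or User-Agent carries
the "() {" function-definition marker that bash (CVE-2014-6271) imports.
"""
import re

# The marker: "(" ")" then "{" with optional whitespace between them.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Combined log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(lines):
    """Return one hit per line whose UA, Referer or request line carries the marker."""
    hits = []
    for n, line in enumerate(lines, start=1):
        entry = parse_combined(line)
        if entry is None:
            continue  # malformed or non-combined line: skip, do not crash
        for field in ("ua", "referer", "req"):
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append({"line": n, "ip": entry["ip"], "status": entry["status"],
                             "field": field, "value": entry[field]})
                break
    return hits


# Constructed sample log (RFC 5737 documentation addresses). Lines 2 and 3
# carry the marker in User-Agent and Referer; line 1 is a normal browser UA
# whose "(X11; ...)" parenthesis must not trigger the pattern.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Nov/2015:23:48:01 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [27/Nov/2015:23:48:05 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo Vulnerable"',
    '198.51.100.23 - - [27/Nov/2015:23:48:09 -0500] "GET /cgi-bin/status HTTP/1.1" 500 0 "() {:;}; echo Vulnerable" "curl/7.45.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for h in find_shellshock(SAMPLE_LOG):
        print(f"line {h['line']}: {h['ip']} status {h['status']} via {h['field']}: {h['value']}")
```

A hit only shows that a probe arrived, not that it succeeded; the status code and whether the path is actually a CGI script decide how urgent the follow-up is. Feed real logs in with `find_shellshock(open(path).read().splitlines())`.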
That is a great idea, in fact I am going to leave it 100% unpatched and try all of those fun kernel exploits on it as well.

As for it just being old Ubuntu - are the newer EOL versions of Ubuntu (like 9 or 10) still easy to exploit (32 bit/no canaries/no NX) that are easier to get the display drivers to work for?

Shellshock was awesome, but my favorite exploit is the exploit in fingerd used by the Morris worm. So simple - yet so effective. I'm sure us archers can appreciate that.

Thanks!

On 11/27/2015 11:48 PM, Kyle Terrien wrote:
On 11/27/2015 11:14 PM, Luna Moonbright wrote:
As for it just being old Ubuntu - are the newer EOL versions of Ubuntu (like 9 or 10) still easy to exploit (32 bit/no canaries/no NX) that are easier to get the display drivers to work for?
I can't remember when Ubuntu started supporting canaries. (I haven't done much Ubuntu stuff since Linux Mint 14 (based on 12.10).)

There used to be a project called Damn Vulnerable Linux, but it has disappeared. Even their website is gone.

A quick web search revealed some possibilities [0], although I have never heard of them personally. Let me know if you find any good intentionally vulnerable distros.

You could also download old unsupported Ubuntu releases [1]. (You just need to tweak the repository URLs after install.)

Normally, if I want/need a completely out-of-date vulnerable system to poke at, I usually use an old distro (whatever is sitting around) and bite the bullet to figure out what hardware it is looking for. It's trial and error.
Shellshock was awesome, but my favorite exploit is the exploit in fingerd used by the Morris worm. So simple - yet so effective. I'm sure us archers can appreciate that.
Thanks!
I have heard of it, but I don't know all the details. I will definitely look up the fingerd exploit.

--Kyle

[0] http://www.101hacker.com/2013/03/5-vulnerable-distros-for-practicing.html
[1] http://old-releases.ubuntu.com/releases/
Thanks, this image [1] certainly qualifies as an "intentionally vulnerable" image. The guys at my school have used it pretty extensively for target practice.

As for the Morris worm, the vulnerable function was a use of gets() directly on a packet that read into the first variable declared in the program (which was, undeniably, a char array). Good ole' buffer overflows.

I just watched a talk on Cisco router exploitation from '09 where the speaker went into a description of ROP like it was a fairly unknown subject. Do you know when using ROP began being common as a mitigation for DEP?

As for places that are fairly easy to start learning exploitation I would recommend Slackware 10-12. Those are all 32-bit OSs with no DEP and a sloppy pager. This is also a great resource for learning exploitation [2].

If you want to continue this perhaps we could close the "KVM troubles thread" and start an "exploitation general" thread which might pick up a few more guys with additional resources.

[0] https://sourceforge.net/projects/metasploitable/
[1] https://opensecuritytraining.info

return 0;

On 11/29/2015 01:11 AM, Kyle Terrien wrote: