├── .dockerignore
├── 43.tap.gz
├── Dockerfile
├── README.md
├── boot.ini
├── boot42.gz
├── build.sh
├── install.ini
├── miniroot.gz
└── setup.exp


/.dockerignore:
--------------------------------------------------------------------------------
1 | *
2 | !43.tap.gz
3 | !boot.ini
4 | !boot42.gz
5 | !install.ini
6 | !miniroot.gz
7 | !setup.exp
8 | 


--------------------------------------------------------------------------------
/43.tap.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wvu/ye-olde-bsd/fcaf449a21be55d57d0564d6b0465c13dc7ef1e8/43.tap.gz


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | #
 2 | # Dockerfile for 4.3BSD on VAX by wvu
 3 | #
 4 | # expect(1) and ed(1) are used to automate SIMH
 5 | #
 6 | # This is my first Dockerfile, so please be kind :)
 7 | #
 8 | 
 9 | FROM alpine AS simh
10 | 
11 | WORKDIR /simh
12 | 
13 | # Install build dependencies for SIMH
14 | RUN apk --no-cache add -t build-essential \
15 |       gcc \
16 |       libc-dev \
17 |       make
18 | 
19 | # Build and "install" SIMH
20 | RUN wget https://github.com/simh/simh/archive/master.tar.gz && \
21 |     tar xf master.tar.gz && \
22 |     make -C simh-master vax780 && \
23 |     cp simh-master/BIN/vax780 . && \
24 |     rm -rf simh-master master.tar.gz && \
25 |     apk del build-essential
26 | 
27 | FROM alpine
28 | LABEL author="wvu"
29 | 
30 | WORKDIR /simh
31 | 
32 | ARG SETUP_FILES="install.ini miniroot setup.exp"
33 | 
34 | # Copy SIMH from the builder
35 | COPY --from=simh /simh/vax780 .
36 | 
37 | # Install setup dependencies for 4.3BSD
38 | RUN apk --no-cache add -t simh-essential \
39 |       expect \
40 |       libcap
41 | 
42 | # Copy files, respecting .dockerignore
43 | COPY . .
44 | 
45 | # Install and configure 4.3BSD
46 | RUN gunzip *.gz && \
47 |     ./setup.exp && \
48 |     chown -R nobody:nobody . && \
49 |     setcap cap_net_bind_service+ep vax780 && \
50 |     rm -f $SETUP_FILES && \
51 |     apk del simh-essential
52 | 
53 | # sendmail and fingerd are vulnerable
54 | EXPOSE 25 79
55 | 
56 | # Run the simulator as the "nobody" user
57 | USER nobody
58 | CMD ["./vax780", "boot.ini"]
59 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Docker Environment for 4.3BSD on VAX
 2 | 
 3 | ## Setup
 4 | 
 5 | Run `./build.sh` to build and run this image.
 6 | 
 7 | ## Blog Post
 8 | 
 9 | https://www.rapid7.com/blog/post/2019/01/02/the-ghost-of-exploits-past-a-deep-dive-into-the-morris-worm/
10 | 
11 | ## Related PRs
12 | 
13 | https://github.com/rapid7/metasploit-framework/pull/10700  
14 | https://github.com/rapid7/metasploit-framework/pull/10836  
15 | https://github.com/rapid7/metasploit-framework/pull/11049
16 | 


--------------------------------------------------------------------------------
/boot.ini:
--------------------------------------------------------------------------------
 1 | set rq0 ra81
 2 | att rq0 rq.dsk
 3 | set rq1 dis
 4 | set rq2 dis
 5 | set rq3 dis
 6 | set rp dis
 7 | set lpt dis
 8 | set rl dis
 9 | set tq dis
10 | set tu dis
11 | att ts 43.tap
12 | set tti 7b
13 | set tto 7b
14 | load -o boot42 0
15 | d r10 9
16 | d r11 0
17 | set xu enable
18 | att xu nat:tcp=25:10.0.2.15:25,tcp=79:10.0.2.15:79
19 | set dz lines=8
20 | att dz 23
21 | set dz 7b
22 | run 2
23 | 


--------------------------------------------------------------------------------
/boot42.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wvu/ye-olde-bsd/fcaf449a21be55d57d0564d6b0465c13dc7ef1e8/boot42.gz


--------------------------------------------------------------------------------
/build.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh -ex
2 | 
3 | docker build -t ye-olde-bsd .
4 | docker run -itp 127.0.0.1:25:25 -p 127.0.0.1:79:79 ye-olde-bsd
5 | 


--------------------------------------------------------------------------------
/install.ini:
--------------------------------------------------------------------------------
 1 | set rq0 ra81
 2 | at rq0 miniroot
 3 | set rq1 ra81
 4 | at rq1 rq.dsk
 5 | set rq2 dis
 6 | set rq3 dis
 7 | set rp dis
 8 | set lpt dis
 9 | set rl dis
10 | set tq dis
11 | set tu dis
12 | att ts 43.tap
13 | set tti 7b
14 | set tto 7b
15 | load -o boot42 0
16 | d r10 9
17 | d r11 0
18 | run 2
19 | 


--------------------------------------------------------------------------------
/miniroot.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wvu/ye-olde-bsd/fcaf449a21be55d57d0564d6b0465c13dc7ef1e8/miniroot.gz


--------------------------------------------------------------------------------
/setup.exp:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/expect -f
  2 | 
  3 | #
  4 | # http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH
  5 | #
  6 | 
  7 | # Match as much as the scouter says
  8 | match_max 9001
  9 | 
 10 | # And wait as long as Air Supply can
 11 | set timeout -1
 12 | 
 13 | # Simplify shell commands
 14 | proc send_cmd line {
 15 |   send "$line\n"
 16 |   expect "# "
 17 | }
 18 | 
 19 | # Simplify here documents
 20 | proc send_heredoc line {
 21 |   send "$line\n"
 22 | 
 23 |   if [string equal $line "EOF"] {
 24 |     expect "# "
 25 |   } else {
 26 |     expect "> "
 27 |   }
 28 | }
 29 | 
 30 | # Simplify file I/O
 31 | proc send_file file {
 32 |   set fh [open $file]
 33 |   set buf [read $fh]
 34 |   close $fh
 35 | 
 36 |   foreach line [split $buf "\n"] {
 37 |     send "$line\n"
 38 |     expect "\n"
 39 |   }
 40 | }
 41 | 
 42 | # Booting the emulator
 43 | spawn ./vax780 install.ini
 44 | expect "# "
 45 | 
 46 | # Restoring the rootdump
 47 | send_cmd "cd /dev"
 48 | send_cmd "./MAKEDEV ra1"
 49 | send_cmd "cd /"
 50 | send_cmd "disk=ra1 type=ra81 tape=ts xtr"
 51 | # https://utcc.utoronto.ca/~cks/space/blog/unix/TheLegendOfSync
 52 | send_cmd "sync"
 53 | send_cmd "sync"
 54 | send_cmd "sync"
 55 | send ""
 56 | expect "Simulation stopped*\n"
 57 | send "q\n"
 58 | expect eof
 59 | 
 60 | # Booting the emulator
 61 | spawn ./vax780 boot.ini
 62 | expect "# "
 63 | 
 64 | # Preparing the disk
 65 | send_cmd "disk=ra"
 66 | send_cmd "name=ra0h;type=ra81"
 67 | send_cmd "cd /dev"
 68 | send_cmd "sh ./MAKEDEV ts0 pty0 dz0;sync"
 69 | send_cmd "cd /"
 70 | send_cmd "newfs \$name \$type"
 71 | 
 72 | # Restoring the usr slice
 73 | send_cmd "mount /dev/\$name /usr"
 74 | send_cmd "cd /usr"
 75 | # Restore /usr/sys
 76 | send_cmd "mkdir sys"
 77 | send_cmd "cd sys"
 78 | send_cmd "mt rew"
 79 | send_cmd "mt fsf 3"
 80 | send_cmd "tar xpbf 20 /dev/rmt12"
 81 | # Restore /usr
 82 | send_cmd "cd .."
 83 | send_cmd "mt fsf"
 84 | send_cmd "tar xpbf 20 /dev/rmt12"
 85 | # Restore /usr/src
 86 | send_cmd "mkdir src"
 87 | send_cmd "cd src"
 88 | send_cmd "mt fsf 2"
 89 | send_cmd "tar xpbf 20 /dev/rmt12"
 90 | # Restore /usr/src/contrib
 91 | send_cmd "mkdir contrib"
 92 | send_cmd "cd contrib"
 93 | send_cmd "mt fsf"
 94 | send_cmd "tar xpbf 20 /dev/rmt12"
 95 | send_cmd "cd /"
 96 | send_cmd "chmod 755 / /usr /usr/sys"
 97 | send_cmd "rm -rf sys"
 98 | send_cmd "ln -s /usr/sys sys"
 99 | 
100 | # Configuring the fstab
101 | send_cmd "cd /etc"
102 | send_cmd "cp fstab.ra81 fstab"
103 | send_cmd "newfs ra0g ra81"
104 | 
105 | # Configuring networking using ed(1), the standard editor
106 | send_heredoc "ed <<EOF"
107 | # Edit /etc/hosts
108 | send_heredoc "e /etc/hosts"
109 | send_heredoc "10c"
110 | send_heredoc "127.0.0.1	localhost"
111 | send_heredoc "."
112 | send_heredoc "13,14c"
113 | send_heredoc "#0.2		myname.my.domain myname"
114 | send_heredoc "#0.3		myfriend.my.domain myfriend"
115 | send_heredoc "10.0.2.15	simh"
116 | send_heredoc "."
117 | send_heredoc "w"
118 | # Edit /etc/networks
119 | send_heredoc "e /etc/networks"
120 | send_heredoc "39a"
121 | send_heredoc "my-netmask	255.255.255"
122 | send_heredoc "."
123 | send_heredoc "w"
124 | # Edit /etc/rc.local
125 | send_heredoc "e /etc/rc.local"
126 | send_heredoc "7,9c"
127 | send_heredoc "hostname simh"
128 | send_heredoc "#ifconfig imp0 netmask my-netmask \\`hostname\\`"
129 | send_heredoc "#ifconfig en0 netmask my-netmask \\`hostname\\`"
130 | send_heredoc "."
131 | send_heredoc "10a"
132 | send_heredoc "ifconfig de0 netmask my-netmask \\`hostname\\`"
133 | send_heredoc "."
134 | send_heredoc "12a"
135 | send_heredoc "route add default 10.0.2.2 1"
136 | send_heredoc "."
137 | send_heredoc "w"
138 | # Edit /etc/resolv.conf even when it doesn't exist
139 | send_heredoc "e /dev/null"
140 | send_heredoc "0a"
141 | send_heredoc "nameserver 10.0.2.3"
142 | send_heredoc "."
143 | send_heredoc "w /etc/resolv.conf"
144 | send_heredoc "q"
145 | send_heredoc "EOF"
146 | 
147 | # Fixing the "screensaver"
148 | send_heredoc "ed /usr/lib/crontab <<EOF"
149 | send_heredoc "1d"
150 | send_heredoc "w"
151 | send_heredoc "q"
152 | send_heredoc "EOF"
153 | 
154 | # Configuring sendmail
155 | send_cmd "newaliases"
156 | 
157 | # Exeunt
158 | send_cmd "cd /"
159 | send_cmd "umount /dev/\$name"
160 | send_cmd "fsck /dev/r\$name"
161 | send_cmd "sync"
162 | send_cmd "sync"
163 | send_cmd "sync"
164 | send ""
165 | expect "Simulation stopped*\n"
166 | send "q\n"
167 | expect eof
168 | 


--------------------------------------------------------------------------------